Dutch Regulator Fines Uber €290 Million for GDPR Violations in Data Transfers to U.S.

August 26, 2024 at 11:36AM

The Dutch DPA fined Uber €290 million for failing to comply with E.U. data protection laws by transferring sensitive driver data to the U.S. Uber collected and stored a range of personal driver information on U.S. servers without adequate protection. Uber contested the decision, claiming its actions were GDPR-compliant. Earlier, it also faced a €10 million penalty for non-disclosure of data retention details. This case reflects ongoing concerns about the privacy of E.U. personal data once it is transferred to the U.S.

Key takeaways:

1. The Dutch Data Protection Authority (DPA) fined Uber a record €290 million for failing to comply with European Union (E.U.) data protection standards when transferring sensitive driver data to the U.S.
2. The DPA found that Uber transferred personal data of European taxi drivers to the U.S. and failed to appropriately safeguard the data, leading to a serious violation of GDPR.
3. Uber collected and retained drivers’ sensitive information on U.S.-based servers, including account details, location data, photos, payment details, and identity documents, some of which also contained criminal and medical data.
4. The data transfers were carried out without using appropriate mechanisms, especially after the invalidation of the E.U.-U.S. Privacy Shield in 2020.
5. Uber intends to contest the DPA’s decision and believes the fine is unjustified. However, earlier this year, Uber was fined €10 million for its failure to disclose the full details of its data retention periods concerning European drivers.
6. The lack of equivalent privacy protections in the U.S. for data transferred from the E.U. has raised concerns among E.U. data protection authorities, as demonstrated by previous incidents involving U.S. services such as Google Analytics.

The article also mentions the broader implications of European user data being subject to U.S. surveillance programs, highlighting the importance for businesses to take additional measures when storing personal data of Europeans outside the European Union.
