Uber is facing a financial penalty from European regulators. The company has been fined $324 million by the Dutch Data Protection Authority for improper data transfers involving the personal information of European drivers to the United States. This is one of the largest fines imposed under the European Union’s General Data Protection Regulation (GDPR) since its implementation in 2018.
The General Data Protection Regulation is a data privacy regulation enacted by the European Union in 2016. It was designed to give individuals greater control over their personal data and to ensure that companies handle this data with the utmost care.
GDPR sets stringent rules on how companies collect, store, process and transfer personal data. One of its provisions is the requirement for companies to ensure that any personal data transferred outside the EU is given equivalent protection to what it would receive within the Union.
Uber’s violation of the GDPR centers on its practice of transferring the personal data of European drivers to the United States without adequate safeguards.
According to the Dutch DPA, Uber failed to appropriately safeguard this data during the transfer process. The information transferred included sensitive details such as:
- Account details
- Taxi licenses
- Location data
- Photos
- Payment details
- Identity documents
- Criminal and medical records
The investigation into Uber’s data practices was initiated after a collective complaint was lodged by 170 French Uber drivers. These drivers were represented by a human rights organization, which raised concerns about how their data was being handled.
The complaint was made to the French Data Protection Authority (DPA) but was later forwarded to the Dutch DPA since Uber’s European headquarters are located in the Netherlands.
The Dutch DPA found that the company had retained sensitive driver data on servers based in the United States, violating GDPR requirements.
Specifically, Uber was found to have moved this data without using the appropriate transfer tools required by GDPR, thereby failing to ensure the necessary level of data protection.
The Dutch DPA’s response to Uber’s GDPR violation was unequivocal. The authority addressed the seriousness of the infraction, noting that Uber’s failure to protect the data during its transfer to the United States constituted a breach of European data protection laws.
Aleid Wolfsen, chairman of the Dutch DPA, stated, “In Europe, the GDPR protects the fundamental rights of people by requiring businesses and governments to handle personal data with due care. Sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale.”
The company has contested the fine, labeling the decision as flawed. A spokesperson for Uber, Caspar Nixon, expressed the company’s intention to appeal the decision.
This period of uncertainty refers to the time when the EU and the US were renegotiating the adequacy decision that allowed companies to transfer data between the two regions without complex contractual agreements.
The case against Uber was triggered by complaints from 170 French Uber drivers in 2021. These complaints were submitted through the Ligue des droits de l’Homme (LDH), a human rights organization, and then passed on to the Dutch DPA for investigation.
The company’s European headquarters is located in the Netherlands, making the Dutch DPA the lead regulator in this case under the GDPR’s one-stop-shop mechanism.
The core of the allegations against Uber is the transfer of personal data of European drivers to the United States. The data in question included sensitive information such as account details, taxi licenses, location data, photos, payment information, identity documents and, in some cases, even criminal and medical records.
The Dutch DPA found that Uber had been transferring this data without using the necessary legal safeguards required under the GDPR.
The breach is significant because it occurred after the European Court of Justice (ECJ) invalidated the Privacy Shield agreement in 2020.
Privacy Shield had previously allowed companies to transfer data between the EU and the US, but it was struck down due to concerns about US government surveillance.
In the absence of Privacy Shield, companies were required to rely on Standard Contractual Clauses (SCCs) or other legal mechanisms to ensure that the level of data protection in the US matched that of the EU.
According to the Dutch DPA, Uber ceased using SCCs in August 2021, which meant that the data of European drivers was not adequately protected during its transfer to the US.
The challenge in these cases is the clash between the EU’s data protection standards and US national security laws, which allow for government surveillance.
European courts, influenced by the revelations of NSA whistleblower Edward Snowden in 2013, have repeatedly ruled that US surveillance practices pose a risk to the privacy rights of EU citizens.
Meta was fined $1.3 billion in 2023 for transferring data on EU citizens to the US without adequate protections.