The Dutch Data Protection Authority (DPA) has fined Uber a record €290M for violating the EU data protection regulation while sending sensitive driver data to the U.S.
The Dutch Data Protection Authority (DPA) has fined Uber €290 million ($324 million) for allegedly failing to comply with the EU's General Data Protection Regulation (GDPR) when transferring the personal data of European taxi drivers to the U.S.
“The Dutch Data Protection Authority (DPA) imposes a fine of 290 million euros on Uber. The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers. According to the Dutch DPA, this constitutes a serious violation of the General Data Protection Regulation (GDPR). In the meantime, Uber has ended the violation,” reads the press release published by the Dutch Data Protection Authority.
Aleid Wolfsen, the chairman of the Dutch DPA, emphasized that the GDPR is designed to protect people’s fundamental rights by ensuring that businesses and governments handle personal data responsibly. Businesses must take extra precautions when storing Europeans’ personal data outside the EU. Wolfsen criticized Uber for failing to meet GDPR requirements in protecting data transferred to the U.S., calling the violation “very serious.”
The Dutch DPA launched an investigation into Uber after over 170 French drivers filed complaints with the Ligue des droits de l’Homme (LDH), which then reported the issue to the French DPA. The Dutch DPA investigated in close cooperation with the French DPA and coordinated the decision with other European DPAs.
The Dutch Data Protection Authority (DPA) determined that Uber collected sensitive information from European drivers and stored it on servers in the U.S. for over two years without using proper data transfer tools. The collected data included account details, location data, payment information, and even criminal and medical records. After the EU-US Privacy Shield was invalidated in 2020, the use of Standard Contractual Clauses was required to ensure equivalent data protection. However, Uber stopped using these clauses in August 2021, leaving the data insufficiently protected until it adopted the Privacy Shield’s successor at the end of last year.
“All DPAs in Europe calculate the amount of fines for businesses in the same manner. Those fines amount to a maximum of 4% of the worldwide annual turnover of a business. Uber had a worldwide turnover of around 34.5 billion euro in 2023. Uber has indicated its intent to object to the fine,” concludes the press release. “This is the third fine that the Dutch DPA imposes on Uber. The Dutch DPA imposed a fine of 600,000 euro on Uber in 2018, and a fine of 10 million euro in 2023. Uber has objected to this last fine.”
The company rejects the accusations and claims that its data transfer process is compliant with European law. The company will appeal the decision, its spokesman Caspar Nixon told Bloomberg.
The fine is “completely unjustified,” said Caspar Nixon.