Privacy authorities in the Netherlands have imposed a €290 million ($324 million) fine on ride-share giant Uber for sending driver data to servers in the United States – “a serious violation” of the EU’s General Data Protection Regulation (GDPR).
According to the Dutch Data Protection Authority (DPA), Uber spent years sending sensitive driver information from Europe to the US. Among the data that was transmitted were taxi licenses, location data, payment details, identity documents, and medical and criminal records. The data was sent abroad without the use of “transfer tools,” which the DPA said means the data wasn’t sufficiently protected.
“Businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union,” Dutch DPA chairman Aleid Wolfsen said of the decision. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The Dutch DPA said that the investigation that led to the fine began after complaints from a group of more than 170 French Uber drivers who alleged their data was being sent to the US without adequate protection. Because Uber’s European operations are based in the Netherlands, enforcement for GDPR violations fell to the Dutch DPA.
Unfortunately for Uber, it already has an extensive history with the Dutch DPA, which has fined the outfit twice before.
The first came in 2018 when the authority fined Uber €600,000 for failing to report a data breach (a slugfest that several EU countries joined in on). The latter €10 million fine came earlier this year after Dutch officials determined Uber had failed to disclose data retention practices surrounding the data of EU drivers, refusing to name which countries data was sent to, and had obstructed its drivers’ right to privacy.
[…]
The uncertainty Uber refers to stems from the EU’s striking down of the EU-US Privacy Shield agreement and the years of efforts to replace it with a new rule that defines the safe transfer of personal data between the two regions.
Uber claims it’s done its job under the GDPR to safeguard data belonging to European citizens – it didn’t even need to make any data transfer process changes to comply the latest rules.
[…]
Source: Dutch officials fine Uber €290M for GDPR violations • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft