Overview:
The Dutch Data Protection Authority (DPA) has fined Uber €290 million for transferring European drivers’ personal data to the United States without proper safeguards. This action was deemed a significant violation of Europe’s General Data Protection Regulation (GDPR). Uber has since corrected the issue.
What Happened:
The Dutch DPA found that Uber transferred sensitive information, such as driver account details, taxi licenses, location data, payment details, and even medical and criminal records, to its headquarters in the United States. However, Uber failed to protect this data as required by the GDPR.
The issue stemmed from the invalidation of the EU-US Privacy Shield in 2020. This agreement once allowed personal data to be transferred from the EU to the US. When the agreement was scrapped, businesses like Uber were required to use other tools, like Standard Contractual Clauses, to ensure data protection. Uber stopped using these clauses in August 2021, which left European drivers’ data exposed.
GDPR and Data Protection:
The GDPR is a regulation in the European Union that sets strict guidelines on how businesses handle personal data. If a company stores or transfers data outside the EU, it must take extra precautions to protect it. European data protection rules are strong, designed to ensure people’s privacy is respected and protected. However, outside of Europe, this isn’t always the case. In countries like the US, there are concerns about government access to large amounts of personal data.
Uber’s failure to meet GDPR requirements resulted in the hefty fine. Since the end of 2023, Uber has adopted new measures, using the successor to the Privacy Shield, to comply with European data protection standards.
Driver Complaints Sparked Investigation:
The Dutch DPA’s investigation began after over 170 French Uber drivers filed complaints with the Ligue des droits de l’Homme (LDH), a French human rights group. This led to an official complaint being submitted to the French data protection authority. Because Uber’s European headquarters is in the Netherlands, the Dutch DPA took charge of the investigation, working closely with the French DPA and other European data protection authorities.
The Fine:
In Europe, data protection authorities can fine businesses up to 4% of their global revenue if they violate GDPR rules. In 2023, Uber reported a global turnover of approximately €34.5 billion, so the €290 million fine is small relative to that turnover but still a significant penalty. Uber has indicated that it plans to challenge the fine.
This isn’t the first time Uber has faced penalties from the Dutch DPA. In 2018, the company was fined €600,000, followed by a €10 million fine in 2023, which Uber is also disputing.