Record-Breaking Fine for Data Transfer Violations

The Dutch Data Protection Authority (DPA) has imposed a staggering €290 million ($324 million) fine on Uber for failing to comply with the European Union’s (EU) strict data protection rules. The penalty comes after Uber was found guilty of improperly handling and transferring sensitive data belonging to European drivers to the United States without adequate safeguards.

Serious Breach of GDPR Regulations

According to the Dutch DPA, Uber transferred personal data of EU-based taxi drivers to the U.S. without providing sufficient protection. This action was deemed a “serious” violation of the General Data Protection Regulation (GDPR), one of the most rigorous data privacy laws in the world. In response to the breach, Uber has since discontinued this data transfer practice.

What Data Was Affected?

The sensitive information involved in this case included a wide range of personal details. For over two years, Uber collected drivers’ data and stored it on U.S. servers, including account details, taxi permits, locations, photos, payment info, and identification documents. In some instances, the data also included drivers’ medical records and criminal histories.

Privacy Shield Invalidated, New Framework Introduced

The fine was partly due to Uber’s continued data transfers after the EU’s Privacy Shield with the U.S. was invalidated in 2020. Uber had stopped using Standard Contractual Clauses by August 2021, and the new agreement, the EU-U.S. Data Privacy Framework, did not launch until July 2023. The Dutch DPA concluded that this left the data of EU drivers inadequately protected. As of late 2023, Uber uses the successor to the Privacy Shield.

Uber Denies Wrongdoing

Uber has rejected the fine, calling it “completely unjustified.” The company insists that its international data transfers have always adhered to GDPR requirements. Uber has expressed its intention to challenge the ruling.

Previous Penalties for Data Privacy Issues

This isn’t the first time Uber has faced penalties over data protection concerns. Earlier this year, the DPA fined Uber €10 million for not fully disclosing how long it retains driver data or the details of data transfers to non-European countries. Additionally, Uber was criticized for making it difficult for drivers to access or obtain copies of their personal data.

Concerns Over U.S. Data Privacy Standards

The issue highlights ongoing concerns about the lack of equivalent privacy protections in the U.S. compared to the EU. Many fear that data transferred to the U.S. could be subject to mass surveillance by American authorities. This isn’t a new concern—other U.S. companies, like Google, have also faced scrutiny over transatlantic data transfers.

The Importance of Proper Data Safeguards

As Aleid Wolfsen, head of the Dutch DPA, emphasized, businesses must implement extra measures when storing the personal data of Europeans outside the EU. These measures are critical to ensure data remains protected and compliant with EU regulations.

About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
