East Asia

Dutch regulator fines Uber US$324 million over transfer of sensitive driver data to US

The DPA said Uber collected sensitive information of European drivers, including taxi licences, location data, photos, payment details, identity documents “and in some cases, even criminal and medical data of drivers”.

Over a two-year period, the DPA said, the information was transferred to Uber’s US headquarters without using transfer tools.

“Because of this, the protection of personal data was not sufficient,” the DPA said, noting that Uber has “ended the violation”.

Uber said it would appeal the fine, a process that suspends the penalty but can take up to four years.

“This flawed decision and extraordinary fine are completely unjustified,” an Uber spokesperson said in a statement

“Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail,” the statement said.

The EU has rolled out a series of rules for what Big Tech firms can and cannot do, and imposed huge fines for breaches in recent years.

04:41

Where do drivers stand in Hong Kong’s Uber vs taxi battle?

Where do drivers stand in Hong Kong’s Uber vs taxi battle?

The DPA said it started the investigation after more than 170 French drivers complained to a French human rights interest group, which then filed a complaint to France’s data protection watchdog.

Under the GDPR, a business that processes data in several EU countries must deal with the data protection authority where its main office is located. Uber’s European headquarters are in the Netherlands.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Wolfsen said.

“But sadly, this is not self-evident outside Europe,” he said.

“Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”

Uber plans to appeal the latest Dutch fine. Photo: dpa

It is the DPA’s third fine against Uber following fines of 600,000 euros in 2018 and 10 million euros last year.

Uber said Monday the most recent case relates to a complaint that dates back to 2021, during a three-year period “when there was significant uncertainty regarding data transfers between the US and the EU”.

It said the uncertainty began after the Court of Justice of the European Union invalidated a data transfer framework known as the EU-US Privacy Shield in 2020.

A successor, the EU-US Data Privacy Framework, was adopted by The European Commission last year.

“Similar to what many other companies operating in the EU and transferring data to the US had to do, during the period the Privacy Shield was disputed, Uber continued to safeguard data in accordance with GDPR,” the company said.

Related Articles

Back to top button