Uber, the ride-hailing service, has been hit with a hefty fine of 290 million euros ($324 million) by the Dutch data protection watchdog. The fine was imposed for allegedly transferring personal details of European drivers to the United States without adequate protection, a serious breach of the European Union’s General Data Protection Regulation (GDPR). The Dutch Data Protection Authority (DPA) stated that Uber failed to meet the requirements of the GDPR in ensuring the proper level of protection for the data when transferring it to the US.
The case originated from complaints made by 170 French Uber drivers, but the fine was issued by the Dutch authority due to Uber’s European headquarters being based in the Netherlands. Uber, however, has strongly disagreed with the decision, calling it flawed and unjustified. The company plans to appeal the ruling, expressing confidence that common sense will prevail.
The alleged breach occurred following a ruling by the EU’s top court in 2020, which invalidated an agreement called Privacy Shield. This agreement allowed companies to transfer data to the US, but the court deemed it invalid due to concerns about the US government’s ability to access people’s data. Following this ruling, the Dutch data protection agency stated that standard contractual clauses could be used for data transfers outside the EU if an equivalent level of protection could be guaranteed. However, they found that Uber had failed to ensure sufficient protection for the data of its EU drivers after ceasing to use standard contractual clauses in August 2021.
The Computer & Communications Industry Association, an advocacy group for tech companies, criticized the fine, stating that it ignored the challenges faced by online businesses after the Privacy Shield ruling. They argued that the internet could not be put on hold for three years while waiting for a new legal framework to be established. The association also expressed concern about retroactive fines, highlighting the lack of clear guidance from data protection authorities during a period of legal uncertainty.
This is not the first time that the Dutch data protection watchdog has fined Uber. In January, the agency imposed a 10 million euro fine on the company for its failure to disclose how long it retained data from drivers in Europe and the non-EU countries it shared the data with.
Overall, this case highlights the importance of complying with data protection regulations, especially in the context of cross-border data transfers. The GDPR aims to protect the fundamental rights of individuals, requiring businesses and governments to handle personal data with care. It also emphasizes the need for additional measures when storing personal data of Europeans outside the EU. Uber’s failure to meet these requirements has resulted in a significant fine and raises concerns about the protection of user data in the digital age.
