Summarize

Simplifying... Inshort

Uber has been hit with a €290M fine by the Dutch Data Protection Authority (DPA) for improperly transferring European drivers' sensitive data to its US headquarters.
The DPA's investigation was sparked by over 170 complaints from French drivers.
Despite the hefty fine, Uber maintains its data transfer process was GDPR-compliant and plans to appeal, marking its third clash with the DPA in recent years.

Was a long read? Making it simpler...

Next Article

Dutch watchdog slaps Uber with fine for GDPR violation

Uber slapped with €290M fine for unauthorized cross-border data transfer

By Akash Pandey

Aug 26, 2024

06:00 pm

What's the story

Uber, the ride-hailing platform, has been charged with a hefty €290 million (nearly ₹2,715 crore) fine by the Dutch Data Protection Authority (DPA). The penalty was imposed due to Uber's unauthorized transfer of European drivers' personal data to US servers. This action has been labeled as a "serious violation" of the European Union's General Data Protection Regulation (GDPR), according to the DPA.

Regulatory breach

Platform failed to meet GDPR requirements: DPA Chairman

DPA Chairman Aleid Wolfsen stated that Uber did not comply with the GDPR's stipulations regarding data protection during transfers to the US. He emphasized that this oversight is a grave matter. The DPA revealed that over a two-year span, Uber collected and transferred sensitive information of European drivers, including taxi licenses, location data, photos, identity documents, and "in some cases even criminal and medical data of drivers" to its US headquarters without using proper transfer tools.

Legal response

Uber to appeal against the fine

In response to the fine, Uber has announced its intention to appeal. An Uber spokesperson described the decision and fine as "completely unjustified." The company maintains that its cross-border data transfer process was in compliance with GDPR, during a three-year period of immense uncertainty between the EU and US. "We will appeal and remain confident that common sense will prevail," said the spokesperson.

Origin

DPA's investigation was triggered by French drivers' complaints

The DPA initiated its investigation after receiving over 170 complaints from French drivers. These grievances were channeled through a French human rights interest group, which subsequently lodged a complaint with France's data protection watchdog. As per GDPR guidelines, a company processing data in multiple EU countries must liaise with the data protection authority where its main office is situated. In Uber's case, this is the Netherlands.

Data protection

Wolfsen emphasizes GDPR's role in Europe

Wolfsen highlighted the importance of GDPR in Europe, stating that it safeguards people's fundamental rights by mandating businesses and governments to handle personal data responsibly. He expressed concern about non-European entities potentially accessing this data without adequate measures. This fine marks the third time Uber has been penalized by the DPA, following previous fines of €600,000 in 2018 and €10 million last year.