Uber fined $324 million by Netherlands data protection agency over transfer of drivers' personal details

Uber fined $324 million by Netherlands data protection agency over transfer of drivers’ personal details

The Hague, Netherlands — The Dutch data protection watchdog slapped a 290 million euro ($324 million) fine Monday on ride-hailing service Uber for allegedly transferring personal details of European drivers to the United States without adequate protection. Uber called the decision flawed and unjustified and said it would appeal.

The Dutch Data Protection Authority said the data transfers spanning more than two years amounted to a serious breach of the European Union’s General Data Protection Regulation, which requires technical and organizational measures aimed at protecting user data.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said in a statement. “But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the U.S. That is very serious.”

GDPR rolls out in Europe, giving people more control over their data

02:23

The case was initiated by complaints from 170 French Uber drivers, but the Dutch authority issued the fine because Uber’s European headquarters is in the Netherlands.

Data breaches at American Airlines, Uber raise cybersecurity concerns

05:20

The Dutch data protection agency said that following the EU court ruling, standard clauses in contracts could provide a basis for transferring data outside the EU, “but only if an equivalent level of protection can be guaranteed in practice.”

“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected,” the watchdog said. It added that Uber has been using the successor to Privacy Shield since the end of last year, ending the alleged breach.

The Computer & Communications Industry Association, an advocacy organization for tech companies, said the fine ignored the realities of online business in the aftermath of the 2020 EU court ruling.

FILE PHOTO: A photo Illustration shows the Uber application on a mobile phone in in central Paris
The Uber app is seen on a smartphone in central Paris, France, in a March 5, 2020 file photo.

REUTERS/Gonzalo Fuentes


“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” the association’s European head of policy, Alexandre Roure, said in a statement.

“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework,” he added.

Monday’s announcement is not the first time the Dutch data protection watchdog has fined Uber. In January, the agency fined it 10 million euros over what it said was the company’s failure to disclose how long it retained data from drivers in Europe or to name non-EU countries it shared the data with.

Source: cbsnews.com