US rideshare giant Uber has been fined over 290 million euros (~$324 million) by a Dutch watchdog organization over charges that it failed to adequately protect the data of its European drivers.
This watchdog, called the Dutch Data Protection Authority (DPA) accused Uber of allowing the transfer of personal details of European drivers to the United States without proper protection.
Uber Under Fire
This watchdog group accused Uber’s data transfers of breaching requirements from the European Union’s General Data Protection Regulation (GDPR).
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said in a statement.
Outside of Europe
Wolfsen lamented the fact that companies in other places do not have the same kinds of data protection common sense that Europe has.
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union,” Wolfsen said.
Not Meeting Requirements
Wolfsen emphasized that Uber is under a serious charge for not meeting these requirements when it transferred the data of Europeans unsafely.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the U.S. That is very serious,” said Wolfsen.
Original Complaints
A case against Uber was started by complaints from French Uber drivers who were unhappy with the company’s data practices.
This case was eventually given to the authority of the DPA because Uber’s headquarters in Europe is located in the Netherlands.
Uber Responds
In a statement, Uber has denied any wrongdoing related to the DPA’s accusations and insists that it will appeal the decision.
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S. We will appeal and remain confident that common sense will prevail,” Uber said in a statement.
Previous Ruling
In 2020, the top court in the EU found that an agreement called Privacy Shield that allowed the transfer of data to the United States was no longer valid because the American government could access to this data, causing a major disruption for companies.
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected,” said the DPA.
Blaming the Decision
Tech advocacy group Computer & Communications Industry Association (CCIA) argued that the fine is unfair given how the 2020 EU ruling shook things up.
“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” the association’s European head of policy, Alexandre Roure, said in a statement.
Ignoring Reality
Roure felt that the decision to slap a fine on Uber was worrying and that such a huge fine was unwarranted.
“The fact that the Dutch Data Protection Authority today decided to issue a massive fine to a tech company for EU-US data flows that happened back in 2021 ignores reality,” said Roure.
Retroactive Fines
Roure also took issue with the fact that the fines are retroactive, especially given the circumstances.
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework,” said Roure.
Unclear Guidelines
The CCIA asserted in a statement that the EU left the data transfer landscape without clear guidelines for a sustained period.
“Ever since an EU Court decided to invalidate Privacy Shield – the previous framework that allowed for data transfers between the EU and the United States – back in 2020, the so-called Schrems II ruling, European and American companies were left without any clear guidelines for transatlantic data flows for a period of nearly three years,” the statement said.
Not The First Fine
The DPA has been going after Uber before this most recent fine for similar issues related to how handles its European data.
In January, the Dutch watchdog fined Uber 10 million euros (~$11 million) for failing to disclose critical information on European drivers like how long it retained their data and which countries outside the EU it was sharing it with.
