The Dutch Data Protection Authority (DPA) has fined Uber €290 million for transferring personal data of European taxi drivers to the United States and failing to safeguard the data with regard to these transfers. EPA-EFE/WILL OLIVER

Uber’s €290 million fine for breaching GDPR rules sparks industry outcry

The Dutch Data Protection Authority (DPA) has fined Uber €290 million for transferring personal data of European taxi drivers to the US without ensuring data protection measures, sparking an industry backlash.

According to the DPA, Uber collected sensitive information from European drivers over a two-year period and stored it on servers in the US without using proper transfer tools, thus violating the European Union’s General Data Protection Regulation (GDPR).

The Computer and Communications Industry Association (CCIA Europe) argued the fine set a “worrisome” precedent for retroactive enforcement.

“The accusations [about] Uber date back to 2021-2022, preceding the new EU-US Data Privacy Framework,” the CCIA said.

During this period, non-EU companies already subject to the GDPR had virtually no legal basis to move data to the US, it said in a statement.

The CCIA argued that when an EU court decided to invalidate the previous framework that allowed for data transfers between the EU and the US, European and US companies were left without any clear guidelines for transatlantic data flows for a period of almost three years.

“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework,” stated the CCIA Europe’s Head of Policy Alexandre Roure.

“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” Roure said.

The data transferred by Uber across the Atlantic contained professional information such as taxi licences, locations, photos, payment details, identity documents, and criminal and medical data regarding drivers.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said.

“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious,” he added.

The DPA noted that Uber has since ceased the practice and has stated it will appeal the court decision.

“This flawed decision and extraordinary fine are completely unjustified,” said Uber spokesperson Caspar Nixon as quoted by Reuters.

“Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US,” he added.

The investigation into Uber was triggered after more than 170 French drivers complained to the country’s human rights interest group, which submitted a complaint to the country’s data protection authority.

As Uber has its European headquarters in the Netherlands, the complaint was forwarded to the Dutch DPA.

In a statement, French national data protection regulator Commission Nationale de l’informatique et des Libertés (CNIL) said it had co-operated with the DPA.

The latest fine is not the first for Uber. In January, the Dutch DPA hit Uber for €10 million over privacy regulation infringements.

The DPA found that Uber had not specified in its terms and conditions for how long it retained its drivers’ personal data, or how it secured the data when sending it to entities in countries, which it had not named, outside the European Economic Area.

In 2018, CNIL fined Uber €400,000 for insufficiently securing users’ data on its service, thus allegedly resulting in the data piracy of 57 million of its users.