The Dutch Data Protection Authority (DPA) has fined Uber €290 million. The penalty comes after the DPA found that Uber had transferred the personal data of European taxi drivers to the United States without adequate safeguards, a serious breach of the General Data Protection Regulation (GDPR).
This marks the third time the Dutch DPA has fined Uber, highlighting ongoing concerns about the company’s data protection practices.
Sensitive Data Mishandled
The Dutch DPA’s investigation revealed that Uber had collected and transferred sensitive information from European drivers to its headquarters in the US.
This data included account details, taxi licenses, location data, photos, payment details, identity documents, and, in some cases, criminal and medical records.
Transferring such sensitive data without appropriate safeguards violates the GDPR, which only allows personal data to leave the European Union when a valid transfer mechanism guarantees a level of protection essentially equivalent to that inside the EU.
The investigation found that Uber transferred this data for more than two years without using any transfer tool at all. The problem was aggravated by the EU Court of Justice’s 2020 ruling that invalidated the EU-US Privacy Shield, removing the framework many companies had relied on.
Standard Contractual Clauses can still be used for transfers to the United States, but only if the exporting company ensures equivalent protection in practice, which the DPA found Uber failed to do.
Uber stopped using these clauses in August 2021, leaving EU drivers’ data without any recognised safeguard. Uber has since adopted the successor to the Privacy Shield, which ended the violation.
Complaints from Drivers Spur Investigation
The Dutch DPA initiated the investigation following complaints from over 170 French drivers. These drivers raised concerns with the Ligue des droits de l’Homme (LDH), a French human rights interest group, which subsequently complained to the French DPA.
Under GDPR, companies operating in multiple EU Member States are subject to the authority of the DPA in the country where they have their main establishment.
With Uber’s European headquarters in the Netherlands, the Dutch DPA took the lead in the investigation, working closely with the French DPA and coordinating with other European DPAs.
The collaboration among European DPAs underscores the importance of cross-border cooperation in enforcing GDPR and protecting the rights of individuals across the EU.
Uber’s Response and Future Implications
Uber has said it will object to the €290 million fine. The company has challenged earlier penalties from the Dutch DPA as well, objecting to fines of €600,000 in 2018 and €10 million in 2023.
The current fine is substantial but well below the GDPR’s ceiling: the regulation allows fines of up to 4% of a company’s worldwide annual turnover, and Uber’s turnover was approximately €34.5 billion in 2023.
The case serves as a stark reminder to businesses operating in Europe of the GDPR’s stringent requirements and the potential financial consequences of non-compliance.
As Aleid Wolfsen, chairman of the Dutch DPA, emphasized, the GDPR is designed to protect individuals’ fundamental rights by ensuring that personal data is handled with care.
Companies must take additional measures when storing data outside the EU to prevent unauthorized access and misuse.
This latest fine against Uber highlights the company’s ongoing challenges and responsibilities in navigating international data protection laws.
It also reinforces European authorities’ commitment to upholding individuals’ rights and ensuring that businesses adhere to the highest standards of data protection.