The US-based Uber Technologies, which provides taxi ordering and food delivery services, has been fined 290 million euros in the Netherlands for transferring data on European drivers to the US, AP News reports.
The Dutch Data Protection Authority (DPA) said that the company had violated the EU General Data Protection Regulation by storing information on European drivers on servers in the US. Dutch DPA chairman Aleid Wolfsen said in a statement:
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US That is very serious.”
The case was initiated following a complaint from 170 French Uber drivers, but the fine was issued by Dutch authorities because Uber’s European headquarters are in the Netherlands. Uber insists that it has done nothing wrong. The company said in a statement:
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US We will appeal and remain confident that common sense will prevail.”
The alleged breach comes after the EU’s highest court ruled in 2020 that an agreement known as Privacy Shield, which allows thousands of companies – from tech giants to small financial firms – to transfer data to the US, is invalid because the US government can spy on people’s data.
Uber accused of insufficient data protection
The Dutch data protection agency said that following the EU court ruling, standard clauses in contracts could be grounds for transferring data outside the EU, “but only if an equivalent level of protection can be guaranteed in practice.” The watchdog said:
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected.”
It added that Uber has been using a Privacy Shield successor since late last year, ending the alleged breach.
The Computer and Communications Industry Association, which advocates for technology companies, said the fine ignores the realities of online business following the EU court’s 2020 ruling. The association’s European head of policy, Alexandre Roure, said in a statement:
“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows. Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework.”
Monday’s announcement is not the first time the Dutch data protection watchdog has fined Uber. In January, the authority fined it 10 million euros for what it said was the company’s failure to disclose how long it stores driver data in Europe and to name the non-EU countries with which it shares that data.