Aug 27, 2024 10:49:00

Dutch authorities fine Uber $4.3 billion for sending sensitive driver data to the US without proper protections

The Dutch Data Protection Authority (DPA) announced on August 26, 2024 that it will impose a fine of 290 million euros (approximately 46.8 billion yen) on

Uber in the United States. The DPA claims that Uber did not take adequate safeguards when transmitting personal information of Uber drivers in Europe to the United States.

Dutch DPA imposes a fine of 290 million euro on Uber because of transfers of drivers' data to the US | Autoriteit Persoonsgegevens
https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

Uber Hit by Record $324 Million Fine for Data Transfers to US - Bloomberg

https://www.bloomberg.com/news/articles/2024-08-26/uber-hit-by-record-324-million-fine-for-data-transfers-to-us

Uber gets slapped with €290 million fine
https://www.engadget.com/uber-gets-slapped-with-%E2%82%AC290-million-fine-123039726.html

Uber to Appeal €290 Million GDPR Fine - SecurityWeek
https://www.securityweek.com/uber-to-appeal-dutch-e290-million-gdpr-fine/

The case was sparked by a complaint filed by more than 170 French drivers with the French human rights group Ligue des droits de l'Homme (LDH). Because Uber's European headquarters is in the Netherlands, the DPA is set to investigate.

The DPA said Uber had collected sensitive information about its drivers in Europe, including account details, location data, photos, payment details, identification documents, and criminal and medical data, and stored that data on servers at Uber's headquarters in the United States.

When transferring data from the Netherlands to countries outside the European Economic Area (EEA), the use of data transfer tools to protect privacy is

mandatory . However, an investigation by the Autoriteit Persoonsgegevens found that Uber had not taken such appropriate safeguards for more than two years.

The DPA therefore decided to fine Uber €290 million under the General Data Protection Regulation (GDPR), the largest fine ever imposed by the DPA on a company and the largest fine ever imposed on Uber.

'In Europe, the GDPR requires companies and governments to handle personal data appropriately and protects people's fundamental rights. However, Uber did not meet the GDPR's requirements to ensure a level of protection for data transfers to the US. This is a very serious matter,' said DPA Chairman Aleid Wolfsen.

Meanwhile, Uber contacted the DPA in 2021 to confirm that it complies with GDPR regarding the transfer of user data in Europe. In addition, the EU declared that it would invalidate the Privacy Shield, a regulation on data transfer between the EU and the United States, in July 2020, and the EU-US Data Privacy Framework, which replaced the Privacy Shield, came into effect in July 2023. However, Uber claimed that 'even after adopting the new EU-US Data Privacy Framework, there was no need to make any changes to Uber's data transfer process.'

'This flawed decision and the excessively high fine are completely unjustified,' Uber said in a statement. 'Uber's cross-border data transfer processes have been GDPR compliant for many years. We plan to appeal this decision and are confident that common sense will prevail.'