Tuesday, November 19, 2024

Uber Fined Record $324 Million In Netherlands For Transferring Sensitive EU Driver Data To U.S.

Must read

Topline

Dutch privacy regulators hit Uber with a record $324 million (€290 million) fine Monday for violating the European Union’s data protection laws by transferring sensitive personal data of its drivers to the U.S. without adequate safeguards.

Key Facts

The Dutch Data Protection Authority said its investigation found Uber had transferred the personal data of European cab drivers—including taxi licenses, IDs, location data, photos, payment details, and “in some cases even criminal and medical records,” to the U.S.

The agency said Uber transferred this data to the U.S. for over two years without proper transfer tools designed to protect user privacy—in violation of the EU’s General Data Protection Regulation (GDPR).

Uber ended this violation and has implemented the proper safeguards since late last year, the Dutch DPA said.

According to Bloomberg, the $324 million penalty is the biggest issued by the Dutch DPA and the biggest fine Uber has faced globally.

Forbes has reached out to Uber for comment, but the company told Bloomberg the fine is “completely unjustified,” claiming it was compliant with the laws and will file an appeal.

Get Forbes Breaking News Text Alerts: We’re launching text message alerts so you’ll always know the biggest stories shaping the day’s headlines. Text “Alerts” to (201) 335-0739 or sign up here.

Crucial Quote

“In Europe, the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care. But outside Europe, this is unfortunately not the case…This is why companies are usually obliged to take extra measures if they store personal data of Europeans outside the European Union,” Dutch DPA Chair Aleid Wolfsen said, adding Uber’s violation was “very serious.”

Key Background

Earlier this year, the Dutch DPA fined Uber $11 million (€10 million) for how it handled the retention of drivers’ personal data. The agency found Uber had not properly laid out terms and conditions for how long it retains driver personal data. The DPA also found Uber’s process for allowing drivers to make personal data access requests “unnecessarily complicated.” Both the previous fine and the latest one stem from an investigation launched by the Dutch agency in response to a complaint filed by 170 French drivers with the country’s privacy regulator. The investigation was handed over to the Dutch DPA, since Uber’s EU operations are headquartered in the Netherlands. Under the EU’s GDPR laws, violating companies can be fined up to 4% of their annual global revenue.

Further Reading

Uber Hit by Record $324 Million Fine for Data Transfers to US (Bloomberg)

Latest article