August 26, 2024, 8:38 AM
August 26, 2024, 8:38 AM
The transfers are a “serious violation” of the European Union’s General Data Protection Regulation (GDPR), the Dutch regulator said.
“Uber has failed to meet the GDPR requirements to ensure the level of protection for data transferred to the United States,” said the organization’s president, Aleid Wolfsen, in a statement, calling it “very serious.”
Sensitive information for European drivers
According to the Dutch authority, Uber collected sensitive information from European drivers, including taxi licenses, location data, photos, payment details, identity documents, “and in some cases even criminal and medical data.”
Over a two-year period, information was sent to the company’s US headquarters without using the appropriate tools, the regulatory agency criticised. “The protection of personal data was not sufficient,” it complained.
Uber: “flawed” decision and “unjustified” fine
Uber said it would appeal the fine. “This flawed decision and extraordinary fine are completely unjustified,” a company spokesperson said in a statement.
“Uber’s cross-border data transfer process complied with the GDPR during a 3-year period of immense uncertainty between the EU and the US. We will appeal and trust that common sense will prevail,” he said.
The Dutch agency began investigating the case after more than 170 French drivers complained to a human rights group, which filed a complaint with France’s data protection agency.
Uber’s European headquarters are in the Netherlands
Under the GDPR, a company that processes data in multiple EU countries must deal with the data protection authority where its headquarters are located. Uber’s European headquarters are in the Netherlands.
“In Europe, the GDPR protects people’s fundamental rights, requiring companies and governments to handle personal data with due care,” Wolfsen said. “But unfortunately, this is not the case outside Europe,” he added.
“Let’s think about governments that can intervene in data on a large scale. That’s why companies are often obliged to take additional measures if they store personal data of Europeans outside the EU,” he continued.
In recent years, the 27-nation European bloc has imposed a series of rules on big tech companies. It has also imposed huge fines for violations.
Uber’s fine is the third imposed by the Dutch regulatory authority on the company. The previous ones, in 2018 and 2023, were respectively €600,000 and €10 million.