Uber, a ride-hailing service, was fined 290 million euros (£245.5 million) by the Dutch data protection agency for allegedly sending the personal information of European drivers to the US without sufficient security.
Uber declared that it would appeal the ruling, calling it erroneous and unjustified.
According to the Dutch Data Protection Authority, the data transfers, which went on for more than two years, were a grave violation of the European Union's General Data Protection Regulation (GDPR), which mandates organizational and technical safeguards to secure user data.
According to a statement from Dutch DPA head Aleid Wolfsen, “the GDPR protects people’s fundamental rights in Europe by requiring businesses and governments to handle personal data with due care.”
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store the personal data of Europeans outside the European Union.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data concerning transfers to the US. That is very serious.”
Uber’s European headquarters is located in the Netherlands, so even though 170 French Uber drivers filed the complaints that started the case, the Dutch government decided to impose the fine. Uber says it didn’t do anything improper.
In a statement, it said: “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during three years of immense uncertainty between the EU and the US.
“We will appeal and remain confident that common sense will prevail.”
The purported violation occurred after the EU’s highest court declared in 2020 that the Privacy Shield agreement, which permitted data transfers to the US for thousands of businesses, including tiny financial institutions and internet giants, was unconstitutional due to the possibility of government eavesdropping.
Following the EU court’s decision, the Dutch Data Protection Authority stated that Standard Contractual Clauses could serve as a basis for data transfers outside the EU, “but only if an equivalent level of protection can be guaranteed in practice.”
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected,” the watchdog said.
It further stated that Uber has been using Privacy Shield’s replacement since the end of the previous year, putting an end to the reported violation.
The ruling, according to the Computer & Communications Industry Association, an advocacy group for digital businesses, disregards the realities of doing business online following the EU court ruling from 2020.
“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” the association’s European head of policy, Alexandre Roure, said.
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in the absence of any clear legal framework.”
Uber had already been penalized by the Dutch data protection authorities before Monday’s announcement.
The corporation was fined 10 million euros (£8.5 million) by the agency in January for allegedly failing to declare the length of time it kept driver data in Europe or identify which non-EU nations it shared the data with.