The Dutch Data Protection Authority (DPA) has imposed a fine of €290 million ($324.4 million) on the ride-hailing service, Uber for infringing the General European Union’s (E.U.) Data Regulation Protocol and also directed it to comply with recent mandates. European drivers, Uber is alleged to have shifted sensitive information from European countries and sent it over the Atlantic.
The Dutch DPA has found that for two years, US datacentre regulars were shipped information including drivers’ names, taxi licence details, payment and location history and if available in the local market receipts of medical or criminal records. Under the old Data Protection Directive, non-European companies that received data about European citizens were required to protect this information even if they exported it out of Europe.
The Privacy Shield was a legal framework that covered privacy for U.S. to E.U data transfers until it was invalidated by a court order last month due in large part to the influence of this type of surveillance on Americans and Europeans alike through bots! The U. S data transfers were invalidated in 2020 In the event period amid the invalidation of Privacy Shield and the introduction of E.U.-U. Data Privacy Framework in 2023, Uber failed to use alternative mechanisms to protect this data as well, the DPA said. One of the reasons Uber is being penalised for so much money, meanwhile, is because it did not continue using Standard Contractual Clauses during that time.
Uber has dismissed the fine as “unjustified.” The company says it will object to the ruling given that its approach to moving data around borders was GDPR-compliant. The company also says it followed the correct protocols at the time of data transfer rule changes and explains in additional documents that Uber was under particular stress dealing with a competitive allegation from freight broker, Flexport.
In 2021, the company engaged with Dutch authorities to establish that they were playing by GDPR rules and said it heard no complaints about any violations. Uber also said that the E.U.-U. None of our customers have had to change their existing data transfer practices on account that the S. Data Privacy Framework did not mandate so
This is not the first instance in which Uber has been punished for a data breach of this nature. The tech company had earlier this year faced a €10m fine for failing to tell drivers how long their data would be held or what countries the ill-gotten information might go to.
The Uber fine, besides being the latest black eye wound in a cascade of embarrassments coming from the company this year alone as you may have already noticed, illustrates for companies serving European data that operate across multiple continents. This has triggered a scramble among U.S. firms to determine how and when if at all they can transfer data across borders involving European citizens, under the now-complicated rules of doing so overseas. In the future, other companies may also be confronted by similar fines for not being GDPR-compliant such as when Privacy Shield was struck down in 2020.
At least the Dutch DPA is worried that U.S. surveillance programs could sweep up European data if it isn’t adequately protected from snooping over here in America. This is the challenge that Uber, and other tech behemoths such as Google before it have also faced.
That should send a stern message to any company moving data out of the E.U., Uber was Fined €290M For Breaking GDPR This case is a reminder of how crucial data protection is, especially if the document contains fine personal details. Although Uber is set to appeal, the decision highlights the conundrum of ensuring adherence with international data transfer rules a challenge that could have significant implications for cross-border business.
Earlier in the year, Uber was slapped with fines for breaking E.U. data protection law by sending information from its European drivers to servers located stateside without sufficient controls.
Data which was sent over included the identity documents, taxi licenses, payment information and location data for drivers on the platform as well criminal or medical records.
Alleged that the company violated GDPR, a privacy law put in place to protect personal data of European citizens.
Uber says it will appeal, arguing the way data was transferred between its teams in preparation for GDPR compliance had satisfied requirements of that regulation.
The Privacy Shield was the framework underpinning U.S-to-E. Invalid in 2020 U. S. data transfers That is in turn superseded by the E.U.-U. The U. S Data Privacy Framework of 2023