Uber, the global ride-hailing giant, has been hit with a massive €290 million fine by the Dutch Data Protection Authority (DPA) for failing to comply with the European Union’s General Data Protection Regulation (GDPR), according to Engadget. The DPA found that Uber had transferred sensitive driver data to U.S. servers without adequate protection for over two years, putting the privacy of countless drivers at risk, as The Hacker News reports.
The case was initiated by complaints from 170 French Uber drivers who raised concerns about the company’s handling of their personal information, as AP News points out. Uber had collected and retained a wide range of sensitive data on its U.S. servers, including account details, taxi licenses, location data, photos, payment details, and identity documents. In some instances, even criminal and medical data of drivers were collected.
According to the DPA, Uber failed to use appropriate mechanisms, such as Standard Contractual Clauses, to safeguard driver data during the transfer process. This lack of proper protection left the data vulnerable to potential breaches and unauthorized access.
In response to the fine, Uber has called it “completely unjustified” and plans to appeal the decision. The company claims that it has already ended the practice of transferring driver data to the U.S. without adequate protection and has been using the successor to the Privacy Shield since the end of last year.
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S. We will appeal and remain confident that common sense will prevail,” the company said.
The record-breaking fine imposed on Uber serves as a stark reminder of the importance of data protection and the severe consequences of non-compliance with GDPR. It may not only damage Uber’s reputation and erode customer trust but also force the company to reevaluate and change its business operations to ensure full compliance with EU data protection laws.
This case also highlights the challenges faced by tech companies when it comes to cross-border data transfers. The invalidation of the E.U.-U.S. Privacy Shield in 2020 created a period of legal uncertainty, during which data protection authorities failed to provide clear guidance to companies like Uber.
Looking ahead, the recently announced E.U.-U.S. Data Privacy Framework, set to be implemented in July 2023, aims to address these data protection concerns and establish a clear legal framework for data transfers between the two regions. As data protection authorities continue to enforce GDPR compliance through fines and other measures, companies must prioritize data protection and implement robust measures for cross-border data transfers to avoid similar violations in the future.