The Dutch data protection authority has imposed a significant fine of €290 million, equivalent to roughly $324 million, on Uber for infringing the European Union’s General Data Protection Regulation (GDPR).
This fine stems from Uber’s practice of transferring its drivers’ personal data from the EU to the United States, where its primary operations are based. The GDPR permits penalties of up to 4% of a company’s global annual sales for such violations.
With Uber reporting revenues of approximately €34.5 billion in 2023, the fine represents a small fraction of the allowable maximum. Nonetheless, it marks one of the heftiest fines against a technology firm since the enforcement of the GDPR in 2018.
Originating from over 170 complaints by French Uber drivers in 2021, the investigation was led by the Autoriteit Persoonsgegevens (AP), the Dutch regulatory authority responsible for GDPR compliance oversight in cases where the company has its main EU base. The AP scrutinized the complaints regarding Uber’s handling of driver data, which had been channeled through the human rights group Ligue des droits de l’Homme (LDH) to France’s privacy watchdog before reaching the AP.
Earlier, in January, Uber was fined €10 million over issues related to data access rights, based on these complaints. This recent fine significantly overshadows the earlier one and places Uber prominently among the tech giants incurring the largest GDPR fines.
According to the AP’s statement, this fine underscores the gravity of Uber’s failure to protect the data adequately upon their transfer outside of the EU, describing it as a severe breach.
This case underscores concerns about the exposure of EU citizens’ data to US surveillance programs, highlighting the significant privacy and data protection risks that have been identified by European courts following the 2013 Snowden disclosures.
Amidst these challenges, US technology firms have found themselves caught in a protracted struggle, especially those whose business models are heavily reliant on data analytics and thus sensitive to legal concerns surrounding privacy.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the importance of the GDPR in safeguarding Europeans’ fundamental rights and the expectation that personal data is handled carefully, a standard not necessarily upheld outside of Europe. Uber’s failure to ensure the requisite level of protection for data transferred to the US was deemed particularly serious.
The controversy emerged during a period devoid of a robust EU-US data transfer agreement, especially after the EU’s top court invalidated the Privacy Shield framework in 2020, a situation that remained unresolved until a new agreement was established in July 2023.
Digital enterprises, in particular, have been vulnerable during this interval of legal uncertainty regarding data exports. For instance, Meta faced an unprecedented GDPR fine of €1.2 billion in May 2023 over a similar issue, with several data protection authorities cautioning against the use of Google Analytics as well.
Specifically for Uber, the Dutch DPA highlighted the transfer of sensitive driver information to the US without adequate protection tools for over two years as a point of contention.
Uber has expressed disagreement with the penalty, asserting its compliance with GDPR standards throughout the disputed period and indicating its intention to appeal the decision.
In a statement to TechCrunch, Uber’s spokesman Caspar Nixon contended that the company had complied with the GDPR, despite the absence of clear guidance from the AP on its data transfer processes.
While the company cites the eventual endorsement of its processes under the new data transfer framework, the preceding period was marked by advisories from European data protection authorities urging entities to ensure their data export practices were in line with regulatory expectations.
Compiled by Techarena.au.


