iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Uber is facing a €290 million (roughly AU$477 million) fine after it breached European data protection law by transferring personal data from the EU to the US.
According to the Dutch Data Protection Authority (DPA), Uber had been transferring the personal data of European taxi drivers to the US for over two years without required protections, violating the EU’s General Data Protection Regulation (GDPR).
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” said DPA chairman Aleid Wolfsen.
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale.
“That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The data Uber reportedly collected and transferred to US servers includes taxi licenses, payment details, ID documents, account details, location data, photos, and, in some cases, medical and criminal data of drivers.
As a result of the breach, the DPA, cooperating with the French data protection agency CNIL, has slapped Uber with a €290 million fine, which equates to roughly “a maximum of 4 per cent of the worldwide annual turnover of a business”.
“Uber had a worldwide turnover of €34.5 billion last year,” according to the DPA, which added that it seems that Uber will contest the fine.
In a statement seen by the media, Uber confirmed that it intends to appeal the fine.
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail,” it said.
The period of uncertainty mentioned above refers to the time after EU courts ruled that the EU/US Privacy Shield, an agreement that allowed companies to transfer data to the US, was null as it allowed the US government to see the data.
The DPA then ruled that to transfer data to the US, organisations needed an “equivalent level of protection” to honour standard contract clauses.
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected,” said the DPA.
By the end of last year, Uber had used the agreement that had replaced the EU/US Privacy Shield and was no longer in breach of the GDPR.
It seems that Uber is not the only group that believes the fine was unjust. Tech company advocacy group the Computer and Communications Industry Association said the requirements on tech companies following the ruling were unrealistic.
“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” said Alexandre Roure, the organisation’s EU head of policy.
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework.”
Be the first to hear the latest developments in the cyber industry.
