The ride-hailing app Uber has been hit with a €290m (£246m; $324m) advantageous for transferring the non-public knowledge of European drivers to US servers in violation of EU guidelines, the Dutch knowledge safety regulator mentioned on Monday.
The Dutch Information Safety Authority (DPA) mentioned the transfers have been a “critical violation” of the EU’s Basic Information Safety Regulation (GDPR), as they didn’t appropriately defend driver data.
In accordance with the watchdog, data together with ID paperwork, taxi licences and placement knowledge was transferred to the corporate’s headquarters within the US over a two-year interval.
Uber mentioned it will enchantment the advantageous, which it known as “unjustified”.
“Uber’s cross-border knowledge switch course of was compliant with GDPR throughout a 3-year interval of immense uncertainty between the EU and US,” an Uber spokesperson mentioned.
“This flawed determination and extraordinary advantageous are fully unjustified,” the assertion added.
Whereas knowledge transfers to the US are allowed below EU regulation, there may be vital uncertainty round once they can happen with out the necessity for additional authorisation.
DPA chairman Aleid Wolfsen mentioned the corporate failed to satisfy GDPR necessities to “guarantee the extent of safety to the information with regard to transfers to the US.”
“That could be very critical,” he added, noting that Uber additionally didn’t appropriately safeguard the information.
The DPA mentioned Uber collected delicate data of European drivers, together with taxi licences, location knowledge, pictures, fee particulars, identification paperwork, “and in some circumstances even legal and medical knowledge of drivers”.
It mentioned it began the investigation after greater than 170 French drivers complained to a French human rights group, which then filed a grievance to France’s knowledge safety watchdog.
Below GDPR guidelines, a enterprise that processes knowledge in a number of EU nations should cope with the information safety authority the place its fundamental workplace is positioned. Uber’s European headquarters are within the Netherlands.
“In Europe, the GDPR protects the basic rights of individuals, by requiring companies and governments to deal with private knowledge with due care,” Mr Wolfsen mentioned.
“Consider governments that may faucet knowledge on a big scale,” he mentioned, explaining, “companies are normally obliged to take further measures in the event that they retailer private knowledge of Europeans outdoors the European Union.”
It’s the DPA’s third advantageous in opposition to Uber following fines of €600,000 (£508,000) in 2018 and €10m (£8.5m) final yr.
The EU has rolled out a sequence of guidelines for large tech corporations and imposed enormous fines for breaches in recent times.
Final yr Irish regulators fined TikTok €345m (£296m) for violating youngsters’s privateness below GDPR guidelines.
