“Uber did not meet the GDPR’s requirements to ensure the necessary level of protection for data transfers to the U.S”
Amsterdam, Netherlands – The Dutch Data Protection Authority (DPA) announced on Monday that it has imposed a €290 million (approximately $324 million) fine on ride-hailing giant Uber for transferring the personal data of European drivers to servers in the United States.
According to the DPA, these data transfers constituted a “serious violation” of the European Union’s General Data Protection Regulation (GDPR) because Uber failed to adequately protect the drivers’ personal information during the transfer process.
“Uber did not meet the GDPR’s requirements to ensure the necessary level of protection for data transfers to the U.S. This is a very serious matter,” stated Aleid Wolfsen, chairman of the Dutch Data Protection Authority, in an official statement.
The DPA detailed that Uber collected various sensitive pieces of information from European drivers, including taxi licenses, location data, photographs, payment information, identity documents, and, in some instances, even criminal records and medical data. This information was transferred to Uber’s U.S. headquarters over a span of two years without the use of appropriate data transfer tools, the regulator noted.
“As a result, the protection of personal data was insufficient,” the DPA concluded in its assessment.
In response, Uber has stated its intention to appeal the fine, describing the decision as flawed and unjustified.
“This extraordinary fine is completely unwarranted,” an Uber spokesperson said. “Uber’s cross-border data transfer process complied with GDPR throughout three years of significant uncertainty between the EU and the U.S. We will appeal this decision and remain confident that common sense will ultimately prevail.”
Join our Channel...