Uber, a ride-hailing service, was fined 290 million euros ($324 million) by the Dutch data protection agency on Monday for allegedly sending the personal information of European drivers to the US without sufficient security.
Uber declared it would appeal the ruling, calling it erroneous and unjustified.
The General Data Protection Regulation of the European Union, which mandates organizational and technical safeguards to secure user data, was gravely violated, according to the Dutch Data Protection Authority, during more than two years of data transfers.
According to a statement from Dutch DPA head Aleid Wolfsen, “The GDPR protects people’s fundamental rights in Europe by requiring businesses and governments to handle personal data with due care.
Unfortunately, though, outside of Europe, this is not obvious. Consider governments that have extensive data access.
For this reason, companies that store Europeans’ personal data outside of the EU are typically required to take extra precautions.
Uber failed to comply with the GDPR’s criteria to guarantee the degree of data protection for transfers to the United States. That is extremely grave.
Laptops 1000Uber’s European headquarters is located in the Netherlands, therefore despite the fact that 170 French Uber drivers filed complaints that started the case, the Dutch government decided to impose the fine.
Uber claimed it had done nothing improper.
“This erroneous ruling and astronomical fine are wholly unwarranted. Uber’s cross-border data transfer procedure complied with GDPR during the three years that the EU and the US were experiencing a great deal of uncertainty.
The business released a statement, saying, “We will appeal and continue to believe that common reason will win out.
The purported breach occurred after the EU’s highest court said in 2020 that the Privacy Shield deal, which permitted thousands of businesses, including tiny financial institutions and internet giants, to send data to the US, was unconstitutional due to the possibility of US government eavesdropping.
Standard contract conditions may serve as a foundation for data transfers outside the EU, according to the Dutch data protection agency, “but only if an equivalent level of protection can be guaranteed in practice,” in light of the EU court verdict.
“The data of drivers from the EU were not sufficiently protected because Uber ceased to use Standard Contractual Clauses in August 2021,” the watchdog stated.
It further stated that Uber has been using Privacy Shield’s replacement since the end of the previous year, ending the reported hack.
In the wake of the 2020 EU court verdict, the Computer & Communications Industry Association, an advocate group for tech businesses, claimed that the penalties disregarded the realities of online commerce.
The association’s European head of strategy, Alexandre Roure, said in a statement that “the busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows.”
“As there is no clear legal framework, any retroactive fines by data protection authorities are particularly concerning given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty,” the speaker continued.
Uber had already been penalized by the Dutch data protection authorities before Monday’s announcement.
The corporation was fined 10 million euros by the agency in January for allegedly failing to declare the duration for which it kept driver data in Europe or to identify the non-EU nations with which it shared the data.
