Dutch regulators slams $324m fine on Uber over driver data protection

Advertisements

Uber was fined €290 million by Dutch authorities for breaching EU data protection regulations by sending unauthorized personal information of European drivers to the US.

Uber’s data transmission practices were examined when French taxi drivers filed a complaint.

Together with the Dutch DPA, the French data protection authority CNIL worked closely on the inquiry, which eventually turned up serious shortcomings in Uber’s management of private data.

The DPA said Uber obtained private information about drivers in Europe, including driver identities, taxi licenses, location data, images, payment information, and identity documents—” and in some cases even criminal and medical data of drivers.”

Because driver information was not properly protected, the regulator said the transfers constituted a “serious violation” of the General Data Protection Regulation (GDPR) of the European Union.

A statement by Dutch Data Protection Authority (DPA) chairman, Aleid Wolfsen, said: “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data about transfers to the US. That is very serious.”

Uber defended its action, disagreeing with the ruling, even though the cross-border data transfers in question have subsequently stopped.

Caspar Nixon, a spokesman for Uber, called the fine “extraordinary and unjustified,” adding that during what he called a “period of immense uncertainty” over data protection agreements, Uber’s activities were compliant with GDPR.

“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale.

“That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.

“Uber did not meet the requirements of the GDPR to ensure the level of protection of the data about transfers to the US. That is very serious,” adds Wolfsen.