The ride-hailing app Uber has been hit with a €290m (£246m; $324m) positive for transferring the private knowledge of European drivers to US servers in violation of EU guidelines, the Dutch knowledge safety regulator stated on Monday.
The Dutch Knowledge Safety Authority (DPA) stated the transfers have been a “severe violation” of the EU’s Basic Knowledge Safety Regulation (GDPR), as they did not appropriately defend driver info.
Based on the watchdog, info together with ID paperwork, taxi licences and site knowledge was transferred to the corporate’s headquarters within the US over a two-year interval.
Uber stated it will enchantment the positive, which it referred to as “unjustified”.
“Uber’s cross-border knowledge switch course of was compliant with GDPR throughout a 3-year interval of immense uncertainty between the EU and US,” an Uber spokesperson stated.
“This flawed determination and extraordinary positive are utterly unjustified,” the assertion added.
Whereas knowledge transfers to the US are allowed below EU legislation, there may be important uncertainty round once they can happen with out the necessity for additional authorisation.
DPA chairman Aleid Wolfsen stated the corporate failed to fulfill GDPR necessities to “guarantee the extent of safety to the information with regard to transfers to the US.”
“That may be very severe,” he added, noting that Uber additionally did not appropriately safeguard the information.
The DPA stated Uber collected delicate info of European drivers, together with taxi licences, location knowledge, pictures, fee particulars, id paperwork, “and in some circumstances even legal and medical knowledge of drivers”.
It stated it began the investigation after greater than 170 French drivers complained to a French human rights group, which then filed a criticism to France’s knowledge safety watchdog.
Below GDPR guidelines, a enterprise that processes knowledge in a number of EU international locations should cope with the information safety authority the place its important workplace is situated. Uber’s European headquarters are within the Netherlands.
“In Europe, the GDPR protects the basic rights of individuals, by requiring companies and governments to deal with private knowledge with due care,” Mr Wolfsen stated.
“Consider governments that may faucet knowledge on a big scale,” he stated, explaining, “companies are normally obliged to take further measures in the event that they retailer private knowledge of Europeans outdoors the European Union.”
It’s the DPA’s third positive in opposition to Uber following fines of €600,000 (£508,000) in 2018 and €10m (£8.5m) final 12 months.
The EU has rolled out a collection of guidelines for giant tech companies and imposed enormous fines for breaches in recent times.
Final 12 months Irish regulators fined TikTok €345m (£296m) for violating youngsters’s privateness below GDPR guidelines.
