Uber is facing a massive GDPR fine after the Dutch regulator claimed it violated the regulation by storing driver data in the US without adequate safeguards.
The Dutch Data Protection Authority (AP) announced the €290m ($324m) fine yesterday, claiming that it stems from the same concerns that have led to years-long legal wranglings between the EU and US.
Specifically, the concern is that European citizens’ human rights may be imperilled if their data is stored in the US without safeguards, because their personal data may then be accessed and queried by law enforcement and intelligence agencies there.
These same concerns led to the European Court of Justice declaring the EU-US Privacy Shield invalid in 2020.
“In Europe, the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care. But outside Europe, that is unfortunately not self-evident. Think of governments that can tap data on a large scale,” explained AP chairman, Aleid Wolfsen.
“That’s why companies are usually required to take additional measures when they store personal data of Europeans outside the European Union. Uber has not guaranteed the level of protection required by the GDPR for drivers for the transfer of data to the US. That is very serious.”
The AP claimed Uber had not used Standard Contractual Clauses (SCCs) or other means to ensure that citizens’ personal data stored on US servers received levels of protection equivalent to those in the EU.
It said that sensitive personal information included account details, taxi licenses, location data, photos, payment details, IDs and in some cases drivers’ criminal and medical records. These were transferred to Uber’s headquarters in the US for over two years without proper safeguards, it added.
The Case Against AP’s Ruling
The Computer & Communications Industry Association (CCIA Europe), a non-profit that has Uber as a member, argued in response that the period in question – 2021-2022 – was one of tremendous uncertainty after the Privacy Shield agreement was ruled illegal.
It argued that both European and American companies were left without any clear guidelines for a period of nearly three years, with the uncertainty compounded by disagreements between EU data protection authorities and the European Commission. The latter, it claimed, ruled out SCCs for non-EU companies already subject to European data protection rules.
Alexandre Roure, CCIA Europe’s head of policy, argued that the AP ruling ignores reality.
“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” he said in a statement.
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework.”
Since last year, Uber has been following the successor to Privacy Shield – a Data Privacy Framework negotiated between the EU and US – and is now compliant with the GDPR, AP said.
The AP launched an investigation into Uber after over 170 French drivers filed a complaint with French human rights group, Ligue des droits de l'Homme (LDH), which subsequently filed a complaint with the French privacy watchdog.