Allegations of Inadequate Data Protection
The Dutch Data Protection Authority (DPA) has fined Uber Technologies Inc. (NYSE:UBER) €290 million (approximately $324 million) for allegedly transferring the personal data of European drivers to the United States without sufficient protection. The fine is attributed to Uber’s failure to comply with the European Union’s General Data Protection Regulation (GDPR), which mandates stringent measures for protecting user data.
The DPA’s decision follows complaints from 170 French Uber drivers and is based on Uber’s European headquarters being located in the Netherlands. The authority asserts that Uber did not meet GDPR requirements for safeguarding data transferred to the U.S., a situation exacerbated by the invalidation of the Privacy Shield agreement in 2020.
Uber’s Response and Industry Reactions
Uber has criticized the fine as flawed and unjustified, asserting that its data transfer processes were compliant with GDPR during a period of regulatory uncertainty between the EU and the U.S. The company plans to appeal the decision, maintaining confidence that the appeal will overturn the fine.
Following the EU court ruling in 2020 that nullified the Privacy Shield agreement, which previously allowed data transfers to the U.S., Uber’s use of Standard Contractual Clauses was deemed inadequate in August 2021. The Dutch DPA noted that although Uber has since adopted the successor to Privacy Shield, the alleged breach occurred during the transition period.
The Computer & Communications Industry Association, representing tech companies, argued that the fine disregards the practical challenges of online business and the lack of clear guidance during the legal uncertainty. The association’s European head of policy, Alexandre Roure, expressed concerns about retroactive fines amid the absence of a new legal framework for data transfers.
This is not the first penalty imposed on Uber by the Dutch DPA; the company was previously fined €10 million in January for failing to disclose data retention practices and details on data sharing with non-EU countries.
Featured Image: Megapixl