Uber transferred European drivers’ data to US servers in violation of the GDPR: the Dutch data protection authority DPA has ruled, imposing a fine of 290 million euros. The company has already announced that it will appeal.
The case arose from the protest of over 170 French drivers who filed a complaint with the national human rights association Ligue des droits de l’Homme. The documentation was subsequently forwarded to the French data protection authority. According to the GDPR, in the event that a company manages the data of individuals from multiple EU countries, the competent authority is that of the country in which the company itself has established its headquarters, in this case the Netherlands.
The data collected would also include strictly personal information, including identity documents and, in some cases, criminal and medical data of the drivers. The Data Protection Authority believes that the San Francisco company did not adequately safeguard drivers’ information, transferring and storing it across the Atlantic Ocean for over two years without using the required transfer tools.
“In Europe, the GDPR protects people’s fundamental rights, requiring companies and governments to handle personal data with due care. Unfortunately, this is not obvious outside of Europe,” explained DPA President Aleid Wolfsen. “Uber has not met the GDPR requirements to ensure the level of data protection regarding their transfer to the United States. This is very serious.”
In essence, Uber would have transferred European drivers’ data to American servers by limiting itself to what is provided for by the Privacy Shield, an agreement that the European Court of Justice, however, defined as inadequate in 2020. Following the Schrems II ruling, the Standard Contractual Clauses were introduced which, according to the GDPR, “can constitute adequate safeguards […] without requiring specific authorization from a supervisory authority.” Uber did not use such clauses to transfer drivers’ data to the United States, so their information was “not sufficiently protected”.
Uber had already been fined by the Dutch DPA twice before: first in 2018 (600,000 euros), second in 2023 (10 million euros).
This article is originally published on hdmotori.it
