Uber Fined $324m For Transferring European Data To US


Dutch data protection watchdog imposes fine of €290m on Uber for transferring personal data of European drivers to US servers

Uber has said it will appeal, after a European data protection watchdog slapped the ride-hailing firm with a fine totalling hundreds of millions of euros.

The Dutch Data Protection Authority (DPA) announced on Monday that it has imposed a fine of 290 million euros (£246m or $324m) on Uber, after it found it had “transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers.”

The Dutch DPA stated that this constitutes a serious violation of the General Data Protection Regulation (GDPR), but noted that Uber has since ended the violation.


GDPR violation

So what exactly did Uber do to warrant such a huge fine?

It should be noted that the 290 million euro fine is 4 percent of the worldwide annual turnover of a business under the GDPR rules. In 2023 Uber recorded a worldwide turnover of around 34.5 billion euros.

The Dutch DPA said it found that Uber had collected, among other things, sensitive information of drivers from Europe and retained it on servers in the US. This included account details and taxi licences, as well as location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.

The Dutch DPA said for a period of over 2 years, Uber transferred this data to Uber’s headquarters in the US, without using transfer tools.

Because of this, the protection of personal data was not sufficient. It pointed out that the Court of Justice of the EU had invalidated the EU-US Privacy Shield in 2020.

According to the Court, Standard Contractual Clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection could be guaranteed in practice.

Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected, according to the Dutch DPA.

Since the end of 2023, Uber has used the successor to the Privacy Shield.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” said Dutch DPA chairman Aleid Wolfsen. “But sadly, this is not self-evident outside Europe.”

“Think of governments that can tap data on a large scale,” said Wolfsen. “That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”

The Dutch DPA said it had begun its investigation into Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.

Uber appeal

Uber has indicated its intent to appeal the fine, calling it “unjustified.”

“Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US,” an Uber spokesperson said.

“This flawed decision and extraordinary fine are completely unjustified,” Uber was quoted by the BBC as saying.

This is the third fine that the Dutch DPA has imposed on Uber.

The Dutch DPA imposed a fine of 600,000 euro on Uber in 2018, and a fine of 10 million euro in 2023. Uber objected to this last fine.

Previous fines

Uber has run into very serious data protection problems before.

Uber ran into hot water a decade ago, after it waited five months to report that it had been hacked in September 2014 when the details of hundreds of its drivers were leaked online.

Social security numbers, pictures of driver licenses, and vehicle registration numbers were among the details accidentally revealed by the taxi company, with as many as 647 drivers thought to have been affected across the US.

But much worse was to follow in 2016, when Uber again concealed a data breach that exposed data from 57 million customers and drivers.

To make matters worse, Uber actually used its “bug bounty” program (normally used to identify small code vulnerabilities) to pay off the hackers (one of whom was an unidentified 20-year-old man in Florida).

Uber came clean about the incident in November 2017, after newly installed CEO Dara Khosrowshahi, who had recently joined the firm, became aware of the breach.

Uber chief executive Dara Khosrowshahi. Image credit: Uber

Khosrowshahi’s admission in 2017 that Uber had not revealed the breach for over a year prompted an investigation by European authorities.


The British Information Commissioner’s Office (ICO) also fined the company 385,000 pounds ($490,760), while the Dutch Data Protection Authority (DPA) slapped Uber with a 600,000 euro ($678,780) fine.

Uber in September 2018 also announced that it would pay $148m to settle legal action over the attack.

Then in August 2020, US federal prosecutors formally charged the former head of security at Uber, Joseph Sullivan, for concealing its controversial data breach in 2016.

In 2022 Uber confirmed another ‘cybersecurity incident’, after an 18-year-old hacker accessed its network via social engineering.