The Dutch Data Protection Authority (AP) has imposed a fine of no less than 290 million euros on the taxi service Uber, the highest privacy fine ever handed out in the Netherlands.
This decision follows serious violations of the General Data Protection Regulation (GDPR), where Uber transferred personal data of European drivers to the United States without the required protection. According to the AP, Uber carelessly moved the personal data of thousands of drivers from the European Union to servers in the United States. This happened without adequate safeguards, leaving the data vulnerable to unauthorized access and misuse. The regulator emphasizes that Uber has acted in violation of the GDPR, which imposes strict rules for the protection of personal data, especially when transferred to countries outside the European Economic Area (EEA).
guarantee
The AP sets her report that Uber has failed to implement sufficient technical and organizational measures to ensure the security of the data. “This is a serious violation of the privacy of European citizens,” said the president of the AP. “Companies operating in Europe must adhere to strict rules designed to protect the privacy of our citizens. The fine reflects the seriousness of the offense and should send a clear message to all companies who think they can act without consequences.”
“In Europe, the GDPR protects people's fundamental rights by requiring companies and governments to handle personal data with care,” says AP President Aleid Wolfsen. But unfortunately this is not self-evident outside Europe. Think of governments that can tap data on a large scale."
According to the AP, Uber collected various sensitive data from drivers over a period of more than two years and stored it on servers in the US. This not only concerned account details and taxi licenses, but also location data, photos, payment details and IDs. What makes the case even more serious is that Uber also transferred criminal and medical data of drivers to the US, without using an appropriate transfer tool. This could expose the data to risks such as unauthorized access and misuse.
The AP judges that Uber has seriously violated the General Data Protection Regulation (GDPR), which sets strict requirements for the protection of personal data. The law requires that when data of EU citizens is transferred to countries outside the European Economic Area (EEA), adequate measures must be taken to protect the data. This can be done, for example, by using standard contractual clauses or other transfer tools approved by the European Commission. In the case of Uber, these measures were lacking, resulting in serious deficiencies in the protection of personal data.
discussion
The legal battle that may now follow could draw attention to a broader discussion about privacy compliance by major international companies. Experts point out that this is not the first time that Uber has come under fire for its handling of privacy issues. In 2018, the company was fined 600.000 euros by the AP due to a data breach in 2016 in which the data of 57 million users, including 174.000 Dutch, was exposed. This new incident reinforces concerns about how tech companies manage the privacy of their users and raises questions about the effectiveness of current regulations.
The AP launched an investigation into Uber after more than 170 French drivers filed a complaint with the Ligue des droits de l'Homme (LDH), a French human rights advocacy group. LDH then filed a complaint with the French privacy regulator.
The European Union has tightened its data protection laws in recent years, with the GDPR being one of the most drastic measures. The GDPR requires companies to take strict precautions when processing personal data and imposes heavy fines for violations.
EER
The AP's ruling could also have broader implications for other technology companies active in Europe. Companies that process data of EU citizens must ensure that they comply with the GDPR, even when this data is transferred to countries outside the EEA. This incident highlights the importance of robust security measures and the need to be transparent about how data is managed and protected.
Although Uber is opposing the fine, there is a good chance that this will be a long legal battle. Should the fine stand, it could set a precedent for future enforcement actions against other companies that fail to comply with GDPR. The outcome of this case will be watched with great interest by both the technology industry and privacy activists.