Friend
Professional
- Messages
- 2,653
- Reaction score
- 850
- Points
- 113
Complaints from French drivers led to a fine.
The Dutch Data Protection Authority (AP) has fined Uber Technologies Inc. and Uber B.V. €290 million for violating the GDPR.
At the center of the accusations is the transfer of personal data from the European Economic Area (EEA) to servers in the United States without proper guarantees. The data sent includes location information, photos, payment details, and drivers identification documents. In some cases, the company also collected criminal and medical data.
The reason for the investigation against the company was the complaints of more than 170 French drivers who turned to the human rights organization Ligue des droits de l'Homme (LDH) for help. According to the complaints, the drivers' data was transferred to the Dutch regulator through the French Data Protection Authority (CNIL).
For more than 2 years, Uber has stored the collected data at the company's headquarters in the United States. The regulator noted that Uber did not use "transfer tools" when transferring data, which led to insufficient protection of confidential information. Since Uber's non-US headquarters are located in the Netherlands, it was the Dutch regulator that imposed the fine under GDPR rules.
The problem arose after the EU Court of Justice in the Schrems II case (Max Schrems case) invalidated the EU-US Privacy Shield due to insufficient US data protection standards.
Despite the ruling, Uber continued to transfer data to the U.S. without implementing mandatory Standard Contractual Clauses (SCCs) or other safeguards, in violation of the GDPR. A similar violation previously led to a fine of $1.3 billion for Meta and more than $1.1 million for four companies for using Google Analytics.
Uber, in its defense, states that the GDPR does not apply to the company, since the regulation already extends its jurisdiction to the company's activities in the United States. It is also claimed that data transfers, as described in the GDPR, do not occur, as users themselves transfer their data to servers in the United States through the app.
The AP rejected Uber's arguments, approving the fine. Uber has expressed disagreement with the decision and intends to challenge it. A company spokesperson stressed that the fine is unfair because Uber complied with the GDPR during the three years of uncertainty between the EU and the US. The company is convinced that during the appeal, "common sense will prevail."
The appeal process can be delayed for up to 4 years, during which the fine will be suspended. Uber also insists that the data processing practices outlined in the company's privacy policy comply with GDPR regulations, and the exchange of data between users and the company is an integral part of the service.
Source
The Dutch Data Protection Authority (AP) has fined Uber Technologies Inc. and Uber B.V. €290 million for violating the GDPR.
At the center of the accusations is the transfer of personal data from the European Economic Area (EEA) to servers in the United States without proper guarantees. The data sent includes location information, photos, payment details, and drivers identification documents. In some cases, the company also collected criminal and medical data.
The reason for the investigation against the company was the complaints of more than 170 French drivers who turned to the human rights organization Ligue des droits de l'Homme (LDH) for help. According to the complaints, the drivers' data was transferred to the Dutch regulator through the French Data Protection Authority (CNIL).
For more than 2 years, Uber has stored the collected data at the company's headquarters in the United States. The regulator noted that Uber did not use "transfer tools" when transferring data, which led to insufficient protection of confidential information. Since Uber's non-US headquarters are located in the Netherlands, it was the Dutch regulator that imposed the fine under GDPR rules.
The problem arose after the EU Court of Justice in the Schrems II case (Max Schrems case) invalidated the EU-US Privacy Shield due to insufficient US data protection standards.
Despite the ruling, Uber continued to transfer data to the U.S. without implementing mandatory Standard Contractual Clauses (SCCs) or other safeguards, in violation of the GDPR. A similar violation previously led to a fine of $1.3 billion for Meta and more than $1.1 million for four companies for using Google Analytics.
Uber, in its defense, states that the GDPR does not apply to the company, since the regulation already extends its jurisdiction to the company's activities in the United States. It is also claimed that data transfers, as described in the GDPR, do not occur, as users themselves transfer their data to servers in the United States through the app.
The AP rejected Uber's arguments, approving the fine. Uber has expressed disagreement with the decision and intends to challenge it. A company spokesperson stressed that the fine is unfair because Uber complied with the GDPR during the three years of uncertainty between the EU and the US. The company is convinced that during the appeal, "common sense will prevail."
The appeal process can be delayed for up to 4 years, during which the fine will be suspended. Uber also insists that the data processing practices outlined in the company's privacy policy comply with GDPR regulations, and the exchange of data between users and the company is an integral part of the service.
Source
