CAD 390 million fine hits Uber for violating EU data privacy laws

CAD 390 million fine for transferring private data of European drivers to the USA. This fine was imposed on a taxi company by the Dutch authority. Uber's actions were found to violate EU privacy regulations (GDPR). The company criticized this decision and announced an appeal.

According to the Dutch Data Protection Authority (DPA), Uber transferred drivers' data from Europe to the United States for over two years without properly securing it.

The DPA emphasized, "This constitutes a serious violation of the General Data Protection Regulation," referring to the privacy regulations effective in the EU, known by the acronym GDPR.

Uber denies violating EU regulations. "This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and the U.S," the company wrote in a statement. Reuters notes that the statement added "the company would appeal and was confident that 'common sense will prevail.'"

According to the AP, the violation of regulations was alleged to have occurred following a ruling by the EU Court of Justice in 2020, which invalidated the so-called Privacy Shield—a mechanism used by companies operating in the EU for sending data to the USA—due to concerns it allowed U.S. authorities to access those data.

Uber can appeal the fine decision to the DPA, and if unsuccessful, challenge it in a Dutch court. The entire appeal process may take about four years, and until all appeals are exhausted, the fine is suspended, reported Reuters.

The proceedings against Uber were initiated in response to a complaint filed in France by a local human rights organization on behalf of over 170 drivers. The matter was referred to the DPA because Uber’s European headquarters are registered in the Netherlands. The French Data Protection Authority (CNIL) cooperated with the DPA in the proceedings.

This is not the first fine the DPA has imposed on Uber. In January, the Dutch authority fined the company CAD 15 million for failing to disclose how long it stored drivers' data in Europe or to which countries outside the EU it sent them, reminded AP.