Uber Fined €290 Million for GDPR Violations After Moving Data from EU to US
Uber has been fined €290 million ($324 million) after improperly transferring driver data from the EU to the US. Learn more about the case, the nature of the violation, and what the penalty means for the company.
- The Dutch Data Protection Authority (DPA) has fined Uber a record €290 million ($324 million) for breaking European Union data protection laws by sending driver data to the US.
- The ride-hailing giant has refuted the decision and plans to file an appeal, suspending the penalty for now.
Uber has been slammed with a hefty €290 million fine by the Dutch Data Protection Authority (DPA) for allegedly violating the European Union’s General Data Protection Regulation (GDPR). The regulator has alleged that the ride-hailing service improperly transferred personal data from European drivers to the US without adequate safeguards.
The Violation
Uber was fined for failing to comply with the GDPR’s strict requirements for transferring personal data outside the European Economic Area (EEA). The company was found to be in violation of Chapter V of the GDPR, which is associated with international data transfers.
The section requires companies to meet specific data protection measures while transferring personal data to non-EU countries. These measures can include mechanisms such as Standard Contractual Clauses (SCCs) or the now-invalid EU-US Privacy Shield. In the case of Uber, the DPA found that the company did not use adequate transfer tools to comply with protection standards while moving the data of its European drivers.
Uber’s Response
The €290 million fine is one of the largest ever for a GDPR violation. The penalty highlights the severity of the case and the DPA’s intent to set an example about the importance of data protection. Uber’s financial resources and the large-scale nature of the data transfer, involving numerous drivers over a long period, influenced the size of the fine.
Uber, in response, has planned to appeal the decision, stating that it had always acted in good faith despite regulatory uncertainties about data transfer practices that were in alignment with GDPR requirements. The company has called the fine unjustified and has claimed that the new EU-US Data Privacy Framework, which has been in effect since 2023, should mitigate concerns associated with data transfers.
Takeaways
The case highlights the challenges faced by global tech companies in managing data protection requirements, especially in light of the EU-US Privacy Shield’s invalidation. If the fine against Uber goes through, it could set a precedent for future enforcement actions, pushing companies to reassess their compliance strategies. The appeal process will consequently be watched closely by businesses and regulators and could have far-reaching implications in the sector in the coming years.
LATEST NEWS STORIES
- Microsoft Sets Up Endpoint Security Ecosystem Summit to Address CrowdStrike Outage
- Google To Pay About $250 Million To Support Local Journalism In California
- University of California Santa Cruz Runs Phishing Test, Creates Ebola Scare
- Oil Giant Halliburton’s Operations Disrupted by Cyber Incident
