Uber Fined €290m for GDPR Data Transfer Violations
Uber has been fined €290m ($324m) by the Dutch Data Protection Authority (AP) for violating the General Data Protection Regulation (GDPR). The penalty follows revelations that Uber stored sensitive driver data in the US without adequate safeguards for over two years. Despite this, Uber has recently achieved GDPR compliance through a new EU-US Data Privacy Framework.
The fine stems from Uber's transfer of European drivers' personal information, including account details, location data, and IDs, to its US headquarters without proper protection. This occurred despite the European Court of Justice's 2020 invalidation of the EU-US Privacy Shield due to similar concerns. Uber did not employ Standard Contractual Clauses (SCCs) or other means to ensure EU-level protection for this data. The Dutch AP expressed concern that US law enforcement and intelligence agencies could access the data without proper safeguards.
Uber's recent compliance with the GDPR comes via a new Data Privacy Framework negotiated between the EU and the US. The framework aims to provide robust safeguards for transatlantic data transfers, addressing previous concerns about US surveillance laws.
Uber's €290m fine underscores the seriousness of GDPR violations and the importance of adequate data protection measures, especially when transferring data to the US. Despite this penalty, Uber has now achieved GDPR compliance through the new EU-US Data Privacy Framework, ensuring better protection for European drivers' personal data.