Netherlands fines Uber €290M for improper EU-US driver data transfers

The ride-sharing provider insists it broke no rules during the three-year legal gap


Privacy authorities in the Netherlands have imposed a €290 million ($324 million) fine on ride-share giant Uber for sending driver data to servers in the United States - "a serious violation" of the EU's General Data Protection Regulation (GDPR). 

According to the Dutch Data Protection Authority (DPA), Uber spent years sending sensitive driver information from Europe to the US. Among the data that was transmitted were taxi licenses, location data, payment details, identity documents, and medical and criminal records. The data was sent abroad without the use of "transfer tools," which the DPA said means the data wasn't sufficiently protected. 

"Businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union," Dutch DPA chairman Aleid Wolfsen said of the decision. "Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."

The Dutch DPA said that the investigation that led to the fine began after complaints from a group of more than 170 French Uber drivers who alleged their data was being sent to the US without adequate protection. Because Uber's European operations are based in the Netherlands, enforcement for GDPR violations fell to the Dutch DPA. 

Unfortunately for Uber, it already has an extensive history with the Dutch DPA, which has fined the outfit twice before. 

The first came in 2018 when the authority fined Uber €600,000 for failing to report a data breach (a slugfest that several EU countries joined in on). The second, a €10 million fine, came earlier this year after Dutch officials determined Uber had failed to disclose data retention practices surrounding the data of EU drivers, had refused to name which countries data was sent to, and had obstructed its drivers' right to privacy.

Uber asks officials to remember their history

This latest fine appears to be a step too far for Uber, which told The Register it intends to appeal the Dutch DPA's decision because it said it had no clear instructions on how to do otherwise. 

"This flawed decision and extraordinary fine are completely unjustified," an Uber spokesperson told us in an emailed statement. "Uber's cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US." 

The uncertainty Uber refers to stems from the EU's striking down of the EU-US Privacy Shield agreement and the years of efforts to replace it with a new rule that defines the safe transfer of personal data between the two regions. 

Uber claims it's done its job under the GDPR to safeguard data belonging to European citizens - it didn't even need to make any data transfer process changes to comply with the latest rules.

The striking down of Privacy Shield, according to the Computer and Communications Industry Association of Europe, left companies doing business in the EU and US with "virtually no legal bases to move data to the US" between 2020 and the final passage of the Data Privacy Framework in 2023. 

That framework has helped smooth the road going forward, but "it does not account for the three-year legal gap left behind," the CCIA said. 

"The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows," said CCIA Europe head of policy Alexandre Roure. 

We're told Uber has one week left to file its objection, and that the fine must be paid after appeals have been exhausted - a process the outfit claims could buy it as many as four years of stalling to avoid having to pay out. ®
