Ride-hailing platform Uber has been fined €290 million (around $324 million at current exchange rates) by the Netherlands' privacy watchdog for breaching the European Union's General Data Protection Regulation (GDPR).
The penalty relates to transfers of drivers' personal data out of the European Union to the US, where Uber's main business is located. The GDPR allows fines of up to 4% of global annual turnover to be levied for non-compliance.
Uber's full-year revenue for 2023 was around €34.5 billion, so the level of sanction is well below that maximum. However, it is still a notable sum, as it is among the largest penalties levied on a tech company since the GDPR came into force in 2018.
The fine is the result of a series of complaints made by more than 170 Uber drivers in France back in 2021. The Dutch regulator, the Autoriteit Persoonsgegevens (AP), leads on GDPR oversight of Uber because the company has its main EU establishment in the Netherlands. It investigated complaints over how the company processes the drivers' personal data. The complaints were submitted through a human rights group, the Ligue des droits de l'Homme (LDH), to France's privacy watchdog and then passed to the AP.
In January, Uber was fined €10 million over data access rights arising from the same complaints. But the new fine announced Monday dwarfs the earlier penalty, earning the company a new spot on the list of the ten largest GDPR fines levied on tech giants, just below mid-table.
The size of the penalty reflects the seriousness of the breach, per the AP, which wrote in a press release that Uber had failed to "appropriately safeguard" data it transferred out of the EU, calling that "a serious violation".
The data safeguarding problem relates to US national security intelligence agency surveillance programs which, in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden, courts in Europe have repeatedly found to pose a risk to the data protection and privacy rights of people in the EU. This matters because GDPR protections are supposed to travel with Europeans' data wherever it is processed.
US tech giants, which are responsible for driving much of the EU-US data flow, have essentially been caught in the middle of this clash for years. Business models that rely on data mining (and therefore on access to personal data in the clear, rather than in encrypted form) are particularly exposed to this legal privacy risk.
"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe," wrote Dutch DPA chairman Aleid Wolfsen in a statement. "Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."
The complaints against Uber were made during a period when there was no high-level data transfer framework agreed between the EU and the US. In July 2020 the bloc's top court struck down a mechanism known as Privacy Shield that the company, and thousands of others, had been relying on to authorize their data exports.
A new EU-US data transfer deal was not agreed and adopted until July 2023, meaning there was a period of three years of high legal uncertainty around data exports.
Digital companies have been particularly exposed over this period, given the data-driven nature of their businesses. And Uber is not the only tech giant to have been stung: Meta was hit with a record-breaking GDPR penalty of €1.2 billion in May 2023 over the same core issue. Several DPAs also warned against the use of Google Analytics.
In Uber's case the Dutch DPA said the data it collected and exported included "sensitive" driver information, such as account details, taxi licences, location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.
"For a period of over 2 years, Uber transferred these data to Uber's headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient," it wrote.
Uber is not happy about the penalty. It denies any non-compliance and has vowed to appeal the enforcement in court.
Uber spokesman Caspar Nixon emailed TechCrunch a statement in which the company writes: "This flawed decision and extraordinary fine are completely unjustified. Uber's cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail."
The company claims it sought guidance from the AP during the period when there was no high-level EU-US data transfer deal, but says the regulator did not give it any indication that there were problems with its processes.
The AP suggests Uber has been in compliance since the end of last year, when it started to use the successor to Privacy Shield. Uber claims the processes that are now considered compliant under this new data transfer framework are the same ones it used before. So, essentially, its argument is that the legal goalposts have moved.
However, during the period when there was no high-level EU-US transfer deal, the bloc's privacy regulators warned companies that they were responsible for ensuring any data exports complied with the rules.
European Data Protection Board guidance from this period set out additional measures the supervisory body said companies might need to apply to raise the level of protection on data exports and keep their data flows GDPR compliant, such as switching to data localization, or applying forms of "zero access" encryption in which the keys remain under the exporter's control in the EU, so that the exported data cannot be read by the importer or by anyone who obtains it from the importer.
Uber's spokesman could not immediately confirm whether the company applied any such additional measures during the period.