IANS Photo
London, August 26 (IANS): The Dutch Data Protection Authority (DPA) on Monday imposed a hefty fine of 290 million euros ($324 million) on ride-hailing platform Uber over data transfer breach of European taxi drivers.
The Dutch regulator found that Uber transferred personal data of European taxi drivers to the US and failed to appropriately safeguard the data with regard to these transfers.
This constitutes a serious violation of the General Data Protection Regulation (GDPR). In the meantime, Uber has ended the violation.
"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care", said Dutch DPA chairperson, Aleid Wolfsen.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious,” Wolfsen added.
According to the regulator, Uber collected “sensitive information of drivers from Europe” like account details, taxi licences, location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers, and retained it on servers in the US.
For a period of over two years, the company transferred those data to Uber's headquarters in the US, without using transfer tools.
The Dutch DPA started the investigation on Uber after more than 170 French drivers complained to the human-rights interest group LDH, which subsequently submitted a complaint to the French DPA.
“All DPAs in Europe calculate the amount of fines for businesses in the same manner. Those fines amount to a maximum of 4 per cent of the worldwide annual turnover of a business. Uber had a worldwide turnover of around 34.5 billion euro in 2023. Uber has indicated its intent to object to the fine,” said the regulator.
This is the third fine that the Dutch DPA imposes on Uber.
The Dutch DPA imposed a fine of 600,000 euro on Uber in 2018, and a fine of 10 million euro in 2023. Uber has objected to this last fine.
In January, Uber was fined 10 million euros for data access rights pertaining to the same complaints.