The Data Protection Agency (DPA) of the Netherlands fined Uber 290 million euros on Monday for violating the EU General Data Protection Regulation (GDPR) by storing the personal data of European taxi drivers on US servers.
The DPA found that Uber did not sufficiently protect the personal data that it transferred to the US. Uber sent personal data from the EU to its headquarters in the US for two years without the use of transfer tools to protect the data. Transfer tools include encryption and pseudonymisation, and should be used when sending personal data outside of the EU, according to the DPA.
Businesses in Europe are permitted to transfer data outside of the EU through a Standard Contractual Clause, which is a model contract approved by the European Commission. Nonetheless, businesses that store personal data outside the EU typically have to utilize additional measures, such as transfer tools, to ensure that EU data protection standards are met.
Special rules apply to data transfers to the US. American businesses that participate in the Data Privacy Framework are treated as having a level of data protection that is equivalent to that of the EU, according to an adequacy decision of the European Commission from 2023. EU citizens may submit a complaint regarding how their personal data is handled, even if the business is a member of the Data Privacy Framework.
The investigation by Dutch authorities was triggered by a complaint from 170 taxi drivers in France. Since Uber’s European headquarters are in the Netherlands, the Dutch DPA was responsible for the investigation.
The data that was transferred included “location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers”. The GDPR establishes the protection of personal data as a fundamental right in the EU.
Uber has indicated its intent to appeal the fine, according to the DPA.