Netherlands data protection authority fines Uber €290M for violating EU data regulation News
freestocks-photos / Pixabay
Netherlands data protection authority fines Uber €290M for violating EU data regulation

The Data Protection Agency (DPA) of the Netherlands fined Uber 290 million euros on Monday for violating the EU General Data Protection Regulation (GDPR) by storing the personal data of European taxi drivers on US servers.

The DPA found that Uber did not sufficiently protect the personal data that it transferred to the US. Uber sent personal data from the EU to its headquarters in the US for two years without the use of transfer tools to protect the data. Transfer tools include encryption and pseudonymisation, and should be used when sending personal data outside of the EU, according to the DPA.

Businesses in Europe are permitted to transfer data outside of the EU through a Standard Contractual Clause, which is a model contract approved by the European Commission. Nonetheless, businesses that store personal data outside the EU typically have to utilize additional measures, such as transfer tools, to ensure that EU data protection standards are met.

Special rules apply to data transfers to the US. American businesses that participate in the Data Privacy Framework are treated as having a level of data protection that is equivalent to that of the EU, according to an adequacy decision of the European Commission from 2023. EU citizens may submit a complaint regarding how their personal data is handled, even if the business is a member of the Data Privacy Framework.

The investigation by Dutch authorities was triggered by a complaint from 170 taxi drivers in France. Since Uber’s European headquarters are in the Netherlands, the Dutch DPA was responsible for the investigation.

The data that was transferred included “location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers”. The GDPR establishes the protection of personal data as a fundamental right in the EU.

Uber has indicated its intent to appeal the fine, according to the DPA.

THIS DAY @ LAW

Thurgood Marshall confirmed as US Supreme Court justice

On August 30, 1965, civil rights attorney Thurgood Marshall was confirmed as a Supreme Court justice by the US Senate, becoming the first African-American to be approved for the nation's highest tribunal. Learn more about Thurgood Marshall.

ICTY announces genocide charges against Slobodan Milošević

On August 30, 2001, the International Criminal Tribunal for the former Yugoslavia (ICTY) informed former Yugoslav President Slobodan Milošević that he would be charged with genocide in addition to other war crimes. The charges stemmed from Milošević's role in the Balkan civil wars of the 1990s in which Milošević, as President of Serbia and Yugoslavia, attempted to use force to prevent the ethnic dissolution of the Yugoslav Federation. Learn more about the trial of Slobodan Milošević and the charges filed against him from the BBC.