Uber Faces €290 Million Fine for GDPR Violations
Amsterdam, Netherlands – In a significant decision, the Dutch Data Protection Authority (AP) has imposed a hefty fine of €290 million on Uber Technologies Inc. and Uber B.V. for violating the General Data Protection Regulation (GDPR). The ruling highlights critical data protection issues that are relevant to any organization dealing with cross-border data transfers.
Unauthorized Data Transfers
The AP’s investigation centered around Uber’s practice of transferring personal data of its European Economic Area (EEA) drivers to the United States without ensuring the necessary safeguards. This violated Article 44 of the GDPR, which requires that personal data transferred to third countries be protected to the same standards as within the EU.
Inadequate Safeguards
Uber initially relied on Standard Contractual Clauses (SCCs) as a safeguard but removed them in August 2021 without replacing them with other valid mechanisms. This left the data transfers unprotected, leading to a breach of GDPR requirements.
Misinterpretation of GDPR Application
Uber argued that Chapter V of the GDPR, which concerns data transfers, did not apply because both Uber B.V. and Uber Technologies Inc. were subject to the GDPR. However, the AP rejected this argument, stating that such an interpretation would undermine the high level of data protection guaranteed by the GDPR.
Lack of Data Protection Compliance
The AP also found that Uber’s centralized IT infrastructure processed the personal data of EEA drivers on servers located in the United States. This inherently involved the transfer of personal data, which should have been subject to the GDPR’s stringent requirements. Uber’s failure to implement the necessary safeguards and its reliance on an incorrect interpretation of GDPR provisions contributed to the substantial fine.