The ride-hailing app Uber has been hit with a €290m (£246m; $324m) effective for transferring the private information of European drivers to US servers in violation of EU guidelines, the Dutch information safety regulator stated on Monday.
The Dutch Knowledge Safety Authority (DPA) stated the transfers have been a “severe violation” of the EU’s Normal Knowledge Safety Regulation (GDPR), as they did not appropriately defend driver info.
In accordance with the watchdog, info together with ID paperwork, taxi licences and placement information was transferred to the corporate’s headquarters within the US over a two-year interval.
Uber stated it will enchantment the effective, which it known as “unjustified”.
“Uber’s cross-border information switch course of was compliant with GDPR throughout a 3-year interval of immense uncertainty between the EU and US,” an Uber spokesperson stated.
“This flawed determination and extraordinary effective are fully unjustified,” the assertion added.
Whereas information transfers to the US are allowed underneath EU legislation, there’s important uncertainty round once they can happen with out the necessity for additional authorisation.
DPA chairman Aleid Wolfsen stated the corporate failed to fulfill GDPR necessities to “guarantee the extent of safety to the info with regard to transfers to the US.”
“That could be very severe,” he added, noting that Uber additionally did not appropriately safeguard the info.
The DPA stated Uber collected delicate info of European drivers, together with taxi licences, location information, photographs, fee particulars, id paperwork, “and in some circumstances even felony and medical information of drivers”.
It stated it began the investigation after greater than 170 French drivers complained to a French human rights group, which then filed a grievance to France’s information safety watchdog.
Beneath GDPR guidelines, a enterprise that processes information in a number of EU nations should cope with the info safety authority the place its essential workplace is situated. Uber’s European headquarters are within the Netherlands.
“In Europe, the GDPR protects the basic rights of individuals, by requiring companies and governments to deal with private information with due care,” Mr Wolfsen stated.
“Consider governments that may faucet information on a big scale,” he stated, explaining, “companies are normally obliged to take further measures in the event that they retailer private information of Europeans exterior the European Union.”
It’s the DPA’s third effective towards Uber following fines of €600,000 (£508,000) in 2018 and €10m (£8.5m) final yr.
The EU has rolled out a collection of guidelines for giant tech companies and imposed large fines for breaches in recent times.
Final yr Irish regulators fined TikTok €345m (£296m) for violating kids’s privateness underneath GDPR guidelines.