Uber Fined Over $300M For Failing to Protect Drivers’ Data

By: Alex Trent | Published: Aug 26, 2024

US rideshare giant Uber has been fined over 290 million euros (~$324 million) by a Dutch watchdog organization over charges that it failed to adequately protect the data of its European drivers.

The watchdog, the Dutch Data Protection Authority (DPA), accused Uber of allowing the transfer of personal details of European drivers to the United States without proper protection.

Uber Under Fire

The DPA accused Uber of breaching requirements of the European Union’s General Data Protection Regulation (GDPR) with its data transfers.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said in a statement.

Outside of Europe

Wolfsen lamented the fact that companies in other places do not have the same kinds of data protection common sense that Europe has.

“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union,” Wolfsen said.

Not Meeting Requirements

Wolfsen emphasized that Uber is under a serious charge for not meeting these requirements when it transferred the data of Europeans unsafely.

“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the U.S. That is very serious,” said Wolfsen.

Original Complaints

The case against Uber began with complaints from French Uber drivers who were unhappy with the company’s data practices.

The case was eventually handed to the DPA because Uber’s European headquarters is located in the Netherlands.

Uber Responds

In a statement, Uber has denied any wrongdoing related to the DPA’s accusations and insists that it will appeal the decision.

“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S. We will appeal and remain confident that common sense will prevail,” Uber said in a statement.

Previous Ruling

In 2020, the top court in the EU found that an agreement called Privacy Shield, which allowed the transfer of data to the United States, was no longer valid because the American government could access this data. The ruling caused a major disruption for companies.

“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected,” said the DPA.

Blaming the Decision

Tech advocacy group Computer & Communications Industry Association (CCIA) argued that the fine is unfair given how the 2020 EU ruling shook things up.

“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” the association’s European head of policy, Alexandre Roure, said in a statement.

Ignoring Reality

Roure felt that the decision to slap a fine on Uber was worrying and that such a huge fine was unwarranted.

“The fact that the Dutch Data Protection Authority today decided to issue a massive fine to a tech company for EU-US data flows that happened back in 2021 ignores reality,” said Roure.

Retroactive Fines

Roure also took issue with the fact that the fines are retroactive, especially given the circumstances.

“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework,” said Roure.

Unclear Guidelines

The CCIA asserted in a statement that the EU left the data transfer landscape without clear guidelines for a sustained period.

“Ever since an EU Court decided to invalidate Privacy Shield – the previous framework that allowed for data transfers between the EU and the United States – back in 2020, the so-called Schrems II ruling, European and American companies were left without any clear guidelines for transatlantic data flows for a period of nearly three years,” the statement said.

Not The First Fine

The DPA has gone after Uber before this most recent fine over similar issues related to how it handles its European data.

In January, the Dutch watchdog fined Uber 10 million euros (~$11 million) for failing to disclose critical information on European drivers like how long it retained their data and which countries outside the EU it was sharing it with.
