The Dutch data protection watchdog slapped a 290 million euro ($324 million) fine Monday on ride-hailing service Uber for allegedly transferring personal details of European drivers to the United States without adequate protection. Uber called the decision flawed and unjustified and said it would appeal.
The Dutch Data Protection Authority said the data transfers spanning more than two years amounted to a serious breach of the European Union’s General Data Protection Regulation, which requires technical and organizational measures aimed at protecting user data.
“In Europe, the GDPR protects the fundamental rights of people, by requiring companies and governments to deal with personal data with due care,” Dutch DPA chairman Aleid Wolfsen said in a statement.
“But sadly, this isn’t self-evident outside Europe. Think of governments that can tap data on a large scale. That is why companies are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the U.S. That is very serious.”
The case was initiated by complaints from 170 French Uber drivers, but the Dutch authority issued the fine because Uber’s European headquarters is in the Netherlands.
Uber insisted it did nothing wrong.
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S. We will appeal and remain confident that common sense will prevail,” the company said in a statement.
The alleged breach came after the EU’s top court ruled in 2020 that an agreement known as Privacy Shield that allowed thousands of companies — from tech giants to small financial firms — to transfer data to the United States was invalid because the American government could eavesdrop on people’s data.
The Dutch data protection agency said that following the EU court ruling, standard clauses in contracts could provide a basis for transferring data outside the EU, “but only if an equivalent level of protection can be guaranteed in practice.”
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected,” the watchdog said. It added that Uber has been using the successor to Privacy Shield since the end of last year, ending the alleged breach.
The Computer & Communications Industry Association, an advocacy group for tech companies, said the fine ignored the realities of online business in the aftermath of the 2020 EU court ruling.
“The busiest internet route in the world could not simply be put on hold for 3 whole years while governments worked to establish a new legal framework for these data flows,” the association’s European head of policy, Alexandre Roure, said in a statement.
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework,” he added.
Monday’s announcement is not the first time the Dutch data protection watchdog has fined Uber. In January, the agency fined it 10 million euros over what it said was the company’s failure to disclose how long it retained data from drivers in Europe or to name non-EU countries it shared the data with.