Uber Fined $478 Million For ‘Serious’ Data Breaches
It began with complaints from more than 170 French Uber drivers, and ended with the ride-share company being slapped with a 290 million euro (A$478 million) fine for transferring data across the Atlantic without taking satisfactory precautions.
In some cases the transferred data included drivers’ medical data and criminal histories.
The Dutch Data Protection Authority (DPA) said it started the investigation into Uber after the drivers complained to a French human rights group, which then made representations to the French DPA.
According to Europe’s General Data Protection Regulation (GDPR), “businesses that process data in several EU Member States have to deal with one DPA: the authority in the country in which the business has its main establishment”.
Uber’s European headquarters is based in the Netherlands.
“During the investigation, the Dutch DPA closely cooperated with the French DPA and coordinated the decision with other European DPAs,” said the Dutch DPA.
The Dutch DPA found that “Uber transferred personal data of European taxi drivers to the United States and failed to appropriately safeguard the data with regard to these transfers … this constitutes a serious violation of the GDPR. In the meantime, Uber has ended the violation.”
Dutch DPA chairman Aleid Wolfsen said European countries required business and government to “handle data with due care … but sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”
All DPAs in Europe employ the same calculation when setting fines. The maximum is 4% of the worldwide annual turnover of a business.
“Uber had a worldwide turnover of around 34.5 billion euro in 2023,” the Dutch DPA said.
It noted “Uber has indicated its intent to object to the fine”.
The BBC quoted Uber: “Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US. This flawed decision and extraordinary fine are completely unjustified.”
The Dutch DPA found that “Uber collected, among other things, sensitive information of drivers from Europe and retained it on servers in the US. It concerns account details and taxi licences, but also location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers. For a period of over 2 years, Uber transferred those data to Uber’s headquarters in the US, without using transfer tools.”
This is the third fine the Dutch DPA has imposed on Uber – the previous two being a 600,000 euro fine in 2018 and a 10 million euro fine in 2023 (Uber has objected to this fine).