Netherlands fines Uber €290M for improper EU-US driver data transfers
- Reference: 1724688607
- News link: https://www.theregister.co.uk/2024/08/26/uber_fined_eu_us_data/
- Source link:
[1]According to the Dutch Data Protection Authority (DPA), Uber spent years sending sensitive driver information from Europe to the US. Among the data that was transmitted were taxi licenses, location data, payment details, identity documents, and medical and criminal records. The data was sent abroad without the use of "transfer tools," which the DPA said means the data wasn't sufficiently protected.
"Businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union," Dutch DPA chairman Aleid Wolfsen said of the decision. "Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."
[2]
The Dutch DPA said that the investigation that led to the fine began after complaints from a group of more than 170 French Uber drivers who alleged their data was being sent to the US without adequate protection. Because Uber's European operations are based in the Netherlands, enforcement for GDPR violations fell to the Dutch DPA.
[3]
[4]
Unfortunately for Uber, it already has an extensive history with the Dutch DPA, which has fined the outfit twice before.
The first came in 2018 when the authority fined Uber €600,000 for failing to report a data breach (a slugfest that [5]several EU countries joined in on). The latter [6]€10 million fine came earlier this year after Dutch officials determined Uber had failed to disclose data retention practices surrounding the data of EU drivers, refusing to name which countries data was sent to, and had obstructed its drivers' right to privacy.
Uber asks officials to remember their history
This latest fine appears to be a step too far for Uber, which told The Register it intends to appeal the Dutch DPA's decision because it said it had no clear instructions on how to do otherwise.
"This flawed decision and extraordinary fine are completely unjustified," an Uber spokesperson told us in an emailed statement. "Uber's cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US."
[7]Uber driver info stolen yet again: This time from law firm
[8]Leaked Uber docs reveal frequent use of 'kill switch' to deactivate tech, thwart investigators
[9]'One Less Car' Uber bets a grand you'll ditch your wheels
[10]Uber ex-CSO Joe Sullivan: We need security leaders running to work, not giving up
The uncertainty Uber refers to stems from the EU's [11]striking down of the EU-US Privacy Shield agreement and the [12]years of efforts to replace it with a new rule that defines the safe transfer of personal data between the two regions.
Uber claims it's done its job under the GDPR to safeguard data belonging to European citizens - it didn't even need to make any data transfer process changes to comply the latest rules.
[13]
The striking down of Privacy Shield, [14]according to the Computer and Communications Industry Association of Europe, left companies doing business in the EU and US with "virtually no legal bases to move data to the US" between 2020 and the final [15]passage of the Data Privacy Framework in 2023.
That framework has helped smooth the road going forward, but "it does not account for the three-year legal gap left behind," the CCIA said.
"The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows," said CCIA Europe head of policy Alexandre Roure.
[16]
We're told Uber has one week left to file its objection, and that the fine must be paid after appeals have been exhausted - a process the outfit claims could buy it as many as four years of stalling to avoid having to pay out. ®
Get our [17]Tech Resources
[1] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zsz7Bre24v-rEphUv-8SMQAAANA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsz7Bre24v-rEphUv-8SMQAAANA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsz7Bre24v-rEphUv-8SMQAAANA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2018/12/20/uber_france_400k_euro_fine_for_2016_hack/
[6] https://www.autoriteitpersoonsgegevens.nl/en/current/uber-fined-eu10-million-for-infringement-of-privacy-regulations
[7] https://www.theregister.com/2023/04/03/uber_drivers_info_stolen/
[8] https://www.theregister.com/2022/07/11/uber_leak/
[9] https://www.theregister.com/2024/06/27/uber_one_less_car/
[10] https://www.theregister.com/2024/06/08/uber_cso_joe_sullivan/
[11] https://www.theregister.com/2020/07/16/privacy_shield_struck_down/
[12] https://www.theregister.com/2022/10/10/privacy_shield/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsz7Bre24v-rEphUv-8SMQAAANA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[14] https://ccianet.org/news/2024/08/ubers-eu-us-data-flows-ccia-europe-statement/
[15] https://www.theregister.com/2023/10/11/uk_us_data_bridge/
[16] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/legal&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsz7Bre24v-rEphUv-8SMQAAANA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[17] https://whitepapers.theregister.com/
It does matter. The data should never have left the EU and there was no need for it with a European subsidiary. Various other US companies have the same problem and most seem to manage without incurring large fines, at least in this regard.
No, they simply haven't been sued yet.
If you think Microsoft and Google (to name just two) aren't on the radar of the privacy authorities, I've got a very nice bridge for sale.
For the CLOUD Act to get involved, the USA has to issue a warrant, and even that can be challenged. It provides no defence against a company shipping EU personal data to its USA server because that is just how they do things.
I don't understand.
I understand why a company like Uber wants to collect theetails of their employees/opetatives on the varios countries that they operate.
What I don't understand is why they need to ship this data to another juristiction. What use is this data to someone in the USA operation? I cant see it affecting their operation on the ground one jot so compliance should be easy.
Am I missing something or are these people idiots?
Wahhhh...No way for us to comply...
...well you could have set up European servers and processed data there.
You have zero privacy anyway. Get over it
Scott McNealy (1999): “ You have zero privacy anyway. Get over it ”
AFAIK they're a US company and thus exposed to the US CLOUD Act so it doesn't matter whether or not they transfer data to the US or by what means.