he Dutch Data Protection Authority stated that the data transfers over more than two years constituted a severe breach of the European Union’s General Data Protection Regulation, which requires proper measures to protect user data.
The Dutch DPA chairman, Aleid Wolfsen, emphasized that businesses and governments must care about personal data by the GDPR. Failure to do so, especially when transferring personal data of Europeans outside the EU, is viewed very seriously.
The fine was issued despite the complaints filed by 170 French Uber drivers, as Uber’s European headquarters is in the Netherlands.
Uber, however, contested the decision, claiming that its cross-border data transfer process was compliant with GDPR. The company plans to appeal the decision.
The alleged breach occurred following a 2020 EU court ruling invalidating the Privacy Shield agreement, which facilitated data transfers to the United States. The Dutch data protection agency mentioned that although standard contract clauses could provide a basis for transferring data outside the EU, Uber had not used them effectively, resulting in insufficient protection for the data of EU drivers.
Uber’s use of the successor to Privacy Shield, which began at the end of last year, effectively ended the alleged breach.
The Computer & Communications Industry Association also criticized the fine, arguing that the online business realities after the 2020 EU court ruling were not considered.
This action marks the second time the Dutch data protection watchdog fined Uber. In January, the agency fined the company €10 million for its failure to disclose the duration of data retention from drivers in Europe and the non-EU countries with which it shared data.