The Dutch Data Protection Authority (DPA) has imposed a landmark €290 million penalty on ride-hailing platform Uber.
The fine was imposed because Uber transferred the personal data of European drivers to servers in the United States without putting adequate safeguards in place to protect that information, which the DPA considers a serious breach of the General Data Protection Regulation (GDPR).
In the course of its investigation, the DPA found that Uber collected "sensitive personal information" about its European drivers, including cab licenses, real-time location data and even medical records. This information was stored on U.S. servers, which, according to the Dutch authority, entailed a significant risk, as U.S. regulations do not offer the same level of protection as European privacy laws.
Reason for non-compliance with the General Data Protection Regulation
For the DPA, Uber made these transfers to U.S. databases without "adequately safeguarding the data in connection with these transfers." In addition to the lack of adequate protection measures during the data transfer, the DPA called Uber's conduct a "serious breach" of the European General Data Protection Regulation (GDPR), not only because of the sensitive nature of the information involved, but also because of the lack of transparency towards the drivers concerned. This breach underlines the importance of respecting European rules, which require companies to implement specific mechanisms, such as standard contractual clauses or binding corporate rules, to ensure that data transferred to third countries is adequately protected.
It should be remembered that data protection is not only a legal obligation, but also a matter of trust and business reputation. Failure to comply with data protection regulations can result not only in significant fines, but also in reputational damage that is difficult to quantify and to recover from.