Ride-hailing giant Uber has been slapped with a substantial fine by the Netherlands' privacy watchdog for violating the European Union's General Data Protection Regulation (GDPR).
The penalty, amounting to €290 million, or $324 million, is one of the largest imposed on a tech company since the GDPR came into effect.
As Uber continues to roll downhill because of its financial struggles, it now needs to figure out how to get out of this new predicament.
Uber's Data Transfer Violations
According to Reuters, the fine stems from Uber's transfer of drivers' personal data from the EU to the US. The GDPR imposes strict regulations on the transfer of personal data outside the EU, particularly to countries with less stringent privacy protections.
GDPR Penalties and Compliance
The GDPR allows for fines of up to 4% of a company's global annual turnover for non-compliance. While Uber's fine falls short of this maximum, it remains a significant amount, reflecting the seriousness of the data breaches.
Investigation and Complaints
The Dutch regulator, the Autoriteit Persoonsgegevens (AP), initiated an investigation into Uber's data practices following complaints from over 170 drivers in France. The complaints alleged that Uber had failed to adequately protect drivers' personal data during transfers to the US.
"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe," Dutch DPA chairman Aleid Wolfsen wrote in a statement.
Wolfsen also noted that businesses should be obliged to take seriously the storage of European drivers' personal data outside the region. He added that the app did not meet the GDPR's requirements to ensure the level of data protection for transfers to the US.
Uber's Previous Fines and the GDPR
Uber has faced previous GDPR fines, including a €10 million penalty earlier this year. However, the recent €290 million fine is a significant escalation, placing Uber among the tech giants with the largest GDPR penalties.
Data Safeguarding and US Surveillance
The AP determined that Uber had failed to "appropriately safeguard" data transferred outside the EU.
According to TechCrunch, the breach is related to the surveillance programs of US national security and intelligence agencies, which have been found to pose a risk to EU citizens' privacy rights.
The EU-US Data Transfer Dilemma
The clash between EU privacy protections and US surveillance practices has created a challenging environment for US tech giants operating in Europe. The GDPR requires companies to implement additional measures to protect data transferred outside the EU, but this can be difficult when dealing with US authorities.
Uber Claims Compliance With GDPR's Standards
Uber has strongly contested the fine, claiming that its data transfer processes were compliant with the GDPR. The company has vowed to appeal the decision and argues that the legal landscape surrounding data transfers has evolved over time.