Uber fined £246mn for personal data transfer

BBC: The ride-hailing app Uber has been hit with a 290 million euros (£246 million; US $ 324 million) fine for transferring the personal data of European drivers to US servers in violation of the EU rules, the Dutch data protection regulator said yesterday.

The Dutch Data Protection Authority (DPA) said the transfers were a “serious violation” of the EU’s General Data Protection Regulation (GDPR), as they failed to appropriately protect driver information.

According to the watchdog, information including ID documents, taxi licences and location data was transferred to the company’s headquarters in the US over a two-year period.

Uber said it would appeal the fine, which it called “unjustified”.

“Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US,” an Uber spokesperson said.

“This flawed decision and extraordinary fine are completely unjustified,” the statement added. While data transfers to the US are allowed under the EU law, there is significant uncertainty around when they can occur without the need for further authorisation. DPA Chairman Aleid Wolfsen said the company failed to meet the GDPR requirements to “ensure the level of protection for the data with regard to transfers to the US.”

“That is very serious,” he added, noting that Uber also failed to appropriately safeguard the data. The DPA said Uber collected sensitive information of European drivers, including taxi licences, location data, photos, payment details, identity documents, “and in some cases even criminal and medical data of drivers”.

It said it started the investigation after more than 170 French drivers complained to a French human rights group, which then filed a complaint with France’s data protection watchdog.

Under the GDPR rules, a business that processes data in several EU countries must deal with the data protection authority where its main office is located. Uber’s European headquarters are in the Netherlands. “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Wolfsen said.