Uber is facing a large GDPR fine after the Dutch regulator claimed it violated the regulation by storing driver data in the US without adequate safeguards.
The Dutch Data Protection Authority (AP) announced the €290m ($324m) fine yesterday, claiming that it stems from the same concerns which have led to years-long legal wranglings between the EU and US.
Specifically, these are that European residents’ human rights could be imperilled if their data is stored in the US without safeguards, as their personal data could otherwise be accessed and queried by law enforcement and intelligence agencies there.
These same concerns led to the European Court of Justice declaring the EU-US Privacy Shield invalid in 2020.
“In Europe, the GDPR protects people’s basic rights by requiring companies and governments to deal with personal data with care. But outside Europe, that’s sadly not self-evident. Consider governments that may tap data on a large scale,” explained AP chairman, Aleid Wolfsen.
“That’s why companies are often required to take additional measures when they store personal data of Europeans outside the European Union. Uber has not assured the level of protection required by the GDPR for drivers for the transfer of data to the US. That is very serious.”
The AP claimed Uber had not used Standard Contractual Clauses (SCCs) or other means to ensure that residents’ personal data stored on US servers received levels of protection equal to those in the EU.
It said that sensitive personal information included account details, taxi licenses, location data, photos, payment details, IDs and in some cases drivers’ criminal and medical data. These were transferred to Uber’s headquarters in the US for over two years without proper safeguards, it added.
The Case Against AP’s Ruling
Non-profit the Computer & Communications Industry Association (CCIA Europe), which has Uber as a member, argued in response that the period in question – 2021-2022 – was one of great uncertainty after the Privacy Shield agreement was ruled unlawful.
It argued that both European and American companies were left without any clear guidelines for a period of nearly three years, with the uncertainty compounded by disagreements between EU data protection authorities and the European Commission. The latter, it claimed, ruled out SCCs for non-EU companies already subject to European data protection rules.
Alexandre Roure, CCIA Europe’s head of policy, argued that the AP ruling ignores reality.
“The busiest internet route in the world couldn’t simply be put on hold for three whole years while governments worked to establish a new legal framework for these data flows,” he said in a statement.
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide useful guidance during this period of great legal uncertainty, in absence of any clear legal framework.”
Since last year, Uber has been following the successor to Privacy Shield – a Data Privacy Framework negotiated between the EU and US – and is now compliant with the GDPR, AP said.
The AP launched an investigation into Uber after over 170 French drivers filed a complaint with French human rights group, Ligue des droits de l’Homme (LDH), which subsequently filed a complaint with the French privacy watchdog.