Topics
Latest
AI
Amazon
Image Credits:Getty Images
Apps
Biotech & Health
Climate
Cloud Computing
Department of Commerce
Crypto
Enterprise
EVs
Fintech
Fundraising
widget
bet on
Government & Policy
Hardware
Layoffs
Media & Entertainment
Meta
Microsoft
seclusion
Robotics
security system
societal
blank
Startups
TikTok
Transportation
Venture
More from TechCrunch
Events
Startup Battlefield
StrictlyVC
Podcasts
Videos
Partner Content
TechCrunch Brand Studio
Crunchboard
Contact Us
Ride - acclaim platform Uber has been fined € 290 million — around $ 324 million at current exchanges rates — by the Netherlands ’ concealment guard dog for breaching the European Union ’s General Data Protection Regulation ( GDPR ) .
The penalisation is related to transfers of personal information of driver out of the European Union to the U.S. , where Uber ’s main clientele is site . The GDPR allows for amercement of up to 4 % of world-wide annual turnover to be raise for non - compliance .
Uber ’s full - class revenue for 2023 was around € 34.5 billion — so the level of sanction is well below that maximum . However , it is still a notable amount as it ’s among the largest penalty levy on a technical school company since the GDPR set out operate back in 2018 .
The fine is the issue of a series of complaints made by more than 170 Uber drivers in France back in 2021 . The Dutch regulator , the Autoriteit Persoonsgegevens ( or AP ) , lead on GDPR oversight of Uber as the company has its master EU administration in the country . It investigated complaints over how the company processes the drivers ’ personal data . complaint were submitted through a human rights system , Ligue des droits de l’Homme ( LDH ) , to France ’s privacy watchdog and then transcend to the AP .
InJanuary , Uber was fin € 10 million for data accession right come to to the same complaints . But the unexampled fine announced Monday dwarfs the earlier penalty — landing it a new spot on the inclination oftech giants sting with the 10 biggest GDPR fines , just below mid - table .
The size of the penalty reflect the seriousness of the breach , per the AP , which wrote in apress releasethat Uber had failed to “ appropriately safeguard ” information which it transplant out of the EU — dub that “ a serious ravishment . ”
The data safeguarding problem relates to U.S. internal security intelligence agency surveillance broadcast which — in the wake of the 2013 revealing by NSA whistleblower Edward Snowden — courts in Europe have repeatedly found to vex a risk to the data point protection and concealment rights of EU people . This is an issue because GDPR protections are supposed to journey with Europeans ’ data .
Join us at TechCrunch Sessions: AI
Exhibit at TechCrunch Sessions: AI
U.S. technical school whale , which are responsible for driving much of the EU - U.S. data flows , have essentially been fascinate in the middle of this clank for years . business concern model that swear on data mining ( and therefore approach to personal data point in the cleared ) are also particularly exposed to the secrecy legal peril .
“ In Europe , the GDPR protects the fundamental right of people , by need businesses and governments to manage personal information with due care . But sadly , this is not ego - unmistakable outside Europe , ” wrote Dutch DPA chairperson Aleid Wolfsen in a statement . “ Think of administration that can tap data on a large scale . That is why businesses are usually obligate to take additional measure if they store personal data of Europeans outside the European Union . Uber did not adjoin the requirements of the GDPR to ensure the level of protective cover to the data with regard to transfers to the US . That is very serious . ”
The ill against Uber were made during a period when there was no mellow - stage data transfer framework agreed between the EU and the U.S. InJuly 2020the bloc ’s top court attain down a mechanism known as Privacy Shield that the fellowship , and M of others , had been trust on for authorizing their information exportation .
A unexampled EU - U.S. data transfer slew was not agreed on and adopted untilJuly 2023 — intend there was a full point of three year with high sound uncertainty around data exports .
Digital troupe have been particularly expose over this period , given the datum - drive nature of their businesses . And Uber is not the only tech giant to have been sting : Meta was hit witha record - intermit GDPR penalty of € 1.2 billion back in May 2023over the same core issue . Several DPAs alsowarned against use of Google Analytics .
In Uber ’s grammatical case the Dutch DPA said the datum it take in and exported included “ sensitive ” gadget driver data , include history details , taxi licenses , location data , pic , defrayment details , identity documents and . in some cases . even criminal and medical datum of drivers .
“ For a period of time of over 2 year , Uber remove those data to Uber ’s headquarters in the US , without usingtransfer tools . Because of this , the protective covering of personal data was not sufficient , ” it write .
Uber is not happy about the penalty . It denies any non - abidance and has vow to file an appeal against the enforcement in motor inn .
Uber spokesman Caspar Nixon email TechCrunch a program line in which the party writes : “ This flawed decisiveness and extraordinary fine are completely unjustified . Uber ’s cross - border datum transfer process was compliant with GDPR during a 3 - class period of Brobdingnagian incertitude between the EU and US . We will appeal and remain confident that coarse sentience will prevail . ”
The ship’s company claims it seek guidance from the AP during the period where there was no gamey - layer EU - U.S. data transfer passel , but says the regulator did not provide it with any clarity that there were problems with its physical process .
The AP suggest Uber has been in obligingness since the end of last year when it started to use the successor to Privacy Shield . Uber claims the process that are now considered compliant under this new data carry-over framework are the same unity it used before . So , basically , its argument is that the legal goalposts have moved .
However , during the period when there was no gamy - point EU - U.S. transfer great deal , the bloc ’s concealment regulators warned companies they were responsible for ensuring any data export complied with the rule .
European Data Protection Boardguidancefrom this period provided information on additional measure the data executive program said party may need to apply to raise the level of security on datum exports to ensure their data flows were GDPR compliant — such as interchange to data localisation or apply figure of “ zero access code ” encoding that mean exported data can not be get at .
Uber ’s spokesman could not immediately confirm whether it applied any such extra measures during the period .
