Meta is generally the big name in the news when it comes to GDPR violations involving data transfers to the United States, but the Dutch privacy watchdog has hit Uber with a considerable fine for sending EU driver data overseas.
The Netherlands’ Data Protection Authority (DPA) is fining Uber €290 million, or about $324 million. The fine stems from a complaint lodged by 170 European drivers in 2021, one the agency has already taken action on. In January the DPA responded to the complaint by fining Uber 10 million euros for failing to secure driver data properly when sending it outside of the European Economic Area (EEA), making driver requests for that data too complicated, and failing to be sufficiently transparent about how long it retains stored personal data. Uber had previously referred to these complaints as “low impact” to drivers and largely unfounded.
Netherlands privacy watchdog highlights continued GDPR actions on international data transfers
The EU-US Data Privacy Framework was put into place a little over a year ago, but it has not cleared up all of the lingering international data transfer issues that have emerged since the prior agreement, “Privacy Shield,” was invalidated by the EU Court of Justice in mid-2020. Uber’s statements have noted that the previous three years have been a time of “intense uncertainty” in this area and have indicated that the company plans to appeal the privacy watchdog’s fine. If it does appeal, which first involves a review by the DPA and then a possible follow-up with the Dutch courts, the driver data fine could be on hold for as long as several years.
The fine amount is fairly heavy as the driver data contained quite a bit of sensitive personal information: photo identification documents, payment data, portions of criminal and medical records, taxi licenses and personal contact information among other items. Uber maintains that its transfer of this data was compliant with all requirements of the time, going back at least three years.
This is actually the third fine of Uber by the Netherlands privacy watchdog; the first took place in 2018 and is unrelated to the current driver data complaints. That 600,000 euro fine was issued for failure to properly disclose its infamous 2016 data breach that impacted some 57 million people. Other European countries, such as France and the UK, issued similar fines to Uber over the incident.
Driver data not thought to be compromised by criminals
The headlines might make EU Uber drivers wary of potential compromise of their personal information, but in this case the fine stems from a general principle enforced by the GDPR rather than any specific knowledge of data theft. International data transfers to the US have become contentious due to the US government reserving the right to intercept foreign communications crossing its borders, with little to no recourse provided for these data subjects to learn if their personal information was accessed.
Though Uber insists it was within compliance during the period between the Privacy Shield dissolution and the implementation of the new agreement, the privacy watchdog noted that it was not making use of the Standard Contractual Clauses (SCCs) that allowed for at least some level of legal data transfer to the US during that time. It is thus unclear on what basis Uber is claiming compliance with the rules after it ceased using SCCs in August 2021. Uber has since stopped the practice, and claims compliance with the new EU-US Data Privacy Framework since it went into effect last year, but that leaves a period of at least two years during which driver data may not have been covered.
Though the driver data complaints originated from France, the Netherlands privacy watchdog took point on the case as Uber keeps its European headquarters in Amsterdam. The fine amount represents about 1% of Uber’s global annual revenue and is the sixth-largest issued under the GDPR to date (since the law went into force in 2018), coming in behind only those issued to a small collection of the major social media platforms and Amazon.
The EU-US Data Privacy Framework is holding up legally thus far, but has yet to be fully tested out by the force that took down the prior international data transfer agreements: Max Schrems and his privacy advocacy group “noyb.” The group has announced its intention to challenge the new framework but appears to be taking its time in crafting a formal legal challenge, after an initial tilt at having it dismissed made by a member of the French Parliament was fairly quickly rebuffed by a CJEU ruling. noyb recently filed complaints against the European Parliament regarding the data breach it experienced in May, claiming that it failed to adequately protect employee personal data.