The Dutch Data Protection Authority (DPA) has imposed a fine of 290 million euros on transport giant Uber for violations of the European Union's General Data Protection Regulation (GDPR). Uber was found to have been transferring the personal data of European taxi drivers to the United States (US) without the safeguards the GDPR requires for such transfers. Uber has since ended this violation.
What is the GDPR?
The GDPR is a data protection law enacted by the European Union (EU) to safeguard the personal data of people in the EU. It protects the fundamental rights of individuals by requiring businesses and governments to handle personal data with due care. The GDPR applies to all organisations that handle the personal data of people in the EU, regardless of where those organisations are based, and it protects any information that can identify an individual, such as names, addresses, phone numbers, etc.
The GDPR also defines the following rights for the people (data subjects) whose personal data is being stored or used by organisations:
- Right to be Informed: Data subjects must be informed about how their data is being processed.
- Right to Access: Data subjects have the right to access their personal data.
- Right to Rectification: Data subjects can request that incorrect data be rectified.
- Right to Erasure: Data subjects can request that their personal data be erased.
- Right to Restrict Processing: Data subjects can request that the processing of their personal data be restricted.
- Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to Object: Data subjects can object to the processing of their personal data.
The Indian equivalent of the General Data Protection Regulation (GDPR) is the Digital Personal Data Protection Act, 2023 (DPDPA).
Having left the EU, the United Kingdom (UK) has its own version, the UK GDPR, which closely mirrors the EU regulation.
Uber’s Violations
The Dutch DPA found that Uber collected sensitive information about European drivers and retained it on servers in the US. This included account details, taxi licences, location data, photos, and even medical records of the drivers. Storing the data in the US was not, in itself, a violation of the GDPR.
The violation lay in how the data got there. For over two years, the method Uber used to transfer that data to its US headquarters was not one of the transfer mechanisms the GDPR provides for, and it did not implement sufficient protection measures for the drivers' personal data. The GDPR does allow an alternative transfer method, provided that method guarantees a level of protection equivalent to what the data would have in the EU. According to the DPA, Uber's method did not, and using an inadequate transfer mechanism is a violation of the GDPR.
What Now?
Uber has changed its method of data transfer to a compliant one and is no longer in violation of the law. It has, however, expressed the intent to object to the fine, arguing that after the 2020 ruling by the Court of Justice of the EU (Schrems II, which invalidated the EU-US Privacy Shield) there was a lack of clarity and guidance on how such transfers should be handled.
If Uber objects to the fine, this would initiate an appeal process followed by legal proceedings and judicial review. The court's decision at the end of that process would be binding.
All European DPAs use the same basis for calculating their fines. Fines can amount to a maximum of 4% of a business's worldwide annual turnover (or 20 million euros, whichever is higher). In Uber's case, the fine determined is 290 million euros.
This is not the first time the Dutch DPA has imposed a fine on Uber. There have been two other instances: a 600,000 euro fine in 2018 for violating the Dutch data breach notification rules, and a 10 million euro fine for infringement of privacy regulations in 2023. Uber has objected to the latter.