Alleges Uber collected driver data and transferred to the US without safeguards.
The Dutch Data Protection Authority has fined Uber €290 million (£245 million) for a breach of GDPR when it gathered sensitive data from European drivers and then transferred to the US without appropriate safeguards.
The data was stockpiled at Uber’s US headquarters over the course of more than two years, and included location data, photos, payment details and identity documents, reports The Record.
The Dutch DPA also alleges Uber took criminal and medical data from drivers in some cases, and that Uber failed to use “transfer tools” when it moved the data, leading to inadequate protections.
In response, Uber said it would appeal the fine, which it called "unjustified", pointing out that the cross-border data transfer process was compliant with GDPR during a three year period of immense uncertainty between the EU and US.
The Dutch DPA also issued a fine of €10 million on Uber in January, in response to the company's failure to disclose the full details of its retention periods for data concerning European drivers, or to name the non-European countries in which it shares this data.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.