The Dutch data protection authority (DPA) has imposed a hefty fine of 10 million euros ($11 million) on Uber for violating privacy regulations related to its handling of drivers’ personal data. The DPA’s investigation revealed several lapses in Uber’s data protection practices, leading to concerns about the duration of data retention, inadequate security measures for cross-border data transfers, and obstructive practices hindering drivers from exercising their privacy rights.
One of the key findings by the DPA was Uber’s failure to specify in its terms and conditions the duration for which it retained drivers’ personal data. Additionally, the ride-sharing giant was faulted for not detailing the security measures in place when transmitting such data to entities outside the European Economic Area (EEA), without disclosing the specific countries involved.
The authority also highlighted Uber’s alleged obstruction of drivers attempting to exercise their right to privacy by creating unnecessary complexities in the personal data access request process. Despite these concerns, the DPA acknowledged that Uber had taken corrective measures to address some of the identified issues, reported Reuters.
In response to the fine, an Uber spokesperson stated in an emailed statement to Reuters, “The Dutch data protection authority has acknowledged that Uber fixed the small number of ‘low impact’ issues raised by the drivers, while dismissing the vast majority of their claims as unfounded.” The spokesperson emphasized that the company is committed to continuous improvement in its data request processes.
The origins of the investigation trace back to more than 170 French drivers who lodged complaints with a French human rights organization. The organization subsequently filed a complaint with the French data protection authority. However, due to Uber having its European headquarters in the Netherlands, the case was transferred to the Dutch DPA.