The Netherlands has fined Uber hundreds of millions of dollars for failing to provide adequate protection for driver data transferred to the US. The fine covers activity dating back to 2021, when Uber stopped using EU-approved model contracts to cover data transfers out of the EU. The model contracts underwent significant revision in 2021, following a series of court decisions that addressed the legality of transferring data to the US and overturned the Privacy Shield program negotiated between the EU and US regulators.
WHY IT MATTERS
The fine is a large one, especially considering the short time period (two years) it covers. It provides continuing evidence of EU regulators' skepticism about transfer of EU data to the US absent tangible privacy measures.
On the plus side: many US companies have wondered whether the model contracts remain a valid mechanism for data transfer. The decision signals that, despite all the court cases about data transfers, model contracts remain a good option (when used correctly) for US companies doing business in the EU.
Uber collected sensitive information from drivers in Europe and stored it on servers in the US. It concerns account details and taxi licenses, but also location details, photos, payment details, identity documents and in some cases even criminal data and medical records of drivers. Uber transferred that data to Uber's U.S. headquarters for over 2 years, without using a transfer tool. As a result, the protection of personal data was not good enough.