£245 million fine for data breach: Uber to appeal Dutch ruling

£245 million fine was imposed on a taxi company by the Dutch authority for transferring the private data of European drivers to the USA. Uber's actions were found to violate EU privacy regulations (GDPR). The company criticised this decision and announced an appeal.

According to the Dutch Data Protection Authority (DPA) Uber transferred drivers' data from Europe to the United States for over two years and did not secure it properly.

The DPA emphasised that "this constitutes a serious violation of the General Data Protection Regulation," referring to the privacy regulations effective in the EU, known by the acronym GDPR.

Uber denies violating EU regulations. "This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and the U.S," the company wrote in a statement. According to Reuters, "the company would appeal and was confident that 'common sense will prevail.'"

According to the AP, the regulation violation was alleged to have occurred following the ruling by the EU Court of Justice in 2020, which invalidated the so-called Privacy Shield—a mechanism used by companies operating in the EU for sending data to the USA—due to concerns it allowed US authorities to access those data.

Uber can appeal the fine decision to the DPA, and if unsuccessful, it can challenge it in a Dutch court. The entire appeal process may take about four years, and until all appeals are exhausted, the fine is suspended - reported Reuters.

The proceedings against Uber were initiated in response to a complaint filed in France by a local human rights organisation on behalf of over 170 drivers. The matter was referred to the DPA because Uber’s European headquarters are registered in the Netherlands. The French Data Protection Authority (CNIL) cooperated with the DPA in the proceedings.

This is not the first fine the DPA has imposed on Uber. In January, the Dutch authority fined the company £8,5 million for failing to disclose how long it stored drivers' data in Europe or to which countries outside the EU it sent them - reminded AP.