Uber, one of the world’s largest ride-hailing companies, has been fined €290 million (approximately R$1.7 billion) by the Dutch Data Protection Agency (DPA).
The penalty was imposed due to a “serious breach” of the General Data Protection Regulation (GDPR), one of the world’s strictest data privacy laws, in force in the European Union.
The decision is the result of an investigation that revealed irregularities in the way the American company managed personal information of European drivers.
Uber's Data Collection and GDPR Violation
According to the DPA, Uber collected and stored confidential data from drivers operating on the platform on servers located in the United States.
This information includes taxi license numbers, location data and even medical details of the workers, which should have been handled with extreme care as per GDPR guidelines.
The transfer and storage of this data on US soil was considered a severe violation of European regulations, which require companies to strictly protect the personal data of European Union citizens.
Uber, however, disputes the decision. In a statement, the company described the fine as “completely unjustified” and said it had not committed any wrongdoing. The US company argues that its data storage practices were in line with the guidelines established at the time and that the fine is an incorrect interpretation of the current rules.
Problems with data transfer between continents
The controversy surrounding Uber dates back to a 2020 ruling by the European Union's justice system, which declared that the data transfer framework between the European bloc and the United States no longer met the legal requirements of the GDPR.
This decision created a regulatory vacuum that left many companies, including Uber, without clear guidelines on how to proceed with transatlantic data flows.
During this period, which lasted almost three years, Uber continued to operate under its previous practices, which are now considered inadequate by European authorities.
The European Commission was only able to resolve the issue in July 2023, when it issued a statement saying that the United States had implemented sufficient protection measures for European data.
At the time, Uber said it did not need to make any significant changes to its data storage policy because it believed its practices were already in compliance with the new requirements.
However, the recent investigation and subsequent fine indicate that European authorities disagree with this interpretation.
Uber's impact and appeal
Uber has already announced that it intends to appeal the fine, reaffirming its position that the punishment is unfair. The company argues that during the period in question there were no clear guidelines on how to proceed with the transfer of data between Europe and the United States, which it says left companies operating in legal limbo.
The investigation that led to the fine was prompted by complaints from 170 French drivers who alleged that Uber was breaching their personal information.
European authorities found that the company failed to respond quickly to data requests from drivers and provided incomplete information in its privacy policy about how data was being transferred to the United States. Uber, for its part, denies these allegations and says it has always acted in accordance with applicable data protection laws.
Impact on the technology sector
This case highlights the ongoing challenges faced by technology companies operating in multiple territories with different privacy regulations.
The GDPR, which came into effect in May 2018, imposed strict requirements on the collection, storage and transfer of personal data, profoundly affecting how global companies like Uber operate.
Violation of these rules can result in substantial fines, as evidenced by the current case.
Furthermore, the fine imposed on Uber could serve as a wake-up call for other technology companies operating in Europe, highlighting the importance of ensuring GDPR compliance, especially when it comes to international data transfers.
The complexity of privacy legislation requires companies to be extremely diligent in their data protection practices to avoid severe sanctions.