Another day, another cautionary tale: Uber fined €290m for European data being sent to the US, breaching GDPR ❌ Generally speaking, there has been a loss of control when it comes to collecting and routing customer data. The prevalent use of disparate tracking technologies means businesses have limited ownership over how data is collected and users are tracked. This fragmentation leads to a diminished ability to enforce consistent governance, posing risks to data security, compliance, and overall strategy. To complicate this even further, most companies don't know what tracking tags are on their site, what data those tags are collecting, what those tags are doing, or where that data is going (is it staying in the EU, going to US servers?). And compliance teams are losing sleep. Rightfully so when the consequences result in hundreds of millions in fines. We are here to help. Our private cloud deployment via GKE and GCP Load Balancing can install dedicated clusters for global companies, like Allegro's various European service regions, to help ensure data sovereignty in transit. Ensure no European data leaves the EU, and take back control of your customer data with trailblazing tools like consent enforcement (utilising your CMP like OneTrust)! Learn more here: https://lnkd.in/epJsJcp6 Read about the allegations against Uber here: https://lnkd.in/eCNQTHdR
MetaRouter’s Post
-
Global Data Privacy, Artificial Intelligence & Compliance Leader | Expert in Building & Operationalizing Privacy Programs for Biotech, Healthcare, Life Sciences and Pharma Companies | Fractional General Counsel
What's the risk? This question is crucial, especially when balancing business risk with data privacy compliance requirements. Recently, I was discussing the August 2024 Uber GDPR enforcement action with a few CEOs, which helped to shed light on the growing trend of regulators targeting companies beyond tech giants like Amazon, Google, and Meta, for data privacy violations. While I predicted this shift was coming, now more than ever, it's evident that businesses face increasing complexity and uncertainty due to the proliferation of diverse privacy regulations affecting data handling here in the US and around the world. Even seemingly minor issues like data transfers will draw regulators' attention. Uber's preventable infraction serves as a valuable lesson for companies engaging in EU to US data transfers. Utilizing available transfer tools can avert costly penalties and litigation, while preserving trust and reputation. Interested in safeguarding your company against data transfer risks? Connect with me at todd@privacyaviator.com. At Privacy Aviator, we specialize in assisting companies with personal data transfer strategies to ensure data privacy compliance.
Dutch DPA imposes a fine of 290 million euro on Uber because of transfers of drivers' data to the US
autoriteitpersoonsgegevens.nl
-
MarTech Chief Operating Officer (COO)| Top Digital Marketing Voice | Speaker | Professor| Digital Marketing Risk & Governance Advisor | Creator of P for Platforms Modernizing the 4P's Media Mix Model
🚘 Uber goes from "Rideshare King" to "Data Breach Queen", they have found themselves in a Data Privacy Debacle. A Global Lesson for all companies that collect personal data. 🔍 As a marketing professional focused on risk and compliance, I've been closely following the evolving landscape of GDPR, US state and Canadian provincial data privacy laws. While juggling morning back-to-school chaos, I stumbled upon a headline from the BBC that caught my attention: "Uber fined €290m for personal data transfer." 🌍 The ride-hailing app Uber was hit with a hefty fine for illegally transferring European driver data to US servers, violating EU's GDPR, according to the Dutch Data Protection regulator. Uber calls the fine unjustified. Regardless, this highlights the global reach and importance of data protection, no matter where you are in the world. 📜 While many marketers today generally associate privacy laws with EU’s GDPR, California’s CCPA, and Canada's Quebec Law 25, there's a growing patchwork in the US. 6 US states now have data privacy laws, with 12 more, including Texas, on the horizon as early as Oct 1, 2024! 💼 It is important for businesses that serve the US to note that each of the 17 states has data privacy laws unique to their state, therefore businesses are required to navigate a complex and ever-changing regulatory environment when obtaining and storing personal information of any person for which data is collected in relation to their business. Read the state-to-state privacy summary here: https://lnkd.in/gZ884ug5 Uber's hefty fine serves as a stark reminder of the global reach and importance of data privacy regulations. It’s pretty clear that over time companies must prioritize compliance, regardless of their international operations and varying regulations because all of these rules are coming close to home.
🤔 Do you think it’s worth putting in significant effort to understanding the daunting data privacy laws by state to avoid becoming the next Uber now or wait until more North American laws are in place? #dataprivacy #marketing #compliance #statelaws #uber #gdpr #digitalmarketing Links: https://lnkd.in/gZ884ug5
-
🚨 Takeaways from the Dutch Uber case

On 22 July 2024, the Dutch Data Protection Authority fined UBER B.V. and UBER TECHNOLOGIES INC. €290 million for transferring personal data outside the EU without sufficient guarantees. 💼

For a period of over 2 years, Uber transferred sensitive information of drivers to Uber's headquarters in the US, without using transfer tools such as the Standard Contractual Clauses (SCCs). It is interesting to note that Uber refrained from using the SCCs because of a statement made by the EU Commission in its FAQ. 📝

In the procedure, Uber specifically argued that according to the EU Commission's FAQ, the SCCs cannot be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR. Therefore, given that the US entity is subject to the GDPR according to Article 3 of the GDPR, Uber stated that it decided not to use the EU SCCs. However, the Dutch DPA concluded that Uber could in no way have inferred from these statements that SCCs or other transfer instruments need not be used, and imposed the fine.

Ultimately, this decision is a reminder that:

📌 As mentioned in the EDPB's guidelines 05/2021, the specific rules for data transfers to third countries (Chapter V GDPR) apply in particular where "the importer is in a third country, whether or not that importer is subject to the GDPR". The question therefore remains as to whether there is an appropriate transfer tool for this situation. 🛠️

📌 Similar to the EU Commission's FAQs, the EDPB states in its guidelines that the "Article 3 situation should be taken into account in order not to duplicate the GDPR obligations but rather to address the elements that are related specifically to the risks associated with the importer being located in a third country". 🌐

📌 As there are no SCCs yet that address these situations (although the Commission has announced them), it is better to use the SCCs than no transfer tools to minimise the risks. In its second report on the application of the GDPR, published at the end of July 2024, the Commission confirmed that it is working on new SCCs addressing these cases (pp. 27 and 28). 🔍

📌 Finally, the case shows that the risks associated with transfers to third countries often cannot be eliminated simply by concluding SCCs, but that other measures need to be taken. 🔐

👉 The press release including a link to the decision (only available in Dutch) can be found here: 🔗 https://lnkd.in/eiwU2VDS

#GDPR #DataProtection #EURegulations #DataTransfers #CyberSecurity #DataGovernance
Dutch DPA imposes a fine of 290 million euro on Uber because of transfers of drivers' data to the US
autoriteitpersoonsgegevens.nl
-
The Dutch Data Protection Authority (AP) has imposed a fine of €10 million against Uber Technologies, Inc. and Uber B.V. (‘Uber’). The fine is in response to the company's failure to disclose the full details of its retention periods for data concerning European drivers, or to name the non-European countries in which it shares this data. The DPA also found that Uber had obstructed its drivers’ efforts to exercise their right to privacy. The DPA imposed the fine after more than 170 French drivers complained to the French human rights organisation Ligue des droits de l’Homme et du citoyen (LDH), which in turn submitted a complaint to the French data protection authority. As Uber has its European headquarters in the Netherlands, this complaint was forwarded to the Dutch DPA. AP chairman Aleid Wolfsen: ‘Drivers have the right to know how Uber handles their personal data. However, Uber did not explain this with sufficient clarity. It should have informed its drivers better and more diligently in this regard. Transparency is a fundamental part of protecting personal data. If you don’t know how your personal data is being handled, you can’t determine whether you are being put at a disadvantage or treated unfairly. And you can’t stand up for your rights.’ The DPA found that Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data. Although the app for drivers contained a form for requesting access to their data, it was located deep within the app and spread across various menus, and could have been placed in a more logical location. Uber dealt with access requests by placing information in a file, in which personal data was not always arranged in a clear manner, thereby making it difficult to interpret. 
In addition, Uber did not specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the EEA. Link in the comments! #Privacy #GDPR #Tietosuoja
-
Uber Hit with $324 Million EU Fine for Improper Data Transfer

Uber is facing a hefty fine of €290 million ($347 million) for mishandling the transfer of driver data from the EU to the US. Since its inception, this is one of the largest penalties levied under the GDPR. The Dutch Data Protection Authority accused Uber of failing to safeguard European drivers' personal data during the transfer adequately. The data included sensitive information such as account details, taxi licenses, location data, photos, payment details, identity documents, and even criminal and medical data. Uber's transfer methods were deemed insufficient to protect this data, violating GDPR regulations. The fine serves as a stark reminder to companies that data privacy is a top priority in the EU, and failure to comply can result in severe financial consequences. If you would like a free consultation to explore how MatrixPoint can assist you in mitigating data privacy risks, please email MatrixPoint at info@matrixpointconsulting.com https://lnkd.in/e2WJ2fwJ
Uber hit with $324 million EU fine for improper data transfer
theverge.com
-
Not local news, but news that impacts a well-known company. Uber, a ride-hailing app, has recently been fined for transferring personal data of European drivers to US servers. While this may seem harmless on the surface, the act violates EU rules as the company allegedly failed to appropriately protect the information of drivers. Uber, however, shares their perspective, stating that the data transfer process was compliant. You can read the full article linked below, and let me know--what are your thoughts on the matter? #DataPrivacy #Compliance #Data
Uber: Dutch watchdog fines app €290m for driver data transfer
bbc.com
-
Data Protection Compliance | Ethics & Trustworthiness under AI & ML | EU & US Digital Laws | Digital Consumer Protection Law | Lecturer @ Reichman University & BGU University | Ph.D in EU Digital Law | Author
It took me a few days to address the Uber case, but it's worth paying attention to

Bottom line: Uber’s fine was largely avoidable, and there’s a strong case for reversing the decision.

Recently, Uber was slammed with a staggering €290 million fine for multiple violations involving cross-border intra-company data transfers. The penalty stemmed from Uber’s failure to adequately safeguard the personal data of European drivers transferred to the U.S. over two years, without appropriate data transfer mechanisms following the invalidation of the Privacy Shield. Following the #Schrems II ruling and the introduction of updated Standard Contractual Clauses (SCCs) in 2021 (see article 1 of the SCCs), Uber decided to remove the SCCs from its internal data sharing agreement on August 6, 2021. This was because Uber’s subsidiaries were already fully subject to GDPR regulations, making the inclusion of SCCs unnecessary. This decision led the Dutch DPA to conclude that the protection of drivers’ data was insufficient, ultimately resulting in the substantial fine. (BTW, Uber did refer to Article 49 of the GDPR, which provides derogations for specific situations, but it remains unclear if this was the most appropriate or strongest argument they could have made.) This brings us to a strong case for reconsidering the decision. Essentially, Uber didn’t need to implement SCCs between its European and US subsidiaries, as they were already fully subject to GDPR requirements. The delay in writing this post was worthwhile, as the European Commission recently announced a public consultation on new SCCs, expected to be adopted in the second quarter of 2025. These SCCs will address situations where the data importer is located in a third country but is directly subject to the #GDPR — a gap in the current SCC framework and precisely the issue at the center of the Uber fine. (https://lnkd.in/dP2Mjq4p) Even today, challenges remain in implementing compliance in certain situations.
Despite companies investing significant effort in this area, we are still navigating a relatively new era—although the GDPR may sometimes feel less like a novel regulation. https://lnkd.in/dDaw2UuF
-
💶 Uber has been fined €290 million in the Netherlands for transferring drivers' personal data - such as taxi licences, location data and even medical records - to the United States. Uber made these transfers without "appropriately safeguarding the data", according to the Dutch DPA. Uber claims it complied with the GDPR during three years of "immense uncertainty" between the US and the EU over how the rules would be applied. The problem, according to Uber, dates back to 2020, when the EU Court of Justice ruled that the current EU-US data transfer framework was no longer compliant with the GDPR. Read more 👇

#SypherPrivacyTalks Stay tuned for more: 📌 follow the Sypher Solutions company page. We'll keep you updated on #dataprotection, #privacy, #privacymanagement, #GDPR, #GDPRcompliance, #DPO, #cookies, #consent.
Uber fined €290 million for transferring EU driver data to the US
euronews.com
-
Tech & Privacy Lawyer | Founder and Partner @ Nordx Legal | IT Law, Data Protection, Privacy & Cybersecurity
The Dutch Data Protection Authority (AP) is imposing a fine of €10 million on Uber Technologies, Inc. and Uber B.V. (‘Uber’). The fine is in response to the company's failure to disclose the full details of its retention periods for data concerning European drivers, or to name the non-European countries in which it shares this data. The DPA also found that Uber had obstructed its drivers’ efforts to exercise their right to privacy. This is interesting and the next paragraph from the press release is worth paying attention to by anyone developing applications which process personal data (just yesterday, I was explaining a similar problem in data processing as an example in a #privacybydesign training - the message should be clear: data protection needs to be embedded into the system design so that the user would be in control of his or her data): "Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data. Although the app for drivers contained a form for requesting access to their data, it was located deep within the app and spread across various menus, and could have been placed in a more logical location. Uber dealt with access requests by placing information in a file, in which personal data was not always arranged in a clear manner, thereby making it difficult to interpret." #GDPR #dataprotection #personaldata #transparency #enforcement #uber
Uber fined €10 million for infringement of privacy regulations
autoriteitpersoonsgegevens.nl
-
"Drivers have the right to know how Uber manages their personal data. However, Uber has not explained this with sufficient transparency," said Aleid Wolfsen, chairman of the Dutch Data Protection Authority (#DPA). On Wednesday January 31, the Dutch regulator declared that Uber should pay a fine of $10.8 million (€10 million) for lack of transparency in the handling of its European drivers' personal #data. The sanction was triggered by a collective complaint filed by the Ligue des droits de l'Homme (#LDH), after 170 French drivers raised the alarm. The LDH complaint was then forwarded to the Netherlands, as Uber's European headquarters are in Amsterdam. First of all, the DPA criticizes Uber for having made it "unnecessarily complicated" for its European drivers to consult and copy their personal data. However, the Uber application does contain a form for accessing this data. But according to the regulator, this was very difficult to find and "could have been placed in a more obvious place". The authority also felt that the files they were given "were not always organized in a clear manner, making them difficult to interpret". Secondly, the multinational, which employs 120,000 drivers in Europe, did not inform its drivers how long their personal data would be stored. Finally, the regulator denounces the lack of information on the security measures put in place, when these personal data are transferred outside the European Economic Area (#EEA). "This shows that Uber has put in place all kinds of obstacles preventing drivers from exercising their right to privacy," adds Aleid Wolfsen.