The EU has bared its cyber teeth for the second time in a week. Hard on the heels of the arrest of Telegram founder and owner, Pavel Durov, Uber has been slapped with a $290 million fine for allegedly violating the European Union (EU)’s General Data Protection Regulation (GDPR) by failing to protect personal data of European taxi drivers held on servers located in the US.
The Dutch Data Protection Authority (DPA) enforced the regulation by imposing a fine on Uber, which transmitted European drivers’ personal data to the US, including drivers’ account details, taxi licenses, location data, photos, payment details, identity documents and, in some cases, even criminal records and medical data.
Uber is alleged to have transferred the driver data to its headquarters in the US over a period of more than two years without using any transfer tool, thereby failing to meet the security standards stipulated in the EU’s GDPR.
“Companies are usually obliged to take extra measures if they store personal data of Europeans outside the European Union. Uber has not ensured the level of protection required by the GDPR for drivers for the transfer of data to the US, which is very serious,” says DPA chairman Aleid Wolfsen.
The DPA also imposed a fine of 10 million euros on Uber at the start of this year, claiming that the company had not been sufficiently transparent about how long it kept European drivers’ data and where outside Europe that data had been transferred.
The EU’s tentacles now reach right across the Atlantic
But the size of the latest fine, announced only days after Durov’s shock arrest when he landed in Paris on Saturday, is now fuelling fears that the EU has taken off the gloves in its fight to control and regulate the internet outside as well as inside its own borders. The EU has evidently begun as it intends to continue, and it seems likely that Telegram and Uber will only be the first in a series of examples it intends to make.
The EU’s GDPR extends to any company that holds data on European citizens, even if its corporate headquarters and servers are, in theory, located outside EU jurisdiction. Any US company that does any business in Europe would, therefore, be well advised to monitor its GDPR compliance closely over the coming days and months.