August 26th, 2024

Dutch DPA fines Uber €290M because of transfers of drivers’ data to the US

The Dutch Data Protection Authority fined Uber 290 million euros for transferring sensitive driver data to the US without adequate protection, violating GDPR, following complaints from French drivers.

The Dutch Data Protection Authority (DPA) has imposed a fine of 290 million euros on Uber for transferring personal data of European taxi drivers to the United States without adequate protection, violating the General Data Protection Regulation (GDPR). The DPA found that Uber collected sensitive information, including account details, location data, and identity documents, and stored it on US servers for over two years without using appropriate transfer mechanisms. The DPA emphasized that businesses must ensure a high level of data protection when transferring personal data outside the EU, especially after the invalidation of the EU-US Privacy Shield in 2020. Uber's failure to use Standard Contractual Clauses after August 2021 led to insufficient protection of drivers' data. The investigation was initiated following complaints from over 170 French drivers, coordinated with the French DPA and other European authorities. This fine is the third imposed on Uber by the Dutch DPA, following previous fines of 600,000 euros in 2018 and 10 million euros in 2023. Uber has expressed its intention to contest the latest fine.

- The Dutch DPA fined Uber 290 million euros for GDPR violations.

- Uber transferred sensitive driver data to the US without adequate protection.

- The investigation was prompted by complaints from French drivers.

- This is Uber's third fine from the Dutch DPA for data protection issues.

- Uber plans to contest the fine.

29 comments
By @pylua - 8 months
Funny thing is, US data is almost always maintained by people outside of the US, at least for banking. The servers may live in the US, but the people accessing it are probably located in Europe or India. This also means that the data lives there temporarily while it is being accessed.

The US definitely needs stronger laws here.

By @irdc - 8 months
In another article (https://nos.nl/l/2534629, Dutch language) Uber claimed to have been talking to the Autoriteit Persoonsgegevens about what they said was an “unclear law”. Via iOS Translate:

> A spokesperson for Uber explains to the NOS that they have also contacted the AP themselves about the ambiguity surrounding the privacy rules. Then, according to Uber, the watchdog didn't say that the company violated the rules.

Which is all fine and dandy but the rule really is that if it’s not clear to you (as a rich and well-lawyered company) that something is permitted, that doesn’t give you the right to then do it.

And yes, the fine really has to be this high: fines can never be just a part of doing business; colouring within the lines has to have the attention of everybody involved, from the shareholders on down.

By @pyrale - 8 months
> Since the end of last year, Uber uses the successor to the Privacy Shield.

Sounds like they're going to get condemned again in the future, seeing how these things get knocked down again and again. The EU commission is really dropping the ball there.

By @childintime - 8 months
Funny they are being fined in the Netherlands, because Uber is almost invisible there, as regular taxis have been protected. I don't have accurate data, but it's at least 15€ per inhabitant, so it seems like a very very steep fine. I can't imagine how much this is per driver, €25000?

It seems the Dutch regulator is saying "why don't you just go away?". The feeling is likely mutual.

By @agentcooper - 8 months
> The Dutch DPA started the investigation on Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.

I wonder on what the initial suspicion from the drivers was based.

By @AlanYx - 8 months
Can anyone explain how this relates to the EU-US Data Privacy Framework (also sometimes called the Trans-Atlantic Data Privacy Framework)?

I thought that that framework was supposed to allow this (as a replacement for the EU–US Privacy Shield framework)? Presumably this wouldn't have been a problem under Privacy Shield (i.e., pre-2020), or am I getting that wrong?

By @wyager - 8 months
We are fortunate to have lived through a brief period where the internet was truly a global network. A person in the Netherlands or Nigeria [1] could access the best technology services the world had to offer. People could more or less interact freely across borders.

Obviously this is coming to an end. Every fiefdom wants their cut and their say, to the point where the internet being a global network is obviously becoming inviable. It was fun while it lasted.

[1]: https://www.reuters.com/technology/nigerias-consumer-watchdo...

By @kmlx - 8 months
> The appeals process is expected to take some four years and any fines are suspended until all legal recourses have been exhausted, according to the DPA.

i guess we’ll hear more about this in 4 years.

By @baxtr - 8 months
They will file it under “cost of doing business in Europe” and add it as markup on their prices.

By @qqcqq - 8 months
This puts the total fines from the EU on American tech businesses at $14.8B in the last few years: https://loeber.substack.com/p/20-no-more-eu-fines-for-big-te...

I think this substack is good, it makes a pretty clear case that US tech companies may not leave Europe any time soon, but they wield the power in the relationship much more so than the Europeans. Those regulators are overplaying their hands.

By @flanked-evergl - 8 months
At this point, I would pay to have my data stored somewhere outside the jurisdiction of the EU.

By @croes - 8 months
I'm confused.

Thanks to the CLOUD Act there is no protection of EU user data no matter the location of the servers.

By @dtquad - 8 months
Does anyone know good best practices and software/DB patterns to model localized GDPR-compliance into global software systems?

I know ASP.NET Core comes with some GDPR-related helpers but it's more interesting to know general best practices and patterns not related to a specific framework.

By @pyaamb - 8 months
Good. This should be applied to Chinese EVs too.

By @philip1209 - 8 months
Which big tech company will be the first to stop doing business in Europe? It's going to happen sooner or later.

By @peterpost2 - 8 months
Seems fair.

By @okasaki - 8 months
Meanwhile the UK handed all of its patient medical records to Palantir.

By @shinycode - 8 months
It’s good to know that GDPR is not just annoying banners.

By @askonomm - 8 months
Love it. Maybe one day U.S. companies will learn that while they can steal and sell their own people's information as they please, and they'll even have their own people brainwashed into such a state of Stockholm syndrome that they will defend the corporations' ability to do so, that's not the culture the EU has, and it won't fly here. Corporations are not the people's identity here; privacy and safety, however, are.

By @shiandow - 8 months
I guess this is always going to raise some eyebrows, with this amount of money it's hard to say it's not political.

However I would like to say that the Dutch privacy authority actually seems pretty sincere at enforcing privacy legislation. It's just that until recently they were just sending angry letters, and now they've been given power to do more than empty threats.