Uber has been fined €290 million by the Dutch data protection authority for transferring the personal data of its European drivers to the US without putting in place adequate safeguards.
The Dutch data protection authority said the data transfer, which Uber has now stopped, was a serious breach of the EU’s General Data Protection Regulation (GDPR).
“In Europe, the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care, but unfortunately this is not self-evident outside Europe,” said Aleid Wolfsen, president of the Dutch DPA.
“Think about governments that have access to data on a massive scale. So companies are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the GDPR’s requirements to ensure a level of data protection for transfers to the US. This is a very serious issue.”
The investigation was triggered by complaints from more than 170 French drivers to the French human rights group Ligue des droits de l’Homme (LDH), which then submitted a complaint to the French DPA.
However, because Uber’s European headquarters is based in the Netherlands, the Dutch DPA is the official regulator.
The Dutch data protection authority found that Uber had collected sensitive information about its European drivers and stored it on servers in the United States, including account details and taxi licences, as well as location data, photos, payment information, identity documents and, in some cases, the drivers’ criminal records and medical data.
The transfer lasted more than two years.
There have been and still are many ways to transfer data to the US without violating the GDPR, but the European Court of Justice invalidated the EU-US Privacy Shield in 2020, and Uber stopped using the Standard Contractual Clauses alternative in August 2021. Uber has since switched to a successor to the Privacy Shield.
The Computer and Communications Industry Association (CCIA Europe) said Uber had been put in a difficult position by the EU’s decision to invalidate Privacy Shield in 2020. The move left Western companies without clear guidelines for transatlantic data flows for almost three years, CCIA Europe said.
Meanwhile, the European Commission has banned the use of standard contractual clauses for non-EU companies that are already subject to European data protection rules, meaning companies no longer have an easy mechanism for moving EU data to servers in the US.
“The fact that the Dutch data protection authority decided today to impose huge fines on technology companies for data flows between the EU and the US that occurred in 2021 ignores reality: the world’s busiest internet route could not be shut down for a full three years while the government works to establish a new legal framework for these data flows,” said Alexandre Roulet, head of policy in Europe at CCIA.
“In the absence of a clear legal framework, the retrospective fines imposed by data protection authorities are particularly worrying given that privacy watchdogs have failed to provide any useful guidance at this time of considerable legal uncertainty.”
This is the third fine imposed on Uber by the Dutch DPA, with the company previously fined €600,000 in 2018 and €10 million in 2023. Uber is contesting this latest fine.