On 26 August the Dutch Data Protection Authority (DPA) fined Uber EUR 290 million for a breach of the General Data Protection Regulation (GDPR). Following a number of complaints from French Uber drivers, the DPA found that Uber transferred personal data relating to European drivers to the US without adequately protecting those data in doing so. The DPA marked this 'a serious violation of the GDPR'.
The Dutch DPA is responsible for the investigation because Uber's European headquarters is in the Netherlands. The Dutch DPA worked closely with CNIL, the French DPA, and also coordinated the fine decision with other European data privacy regulators.
Among other things, Uber collected sensitive information from drivers in Europe and stored it on servers in the US. These data included not only account information, licences and location data, but also pictures, payment information, ID copies and in some cases even criminal and health-related data from drivers – categories that are subject to extra protection under the GDPR.
Uber had been transferring these types of data to Uber's headquarters in San Francisco for over two years without using the EU Model Standard Contractual Clauses (SCCs) for transferring the data – and also without the drivers' explicit consent. As a result, the protection of their personal data was not sufficiently guaranteed.
Instead of using the SCCs, Uber in the US had been using the successor to the so-called 'Privacy Shield' since 2023 (in other words, the previous regime for transferring data to the US – a regime that has since been held to be insufficient), claiming this was enough. The Dutch DPA ruled against this.
The fine is the third one to be imposed by the Dutch DPA on Uber (in 2018 Uber was fined EUR 600,000 and in 2023 EUR 10 million). The fine of EUR 290 million is by far the biggest fine imposed by the Dutch DPA in its history.
The chairman of the Dutch DPA stated:
"In Europe, the GDPR protects people's fundamental rights by requiring companies and governments to handle personal data with care. But outside Europe, unfortunately, this is not self-evident, considering that there are governments that can intercept personal data on a large scale. This is why companies are obliged to take extra measures if they store personal data of Europeans outside the European Union. Uber has not ensured the level of protection required in the GDPR for drivers when transferring data to the US. This is very serious."
Uber has announced that it will appeal against the fine.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.