Dutch DPA imposes € 290M fine on Uber for transferring drivers’ data to the US
The Autoriteit Persoonsgegevens has issued a fine of € 290 million to Uber for transferring personal data of European taxi drivers to the United States and failing to properly safeguard the data.
The Dutch data protection authority (DPA) launched an investigation into Uber after more than 170 French drivers had filed a complaint with the Ligue des Droits de l’Homme (LDH). The human rights group in turn handed their complaints over to the French DPA, the Commission Nationale de l'Informatique et des Libertés (CNIL).
Europe’s one-stop-shop mechanism dictates that all cross-border privacy-related grievances must be handled by a single lead supervisory authority (LSA). That’s the authority of the EU member state where the headquarters of the company that reportedly violates the General Data Protection Regulation (GDPR) is located. That’s how the case ended up with the Dutch DPA.
The Autoriteit Persoonsgegevens found that Uber collected sensitive information about European drivers, transferred it to the United States and stored it on servers there. The transportation company gathered data like location, photos, identity documents, payment details and taxi licenses. In some cases criminal records and medical information of drivers were collected.
For over two years, Uber transferred personal information of its European drivers to the U.S. without using transfer tools. The Court of Justice of the European Union invalidated the EU-US Privacy Shield back in the summer of 2020. Since then, data can only be transferred from the EU to the United States with so-called Standard Contractual Clauses (SCCs).
Because Uber didn’t use SCCs as a valid legal basis to transfer data to the U.S. from August 2021, the protection of private data was inadequate. Uber argued SCCs weren’t necessary, because the company consisted of separate legal entities that could exchange data among each other due to a joint controller agreement.
According to the Dutch DPA, data was being transferred from the EU to the U.S., even with separate legal entities and a joint controller agreement in place. That’s a violation of article 44 of the GDPR, which sets the general principles for data transfers between European and non-European countries. When the EU-US Data Privacy Framework went into effect in August 2023, Uber ended the privacy violation.
Despite the fact that Uber has ended the privacy violation, the Dutch DPA imposes a € 290 million fine because it believes there was a “major invasion of privacy”.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious,” Dutch DPA chairman Aleid Wolfsen says.
Uber disputes the outcome of the DPA’s investigation and intends to object to the fine.
This is the third fine imposed by the Autoriteit Persoonsgegevens on Uber. In 2018, the transportation company received a € 600,000 fine for reporting a data breach too late. In 2023 Uber got a ten million euro fine for a number of breaches of its duty to inform drivers.