Uber has been hit with a substantial €290 million (U.S. $323.7 million) fine by the Dutch Data Protection Authority (DPA) for illegally transferring data on European drivers to American servers and failing to ensure appropriate safeguards for these transfers. The Dutch DPA announced the fine on Monday, emphasizing the gravity of Uber’s violations.
The violations spanned two years, during which Uber collected and transferred sensitive data from European drivers to U.S. servers. This data included account details, taxi licenses, location data, photos, payment details, identity documents, as well as criminal and medical records. The Dutch DPA highlighted that these actions violated the European Union’s General Data Protection Regulation (GDPR).
The investigation that led to this hefty fine began with a complaint filed with the French DPA, which accused Uber of transferring data related to 170 French drivers to the U.S. In response, the Dutch and French DPAs collaborated closely under the GDPR’s one-stop-shop mechanism to investigate and impose the fine.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” stated Aleid Wolfsen, chairman of the Dutch DPA, in the press release. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the U.S. That is very serious.”
This fine is notable as it marks the largest GDPR-related penalty of the year and the most significant since the Irish DPA fined Meta €1.2 billion (U.S. $1.3 billion) in May 2023, according to the GDPR enforcement tracker.
The compliance issues surrounding this case also touch on the EU-U.S. Data Privacy Framework, which succeeded the Safe Harbor and Privacy Shield agreements and aims to ensure that data transferred to the U.S. maintains the same level of protection as it does in the EU. However, opinions are divided on whether this framework, signed in July 2023, is sufficient or even legal.
The Dutch DPA pointed out that Uber ceased using Standard Contractual Clauses in August 2021, leaving the data of EU drivers “insufficiently protected.” This is not the first time Uber has faced penalties from the Dutch DPA, which previously fined the company €10 million (U.S. $11 million) in January and €600,000 (U.S. $674,000) in 2018.
In response to the latest fine, Uber expressed strong disagreement. An Uber spokesperson stated in an emailed response, “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and U.S. We will appeal and remain confident that common sense will prevail.”
By fLEXI tEAM