Uber has been ordered to pay a record €290 million fine by the Dutch data protection watchdog, as the authority has ruled that Uber transferred personal information about European taxi drivers to the US without appropriate safeguards.
The Dutch DPA found that Uber collected sensitive information of drivers from Europe and retained it on servers in the US. This includes account details and taxi licences, location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.
The authority said this was a "serious violation" of the EU's General Data Protection Regulation (GDPR), as Uber failed to appropriately safeguard the data it was transferring.
Previously the EU-US Privacy Shield provided the legal framework for personal data to be shared between the European Union and the US for commercial reasons.
Evolving data transfer rules between EU and US
In 2020, the EU's Court of Justice ruled that this framework was invalid. However, the court said that companies could still transfer data if they used standardised contracts approved by the European Commission (Standard Contract Clauses).
The EU and US agreed on a new data transfer framework – the Trans-Atlantic Data Privacy Framework – in 2022.
The Dutch DPA highlighted that as Uber stopped using Standard Contract Clauses in 2021, and began using the new data transfer framework at the end of 2023, for more than two years the protection of personal data being transferred between the EU and the US "was not sufficient".
"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care," said Aleid Wolfsen, chairman of the Dutch DPA.
"But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store the personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious," he added.
An 'unjustified' decision
The Dutch DPA launched the investigation into Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which submitted a complaint to the French DPA. As Uber's European headquarters is in the Netherlands, the complaint came under the remit of the Dutch DPA.
This is the third fine that the Dutch DPA has imposed on Uber, following a fine of €600,000 in 2018 and €10 million in 2023.
Fines imposed on companies under EU data protection regulations can reach a maximum of 4% of the worldwide turnover of a business. Uber reported a worldwide turnover of around €34.5 billion last year.
Uber spokesperson Caspar Nixon said that the "flawed decision and extraordinary fine are completely unjustified".
The ride-sharing tech giant maintains that it continued to safeguard data in accordance with GDPR during the period that the EU-US data privacy transfer framework was disputed. "Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail," he said.
Uber has said it "strongly refutes" the decision of the Dutch DPA, and said it will be appealing the decision and fine "in due course".