Dutch DPA imposes a fine of 290 million euro on Uber because of transfers of drivers' data to the US

Themes:
Transfer within and outside the EEA
Working in the transport sector
Personnel data

The Dutch Data Protection Authority (DPA) imposes a fine of 290 million euros on Uber. The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers. According to the Dutch DPA, this constitutes a serious violation of the General Data Protection Regulation (GDPR). In the meantime, Uber has ended the violation.

"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care", Dutch DPA chairman Aleid Wolfsen says. "But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."

Sensitive data

The Dutch DPA found that Uber collected, among other things, sensitive information of drivers from Europe and retained it on servers in the US. It concerns account details and taxi licences, but also location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.

For a period of over 2 years, Uber transferred those data to Uber's headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient. The Court of Justice of the EU invalidated the EU-US Privacy Shield in 2020. 

According to the Court, Standard Contractual Clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice. 

Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected, according to the Dutch DPA. Since the end of last year, Uber uses the successor to the Privacy Shield.

Complaints from drivers

The Dutch DPA started the investigation on Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.

Pursuant to the GDPR, businesses that process data in several EU Member States have to deal with one DPA: the authority in the country in which the business has its main establishment. Uber's European headquarters is based in the Netherlands. During the investigation, the Dutch DPA closely cooperated with the French DPA and coordinated the decision with other European DPAs.

Fine for Uber

All DPAs in Europe calculate the amount of fines for businesses in the same manner. Those fines amount to a maximum of 4% of the worldwide annual turnover of a business. Uber had a worldwide turnover of around 34.5 billion euro in 2023. Uber has indicated its intent to object to the fine.

This is the third fine that the Dutch DPA imposes on Uber. The Dutch DPA imposed a fine of 600,000 euro on Uber in 2018, and a fine of 10 million euro in 2023. Uber has objected to this last fine.

Also read

View all current affairs