Dutch DPA fines Uber €290 Million for unlawful data transfers to US

Dutch Data Protection Authority imposes massive fine on Uber for transferring European drivers' data to US without adequate safeguards.


The Dutch Data Protection Authority (DPA) today announced a substantial fine of €290 million against Uber for violating the General Data Protection Regulation (GDPR). The regulatory body found that the ride-hailing giant had improperly transferred personal data of European taxi drivers to the United States without implementing adequate safeguards.

According to the Dutch DPA, Uber collected sensitive information from drivers across Europe and stored it on servers in the United States for over two years. This data included account details, taxi licenses, location data, photographs, payment information, identity documents, and in some cases, even criminal and medical records.

The investigation revealed that Uber had failed to use appropriate transfer tools when moving this data to its US headquarters. This oversight left the personal information of European drivers insufficiently protected, particularly in light of the 2020 ruling by the Court of Justice of the European Union that invalidated the EU-US Privacy Shield agreement.

Aleid Wolfsen, chairman of the Dutch DPA, emphasized the gravity of the situation: "In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union."

The regulatory action stemmed from complaints filed by more than 170 French drivers to the Ligue des droits de l'Homme (LDH), a French human rights organization. The LDH subsequently submitted these complaints to the French DPA. As Uber's European headquarters is based in the Netherlands, the Dutch DPA took the lead in the investigation, working closely with its French counterpart and coordinating the decision with other European data protection authorities.

The fine imposed on Uber represents a significant portion of the maximum penalty allowable under the GDPR, which can reach up to 4% of a company's worldwide annual turnover. In 2023, Uber reported a global turnover of approximately €34.5 billion, putting the €290 million fine into perspective.

This marks the third time the Dutch DPA has fined Uber. In 2018, the company was ordered to pay €600,000, and in 2023, it faced a €10 million penalty. Uber has indicated its intention to object to this latest fine, as it has done with the 2023 penalty.

The case highlights the ongoing challenges multinational companies face in complying with data protection regulations across different jurisdictions. The invalidation of the EU-US Privacy Shield in 2020 created a complex landscape for transatlantic data transfers, requiring companies to implement alternative safeguards.

Standard Contractual Clauses (SCCs) remained a potential basis for transferring data outside the EU, but only if an equivalent level of protection could be guaranteed in practice. The Dutch DPA found that Uber had stopped using SCCs from August 2021, leaving the data of EU drivers inadequately protected.

The regulatory body noted that Uber has since addressed the violation by implementing new measures. The company now uses the successor to the Privacy Shield agreement, which aims to provide a more robust framework for EU-US data transfers.

This case underscores the importance of data localization and the need for companies to carefully consider their data transfer practices. It also demonstrates the willingness of European regulators to impose significant penalties for GDPR violations, particularly when they involve the transfer of sensitive personal data to jurisdictions with different privacy standards.

The fine against Uber serves as a stark reminder to all companies operating in the EU of the need to:

  1. Implement appropriate safeguards when transferring personal data outside the European Economic Area.
  2. Regularly review and update data transfer mechanisms in light of evolving legal frameworks.
  3. Pay particular attention to the handling of sensitive personal information, including location data, identity documents, and any criminal or medical records.
  4. Ensure compliance with GDPR principles across all operations, especially when dealing with cross-border data flows.

As the digital economy continues to grow and data becomes increasingly valuable, cases like this highlight the ongoing tension between global business operations and regional data protection regulations. Companies must navigate these complex waters carefully to avoid similar penalties and maintain the trust of their users and regulatory authorities alike.

Key Facts

  • Fine imposed: €290 million
  • Date of announcement: August 26, 2024
  • Regulatory body: Dutch Data Protection Authority
  • Violation: Improper transfer of European drivers' data to the US
  • Duration of violation: Over 2 years
  • Types of data affected: Account details, taxi licenses, location data, photos, payment details, identity documents, criminal and medical data
  • Uber's 2023 global turnover: Approximately €34.5 billion
  • Number of complainants: Over 170 French drivers
  • Previous fines imposed on Uber by Dutch DPA: €600,000 (2018) and €10 million (2023)