The Dutch Data Protection Authority (DPA) has imposed a massive fine of 290 million euros on ride-hailing giant Uber, after it was found lacking adequate safeguards for the transfer of personal data of European taxi drivers to the United State, marking the third time the Dutch DPA has taken action against Uber.
The company had previously been fined 10 million euros in 2023 and 600,000 euros in 2018 .
Uber’s Violation of GDPR Principles
According to the Dutch DPA, Uber collected and retained sensitive information of drivers from Europe, including account details, taxi licenses, location data, photos, payment details, identity documents, and in some cases, even criminal and medical records. For over two years, Uber then transferred this data to its headquarters in the United States, without using the necessary data transfer tools to ensure an equivalent level of protection as required by the EU’s General Data Protection Regulation (GDPR).
Dutch DPA chairman Aleid Wolfsen stated, “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care.” He added:
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The Dutch DPA’s decision comes against the backdrop of a series of high-profile data privacy rulings in Europe. In 2020, the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield, a framework that had previously allowed for the transfer of personal data between the EU and the U.S.
While the court stated that Standard Contractual Clauses could still provide a valid basis for such data transfers, it stipulated that an equivalent level of protection must be guaranteed in practice to meet its standards.
According to the Dutch DPA, Uber’s data transfer practices fell short of this requirement. The regulator found that from August 2021 onwards, when Uber no longer used Standard Contractual Clauses, the data of EU drivers was “insufficiently protected.” It was only at the end of last year that Uber began using the successor to the invalidated Privacy Shield.
EU Investigation and Uber’s Response
The Dutch DPA’s investigation into Uber’s data practices was prompted by complaints from over 170 French drivers, who had filed a grievance with a French human rights interest group, the Ligue des droits de l’Homme (LDH). The LDH subsequently submitted a complaint to the French DPA, which then worked closely with its Dutch counterpart to coordinate the decision.
The fine imposed on Uber, which amounts to 4% of the company’s worldwide annual turnover in 2023, is the third such penalty levied by the Dutch DPA. The regulator had previously fined Uber €600,000 in 2018 and €10 million in 2023, both of which the company has contested.
Uber has indicated its intent to object to the latest €290 million fine, with the case awaiting further development.
