Uber, the global ride-hailing giant, has been fined €290 million by the Dutch Data Protection Authority (DPA) for improper transfers of personal data from European drivers to the United States without sufficient safeguards.
This substantial fine, equivalent to approximately $324 million, follows a comprehensive investigation triggered by complaints from over 170 French Uber drivers, which were referred to the Dutch DPA by a French human rights group.
The investigation revealed that Uber transferred sensitive information, including location data, payment details, and even criminal and medical records, over a period of more than two years. These transfers lacked the protections mandated by the General Data Protection Regulation (GDPR), violating Article 44, which requires that personal data transferred outside the European Union receive an equivalent level of protection.
“Uber did not meet the GDPR requirements to ensure the level of protection to the data with regard to transfers to the US. That is very serious,” Dutch DPA chairman Aleid Wolfsen said in a statement.
The breach occurred after the invalidation of the EU-U.S. Privacy Shield in 2020, a framework that previously governed data transfers between the two regions. Despite the change, Uber failed to implement standard contractual clauses or other appropriate safeguards, resulting in inadequate protection of the data.
According to the Dutch authorities, Uber continued these improper transfers from August 2021 until November 2023, when the company finally complied with the new Data Privacy Framework.
In response to the fine, Uber has criticised the decision and plans to appeal, asserting that their cross-border data transfer processes were compliant with GDPR.
“Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail,” Uber stated.
Despite Uber’s defence, the hefty fine underscores the stringent expectations surrounding data privacy in the European Union and the severe consequences for global corporations that fail to meet these standards. This case also highlights the broader implications for multinational companies operating within the EU, especially concerning strict GDPR requirements.
Under GDPR regulations, companies processing data across multiple EU member states are required to engage with the data protection authority of the country where their main office is located. For Uber, whose European headquarters are in the Netherlands, the Dutch DPA has jurisdiction.
As companies like Uber handle vast amounts of personal data, they face increasing scrutiny to ensure compliance with data protection laws, particularly in the evolving post-Privacy Shield environment.
“In Europe, the GDPR protects the fundamental rights of people by requiring businesses and governments to handle personal data with due care,” Wolfsen stated. “But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”
This fine marks one of the largest penalties imposed under GDPR and represents the third major fine against Uber, following penalties of €600,000 in 2018 and €10 million last year. The decision sets a significant precedent for future enforcement actions, especially regarding data transfers to countries outside the EU.