Dutch Data Protection Authority fines Uber €10M over privacy regulations infringement

|

|

Last update:

The Dutch Data Protection Authority (AP) is fining the US-based ride-hailing company Uber €10M for not fully disclosing data retention details of European drivers and not revealing non-European countries with whom the data is shared. 

The DPA also noted Uber’s obstruction of drivers’ right to privacy.

AP chairman Aleid Wolfsen says, “Drivers have the right to know how Uber handles their personal data. However, Uber did not explain this with sufficient clarity. It should have informed its drivers better and more diligently in this regard.”

“Transparency is a fundamental part of protecting personal data. If you don’t know how your personal data is being handled, you can’t determine whether you are being put at a disadvantage or treated unfairly. And you can’t stand up for your rights,” adds Wolfsen.

Uber’s criticism from DPA

The DPA discovered that Uber made it difficult for drivers to access their personal data. The access request form was buried in the app, spread across menus, and could have been placed more logically. 

Uber’s handling of requests resulted in unclear organisation of personal data, complicating interpretation.

In addition, they did not specify in their privacy terms and conditions how long Uber retains its drivers’ personal data or which specific security measures it takes when sending this information to entities in countries outside the EEA. Aleid Wolfsen: 

Additionally, Uber failed to specify in its privacy terms and conditions the duration for which it retains drivers’ personal data and the security measures employed when transmitting this information to entities outside the European Economic Area (EEA). 

Wolfsen says, “This shows that Uber put all sorts of obstacles in place that blocked drivers from exercising their right to privacy, and that is prohibited. In fact, Uber should be facilitating drivers in their rights. This is laid down by law.”

Complaints from France

The DPA imposed the fine following complaints from over 170 French drivers who approached the French human rights organisation Ligue des droits de l’Homme et du citoyen (LDH). 

LDH then filed a complaint with the French data protection authority, which, due to Uber having its European headquarters in the Netherlands, redirected the case to the Dutch Data Protection Authority (DPA).

The DPA calculated the fine by considering the organisation’s size and the severity of the infringements. At the time of the violations, approximately 120,000 drivers were working for Uber in Europe. 

Despite Uber lodging a notice of objection to the DPA’s decision, the authority acknowledged that Uber has since implemented improvement measures to address the infringements.

Brief about the Dutch Data Protection Authority

According to DPA, every individual has the right to the protection of their personal data, a fundamental right that the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) upholds. 

As an independent regulator in the Netherlands, the DPA ensures that all entities adhere to privacy legislation, safeguarding the privacy rights of individuals.

Topics:

Follow us:

Vishal Singh

Vishal Singh is a News Reporter and Social Media Marketing Lead at Silicon Canals. He covers developments in the European startup ecosystem and oversees the publication's social media presence. Before joining Silicon Canals, Vishal gained experience at the Indian digital media outlet Inc42, contributing to its growth with insightful content. Despite being a college dropout, his passion for writing has driven his career in journalism.

Partner eventsMore events

Current Month

02apr(apr 2)8:00 am04(apr 4)6:00 am0100 Europe 2025

Share to...