Dutch Data Protection Authority fines Uber €290M for this “serious” GDPR violation

The Dutch Data Protection Authority (DPA), on Monday, announced that it has imposed a fine of €290M on Uber.

This is the third fine that the Dutch DPA imposed on Uber.

The Dutch DPA imposed a fine of €600,000 on Uber in 2018, and a fine of €10M  in 2023. Uber has objected to this last fine.

The reason behind the fine

The announcement comes as the Dutch DPA found that Uber transferred the personal data of European taxi drivers to the United States (US) for over two years without using any transfer tools and failed to appropriately safeguard the data about these transfers.

As a result, the protection of personal data was not sufficient. The Court of Justice of the EU invalidated the EU-US Privacy Shield in 2020. 

According to the court’s ruling, Standard Contractual Clauses can still be used to transfer data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice.

The Dutch Data Protection Authority (DPA) found that Uber’s use of Standard Contractual Clauses ended in August 2021, resulting in insufficient protection for the data of EU drivers.

Since the end of last year, Uber has used the successor to the Privacy Shield.

The personal data includes account details and taxi licences, location data, photos, payment details, identity documents, and in some cases, even criminal and medical data of drivers, claims the Dutch DPA.

According to the Dutch DPA, this is a serious violation of the General Data Protection Regulation (GDPR). In the meantime, Uber has ended the violation, claims the Dutch DPA.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care”, says Dutch DPA chairman Aleid Wolfsen.

“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection of the data about transfers to the US. That is very serious,” adds Wolfsen.

Complaints from over 170 French drivers

The Dutch DPA started the investigation on Uber after more than 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.

Under the GDPR, businesses that process data in several EU Member States have to deal with one DPA: the authority in the country in which the business has its main establishment. Uber’s European headquarters is based in the Netherlands.

During the investigation, the Dutch DPA closely cooperated with the French DPA and coordinated the decision with other European DPAs.

Calculation behind the fine

All DPAs in Europe calculate fines for businesses in the same way.

The fines can amount to a maximum of 4 per cent of the business’s worldwide annual turnover.

In 2023, Uber had a worldwide turnover of around €34.5B. Uber has indicated its intention to object to the fine.