The Dutch data protection watchdog fined Uber on 26 August for a "serious violation" of the GDPR requirements by transferring the data of European drivers to servers in the United States.
The Regulator’s Decision
The Dutch Data Protection Authority (DPA) issued a €290 million (roughly $324 million) penalty for a breach of the EU’s General Data Protection Regulation (GDPR). DPA said Uber collected sensitive information of European drivers, including taxi licenses, identity documents, photos, exact geo-location information, payment details, "and in some cases even criminal and medical data of drivers."
According to the DPA, Uber violated the GDPR rules by transferring sensitive information to the US and failed to safeguard the data appropriately. Over two years the information was transferred to Uber's US headquarters without adequate protection or encrypting of the users’ information.
The investigation was initiated after a French human rights organization filed a complaint on behalf of more than 170 French taxi drivers with France’s data protection authority, CNIL. Since Uber has its European headquarters in the Netherlands, the complaint was forwarded to the Dutch Data Protection Authority. CNIL said that it had cooperated with the DPA.
Uber can appeal the decision with the DPA. If unsuccessful, it can then file a case with the Dutch courts. The appeals process is expected to take around four years. According to the DPA, any fines are suspended until the final decision is reached.
It's the third fine by the DPA against Uber in the Netherlands. Uber also received penalties of €600,000 in 2018 and €10 million last year for its failure to disclose how long it retained data from drivers or to name non-EU countries it shared the data with.
The Response from Uber
The DPA informed that Uber has stopped this practice.
Uber believes it did nothing wrong and is planning to appeal the fine.
"This flawed decision and extraordinary fine are completely unjustified," a representative of Uber said. Uber spokesperson Caspar Nixon added that "Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S."
The Computer & Communications Industry Association, an advocacy organization for tech companies, noted that the fine ignored the realities of online business after the 2020 EU court ruling, when there were no regulation for the cross-border data transfer.
The association’s European head of policy added that “Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in the absence of any clear legal framework.”
Read more about how to comply with the EU – US Data Privacy Framework.
Frequently Asked Questions
Why was Uber fined by the Dutch Data Protection Authority?
The Dutch Data Protection Authority (DPA) issued a €290 million penalty for a breach of the EU’s GDPR. DPA said Uber collected sensitive information of European drivers, including taxi licenses, identity documents, photos, exact geo-location information, payment details, "and in some cases even criminal and medical data of drivers", transferred it to the US and failed to safeguard the data appropriately. Use CookieScript CMP to comply with the GDPR, the EU – US Data Privacy Framework, and avoid penalties.
What are the fines Uber received for breaches of the GDPR?
On 26 August 2024, the Dutch Data Protection Authority (DPA) issued a €290 million penalty for a breach of the GDPR regarding data transfer to the US. Uber also received penalties of €600,000 in 2018 and €10 million last year for its failure to disclose how long it retained data from drivers or to name non-EU countries it shared the data with. Use CookieScript CMP to comply with the GDPR, the EU – US Data Privacy Framework, and avoid penalties.