Uber hit with 290 million euro fine for data protection violations
The Dutch Data Protection Authority (DPA) has imposed a substantial fine on the ride-hailing company Uber. The US company allegedly transferred personal data from Europe to the US without legal basis. Now it must pay a fine of 290 million euros, the Dutch DPA announced last week.
According to the Dutch authority, for two years Uber transferred its drivers’ personal data to its headquarters in the US without due protections and without legal basis. The data included drivers’ account information and taxi licenses as well as “location data, photos, payment details, identity documents, and in some cases even criminal and medical data.”
Uber’s actions violated Article 44 of the General Data Protection Regulation (GDPR). “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
Uber sees the root of the problem in a 2020 decision by the European Court of Justice (Schrems II) that declared the EU-US Privacy Shield agreement invalid – and led to “immense uncertainty between the EU and US,” a spokesperson for the company said. The Dutch DPA meanwhile argues that in transferring the data Uber should have used standard contractual clauses to provide a level of data protection comparable to that in the EU.
According to the Dutch authority, Uber has since stopped the practices that violated the GDPR; the company’s data transfers are now conducted on an appropriate basis.
Drivers sought help
The Dutch DPA’s investigation was prompted by complaints from more than 170 Uber drivers in France. The drivers had sought help from the Ligue des droits de l’Homme (LDH), a French human rights organization, which in turn lodged a complaint with the French data protection authority. The French authority forwarded the complaint to its counterpart agency in the Netherlands.
Uber processes data from various EU member states, but its European headquarters are in Amsterdam. This gives the Dutch DPA jurisdiction under the GDPR. The Dutch authority worked closely with its French counterpart and consulted other European data protection authorities as well.
No agreement on Uber’s side
A spokesperson for Uber called the Dutch DPA’s decision “flawed” and said the fine was “completely unjustified.” Said the spokesperson: “We will appeal and remain confident that common sense will prevail.”
This is now the third fine that the Dutch authority has imposed on the company. In 2018 the Dutch DPA fined the company 600,000 euros, and in 2023 10 million euros. The company appealed the latter penalty. In the 2023 case, the Dutch DPA determined that Uber did not respond fast enough to its drivers inquiries concerning their data and provided incomplete information in its privacy policy about how the company transfers data to the US.
The Ligue des droits de l’Homme cheered this latest fine imposed by the Dutch authority. Its extraordinary scale was appropriate, given the gravity of the violation, the organization said in a statement. The LDH announced that it would be filing a joint complaint with the INV-FO union against Uber to demand compensation for the 40,000-50,000 drivers in France affected by the company’s actions. (hcz)