The Dutch Data Protection Authority (DPA) has issued a staggering fine of 290 million euros on the popular ride-hailing company Uber for its failure to implement adequate safeguards in transferring the personal data of European taxi drivers to the United States. This recent penalty marks the third instance where the Dutch DPA has taken regulatory action against Uber.
In a detailed report by the Dutch DPA, it was revealed that Uber had been collecting and retaining sensitive information of drivers from Europe, ranging from account details to taxi licenses, location data, photos, payment information, identity documents, and in certain cases, even criminal and medical records. Over a span of two years, Uber proceeded to transfer this data to its headquarters in the United States without utilizing the necessary data transfer mechanisms to ensure an equivalent level of protection as mandated by the European Union’s General Data Protection Regulation (GDPR).
Chairman of the Dutch DPA, Aleid Wolfsen, emphasized the importance of safeguarding personal data, stating that the GDPR in Europe exists to protect the fundamental rights of individuals. He highlighted the significance of additional measures for storing personal data of Europeans outside the EU, given potential risks such as government surveillance. Uber’s failure to meet GDPR requirements for data protection during transfers to the US was deemed a serious violation by the Dutch DPA.
This enforcement action comes amidst a series of prominent data privacy rulings in Europe, including the annulment of the EU-U.S. Privacy Shield by the Court of Justice of the EU in 2020. While Standard Contractual Clauses remain a valid avenue for data transfers, the court stressed the need for an equivalent level of protection to uphold privacy standards, which Uber was found lacking in its practices.
The investigation into Uber’s data handling practices was initiated following complaints from over 170 French drivers, who raised concerns about the company’s data transfers to the US. The fine imposed on Uber amounts to 4% of its global annual turnover in 2023 and marks the third penalty issued by the Dutch DPA, following previous fines of €600,000 in 2018 and €10 million in 2023, both of which Uber has contested.
In response to the latest 290 million euro fine, Uber has expressed its intention to challenge the decision, setting the stage for further developments in this ongoing regulatory dispute. The case remains unresolved as both parties navigate the legal ramifications of the Dutch DPA’s stringent enforcement action.