The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has imposed a fine of 290 million euros on the ride-hailing service Uber. The reason for the fine: inadequate protection of personal data of European cab drivers that was transferred to Uber's US headquarters.
French Uber drivers file a complaint
The investigation by the data protection authority followed complaints from more than 170 French Uber drivers. They had complained to the French human rights organization Ligue des droits de l'Homme (LDH) about Uber's data protection practices. The LDH then filed a complaint with the French data protection authority. As Uber's European headquarters are located in the Netherlands, the Dutch data protection authority was responsible for the investigation.
Among other things, Uber had collected sensitive information such as account and driver's license data, location data, photos, payment information, identification documents and, in some cases, criminal and medical data from drivers in Europe and stored it on servers in the USA.
The transfer of this sensitive data took place over a period of more than two years. No necessary protective measures prescribed by the GDPR were implemented.
The data protection authority classifies Uber's breach as serious.
Reading tip: The five highest fines in July 2024
Uber does not use standard contractual clauses
These transfers were carried out without the use of standard contractual clauses (SCCs) or other appropriate instruments required under the GDPR.
The EU-US Privacy Shield, which previously served as the legal basis for data transfers to the USA, was declared invalid by the European Court of Justice (ECJ) in the Schrems II ruling in 2020. The ECJ clarified that companies must guarantee an equivalent level of protection when transferring personal data to countries outside the EU.
However, Uber had refrained from using these standard contractual clauses since August 2021. According to the AP, this meant that the data of EU drivers was not sufficiently protected. Uber only started using standard contractual clauses at the end of last year.
Third fine against Uber for GDPR violations
This is the third fine that the AP has imposed on Uber. Previously, the company was fined €600,000 in 2018 and €10 million in 2023.
The current fine against Uber of 290 million euros is based on the company's annual global turnover. With a global turnover of 34.5 billion euros in 2023, the fine for Uber could amount to up to 4 percent of this sum.
"In Europe, the GDPR protects people's fundamental rights by obliging companies and governments to handle personal data with care. But outside Europe, this is unfortunately not a matter of course," says AP Chairman Aleid Wolfsen.
"Therefore, companies are usually obliged to take additional measures when they store personal data of Europeans outside the European Union. Uber has not guaranteed the level of protection for drivers required by the GDPR when transferring data to the USA. This is very worrying," says the Netherlands' top data protection official, summarizing the supervisory authority's decision.
Uber itself has announced that it will appeal against the current fine.
Source: Fines imposed on Uber by the Autoriteit Persoonsgegevens