The Dutch data protection authority Autoriteit Persoonsgegevens (AP) has filed a complaint against the ride-hailing service Uber. Fine in the amount of 290 million euros. The reason for the fine: inadequate protection of personal data of European cab drivers that was transmitted to Uber's US headquarters.
French Uber drivers file a complaint
The investigation by the data protection authority followed complaints from more than 170 French Uber drivers. They had complained to the French human rights organization Ligue des droits de l'Homme (LDH) about Uber's data protection practices. The LDH then filed a Complaint to the French data protection authority. As Uber's European headquarters are located in the Netherlands, the Dutch data protection authority was responsible for the investigation.
Among other things, Uber had sensitive information such as account and driver's license data, location data, Photospayment information, identification documents and, in some cases, criminal and medical data of drivers from Europe are collected and stored on servers in the USA.
This sensitive data was transferred over a period of more than two years. In the process, no necessary protective measures were implemented that could have been prevented by the GDPR are prescribed.
The data protection authority classifies the Infringement of Uber as serious.
Reading tip: The five highest fines in July 2024
Uber does not use standard contractual clauses
These transfers were carried out without the use of Standard contractual clauses (SCCs) or other suitable instruments, which are carried out in accordance with the GDPR are required.
The EU-US Privacy Shieldwhich previously served as the legal basis for data transfer to the USA, was declared invalid by the European Court of Justice (ECJ) in the Schrems II decision in 2020. The ECJ made it clear that companies must comply with the Transmission of personal data to countries outside the EU must guarantee an equivalent level of protection.
However, since August 2021, Uber had refrained from using these Standard contractual clauses waived. According to the AP, this meant that the data of EU drivers was not sufficiently protected. It was only at the end of last year that Uber began using Standard contractual clauses.
Third fine against Uber for GDPR violations
This is already the third Finethat the AP imposed on Uber. The company was previously fined €600,000 in 2018 and €10 million in 2023.
The current Fine against Uber in the amount of 290 million euros is based on the company's global annual turnover. With a global turnover of 34.5 billion euros in 2023, the fine for Uber could amount to up to 4 percent of this sum.
"In Europe, the GDPR It protects people's fundamental rights by obliging companies and governments to handle personal data with care. Unfortunately, this is not a matter of course outside Europe," says AP Chairman Aleid Wolfsen.
"This is why companies are generally obliged to take additional measures if they personal data of Europeans outside the European Union. Uber has done this in the GDPR required level of protection for drivers at the Transmission of data to the USA is not guaranteed. This is very worrying," says the Netherlands' top data protection official, summarizing the decision of the Supervisory authority together.
Uber itself has announced that it will appeal against the current fine.
Source: Fines imposed by the Autoriteit Persoonsgegevens against Uber
German 
English 
Italian 
French