The Dutch Data Protection Authority on Monday (26 August) fined Uber €290 million for transferring the personal data of European drivers to the United States without adequate protection for more than two years, in breach of the European Union’s (EU) General Data Protection Regulation (GDPR).
This data included sensitive information such as account details, taxi licenses, location data, photos, payment details, identity documents, criminal records and medical records.
The Dutch authority’s chair, Aleid Wolfsen, said that while the GDPR guarantees strong protection of personal data within the EU, such provisions are not guaranteed outside the bloc.
However, a Commission spokesperson told EURACTIV that all companies operating in the EU are expected to fully comply with EU data protection rules.
The GDPR applies to any company that processes the personal data of EU residents, even if the company is based outside the EU, such as Uber, which is headquartered in the United States. If these data are not effectively protected, offending companies can be fined up to 4% of their global turnover.
Uber has therefore been fined a historic €290 million, or almost 1% of its global turnover, which was €34.5 billion in 2023. This is the third fine imposed on the company by the Dutch authority, following previous fines of €600,000 in 2018 and €10 million in 2023, both of which Uber has contested.
“This is clearly the largest fine ever imposed on Uber in the EU, and in fact the largest fine ever imposed by the Dutch authority,” Maartje de Graaf, a lawyer at the NGO Noyb, the European Centre for Digital Rights, told EURACTIV.
The Dutch authority began investigating Uber in 2021 after more than 170 French drivers contacted the Human Rights League (LDH), which then filed a complaint with the National Commission for Information Technology and Civil Liberties (CNIL). The latter forwarded the complaints to the Dutch agency, which oversees Uber since the US giant’s European headquarters are in the Netherlands.
The Dutch authority collaborated with the CNIL and other European bodies. The fine involved the Norwegian and Swiss supervisory authorities, as well as those of EU countries, with the exception of Bulgaria, Cyprus, Iceland, Latvia, Liechtenstein, Luxembourg and Slovenia.
The Dutch decision “opens a Pandora’s box,” Brahim Ben Ali, a former Uber driver and the leader of the complaint filed by the 170 French Uber drivers, told EURACTIV, arguing that GDPR compliance and data management “are the Achilles heel” of the company.
“The fine could have repercussions for other multinationals that transfer data between the US and the EU,” he added.
Three other complaints filed by the 170 drivers are currently being examined in Amsterdam, including one concerning the automatic disconnection of Uber accounts.
EU-US Privacy Shield Framework
The news of Uber’s GDPR violation also raises questions about the transfer of personal data from the EU to the US.
The Privacy Shield, adopted in 2016, was a framework that allowed companies to transfer personal data from the EU to the US while ensuring its protection.
However, in 2020, the EU’s highest court struck down the Privacy Shield in a ruling known as Schrems II, finding that US laws did not provide the same level of protection as required by EU standards. The ruling is named after activist and lawyer Max Schrems, co-founder of Noyb, who challenged the adequacy of data protection under the Privacy Shield.
Following this decision, in 2023, the EU-US Privacy Shield was replaced by the EU-US Privacy Shield Framework, to provide legal safeguards for companies transferring sensitive data.
However, even before this new framework, companies could use the Standard Contractual Clauses as a legal agreement to protect personal data sent from the EU to third countries that follow EU data protection standards.
Uber stopped using the Standard Contractual Clauses in August 2021, leading to insufficient data protection, the Dutch authority found during its investigation.
Following the fine, Uber issued a statement describing the decision as “wrong” and “completely unjustified”, confirming that it would appeal. The appeal suspends the fine pending a new decision, which could take up to four years.
A spokesperson for the California-based company told EURACTIV that data transfers between the US and the EU remained GDPR-compliant even between 2020 and 2023, after the Privacy Shield had been invalidated.
The adoption of the Privacy Shield Framework in 2023 would not have resulted in any changes to how Uber manages the protection of its drivers’ personal data, the spokesperson added.
This article was originally published on euractiv.fr