Massive fine for Uber of EUR 290 million

Ius Laboris
Contact
LinkedIn
Facebook
X
Send
Embed

Ius Laboris

[author: Philip Nabben]*

On 26 August the Dutch Data Protection Authority (DPA) fined Uber EUR 290 million for a breach of the General Data Protection Regulation (GDPR). Following a number of complaints from French Uber drivers, the DPA found that Uber transferred personal data relating to European drivers to the US without adequately protecting those data in doing so. The DPA marked this ‘a serious violation of the GDPR’.
 

The reason the Dutch DPA is responsible for the investigation is because Uber’s European headquarters is in the Netherlands. The Dutch DPA worked closely with CNIL, the French DPA, and coordinated the fine decision also with other European data privacy regulators.

Among other things, Uber collected sensitive information from drivers in Europe and stored it on servers in the US. These data included not only account information, licences and location data, but also pictures, payment information, ID copies and in some cases even criminal and health-related data from drivers – which are extra heavily protected under the GDPR.

Uber had been transferring these types of data to the Headquarters of Uber in San Fransico for over two years without using the EU Model Standard Contractual Clauses (SCCs) for transferring the data – and also without the drivers’ explicit consent. As a result, the protection of their personal data was not sufficiently guaranteed.

Instead of using the SCCs, the Uber in the US had been using the successor to the so-called ‘Privacy Shield’ since 2023 (in other words, the previous regime for transferring data to the US – a regime that has since been held to be insufficient), claiming this was enough. The Dutch DPA ruled against this.

The fine is the third one to be imposed by the Dutch DPA on Uber (in 2018 Uber was fined for EUR 600,000 and in 2023 EUR 10 million. The fine of EUR 290 million is by far the biggest fine imposed by the Dutch DPA in its history.

The chairman of the Dutch DPA stated:

“In Europe, the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care. But outside Europe, unfortunately, this is not self-evident, considering that there are governments that can intercept personal data on a large scale. This is why companies are obliged to take extra measures if they store personal data of Europeans outside the European Union. Uber has not ensured the level of protection required in the GDPR for drivers when transferring data to the US. This is very serious.”

Uber has announced that it will appeal against the fine.

*Bronsgeest Deur Advocaten

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ius Laboris

Written by:

Ius Laboris
Ius Laboris
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Ius Laboris on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide