Uber Hit with Massive Netherlands Euro Fine for GDPR Violations

The Netherlands’ data protection authority has issued a landmark fine of 290 million euros to Uber, highlighting the stringent enforcement of GDPR within the Eurozone. This penalty stems from an investigation into Uber’s handling of European drivers’ personal data, revealing significant breaches in data transfer protocols.

The case began with complaints from over 170 French Uber drivers to the Ligue des droits de l’Homme (LDH) and was escalated to the Dutch Supervisory Authority (SA), which acts as Uber’s lead supervisory authority in the EU. The investigation uncovered that Uber had been collecting and storing a wide array of sensitive driver information on US-based servers for over two years without adequate transfer mechanisms.

The data in question included highly sensitive details such as account information, taxi licenses, location data, photographs, payment details, identity documents, and, in some instances, even criminal and medical records. Crucially, during this period, Uber failed to employ recognized data transfer tools, leaving the data of its European drivers insufficiently protected under GDPR standards.

The Dutch SA emphasized that the 2020 invalidation of the Privacy Shield by the Court of Justice of the EU underscored the necessity for robust data transfer safeguards. While Standard Contractual Clauses (SCCs) remained a potential solution, the court stipulated that an equivalent level of data protection must be practically guaranteed in recipient countries. The Dutch authority found that Uber’s failure to utilize SCCs after August 2021 left European drivers’ data vulnerable and in violation of GDPR. Although Uber has since adopted the Privacy Shield’s successor, the period of non-compliance resulted in this substantial financial penalty.

This significant 290 million euro fine underscores the Netherlands’ commitment to enforcing GDPR and protecting the personal data of individuals within the European Union. It serves as a stark reminder to multinational corporations operating within the Eurozone that adherence to data protection regulations is not optional and that breaches will be met with significant consequences by European supervisory authorities. The decision highlights the importance of compliant data transfer mechanisms and the ongoing scrutiny of data handling practices by companies processing EU citizens’ data.
