The Dutch Data Protection Authority (DPA) has levied a fine of 290 million euros against Uber, highlighting the severe consequences of inadequate data protection practices. This decision, finalized on July 22, 2024, stems from a cross-border case managed under the One-Stop-Shop (OSS) procedure of the GDPR, with the Netherlands acting as the lead supervisory authority.
The investigation into Uber’s data handling was initiated following complaints from over 170 French Uber drivers, who raised concerns through the Ligue des droits de l’Homme (LDH). These complaints were subsequently forwarded to the Dutch DPA, the primary supervisory body for Uber in Europe. The core issue revolved around Uber’s collection and transfer of European drivers’ sensitive personal data to servers located in the United States.
The data in question included a wide array of sensitive information, ranging from account details and taxi licenses to more private data such as location information, photographs, payment details, identity documents, and in some instances, even criminal and medical records. For a period exceeding two years, Uber transferred this extensive dataset to its US headquarters without employing appropriate data transfer mechanisms. This lack of adequate safeguards meant that the personal data of European drivers was not sufficiently protected under GDPR standards.
The Dutch DPA emphasized that following the Court of Justice of the EU’s invalidation of the Privacy Shield in 2020, the legal landscape for international data transfers shifted dramatically. While Standard Contractual Clauses (SCCs) remained a viable tool for data transfers outside the EU, their validity hinged on ensuring an equivalent level of data protection in practice within the recipient country. The DPA found that Uber’s failure to utilize SCCs after August 2021 meant that EU drivers’ data was exposed to unacceptable risks. Although Uber has since adopted the Privacy Shield’s successor framework, the period of non-compliance resulted in substantial repercussions.
Consequently, the Dutch DPA imposed an administrative fine of 290 million euros on Uber. This penalty underscores the financial implications for companies failing to uphold GDPR’s stringent data protection requirements, particularly concerning international data transfers. This case serves as a critical reminder for businesses operating globally about the necessity of robust and compliant data transfer mechanisms to protect individuals’ personal information and avoid substantial penalties.
Disclaimer: This news is based on information published by the Dutch Supervisory Authority and is for informational purposes only; it is not an official EDPB communication.