The Netherlands has issued a significant fine of €290 million to Uber, highlighting the stringent enforcement of GDPR regulations within the European Union. This decision, finalized on July 22, 2024, stems from an investigation into Uber’s data transfer practices and their impact on the privacy of European drivers. The case, processed under the One-Stop-Shop mechanism of the GDPR, underscores the collaborative effort among European Data Protection Authorities (DPAs), with nearly all SAs across the EU, excluding Bulgaria, Cyprus, Iceland, Latvia, Liechtenstein, Luxembourg, and Slovenia, involved in this cross-border decision.
The investigation by the Dutch Supervisory Authority (SA) was initiated following complaints from over 170 French Uber drivers, who raised concerns through the Ligue des droits de l’Homme (LDH). These complaints, initially lodged with the French SA, were subsequently forwarded to the Dutch SA, which served as the Lead Supervisory Authority for Uber in this instance.
Key findings from the Dutch SA revealed that Uber collected a wide array of sensitive data from its European drivers, including account details, taxi licenses, location data, photos, payment information, identity documents, and in some instances, even criminal and medical records. This data was then transferred and stored on Uber’s servers located in the United States. Crucially, for a period exceeding two years, these data transfers occurred without employing appropriate transfer mechanisms as required by GDPR.
The Dutch SA emphasized that following the 2020 Court of Justice of the EU ruling which invalidated the Privacy Shield, and after Uber ceased using Standard Contractual Clauses (SCCs) from August 2021, the data protection for EU drivers became insufficient. While SCCs can provide a valid basis for international data transfers if an equivalent level of protection is guaranteed, the Dutch authority found this was not the case with Uber’s practices during the specified period. Although Uber has adopted the successor to the Privacy Shield more recently, the violations pertained to the preceding period.
Consequently, the Dutch SA imposed a substantial administrative fine of 290 million euros on Uber. This penalty, issued by the Netherlands within the framework of the euro currency zone, serves as a stark reminder of the financial implications for companies failing to adhere to GDPR’s data transfer regulations and highlights the importance of data protection for individuals within the European economic area, particularly when data is transferred outside of the EU. This case underscores the commitment of European regulators, especially within The Netherlands Euro system, to uphold data privacy rights and enforce GDPR across international borders.
