Dutch regulator fines Uber €290m for GDPR breaches
Uber has been fined €290m by the Dutch data protection regulator Autoriteit Persoonsgegevens (AP) after it found the tech firm transferred personal data of European taxi drivers to the US in breach of the GDPR.
AP said this was a “serious violation” and also found that Uber failed to put in place appropriate safeguards when the data was transferred.
Uber was found to have collected data on its drivers in European countries and held the information on servers at its US headquarters for more than two years. Data ranged from account details and licences to location data, photos, payment details, ID and, in some cases, criminal and medical records.
The investigation was launched after complaints from Uber drivers in France and was led by AP because the company’s European headquarters are in the Netherlands. The latest fine is the third that the Dutch authority has levied against Uber.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” said Dutch DPA chairman Aleid Wolfsen. “But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The Court of Justice of the EU invalidated the EU-US Privacy Shield in 2020, following the Schrems II ruling, which AP said allowed for standard contractual clauses to provide a valid basis for transferring data to countries outside Europe if an equivalent level of protection is in place. Uber ceased to use standard contractual clauses in August 2021, leaving the drivers’ data insufficiently protected, AP said.
Uber has since ended the practices at issue. The company started using Privacy Shield’s successor when it was introduced at the end of last year.
Uber has indicated that it intends to object to the fine, AP said. The regulator explained that the level of fine was calculated using Uber’s annual worldwide turnover as defined under GDPR.
The Computer & Communications Industry Association said that during the intervening period between the Schrems ruling and the new EU-US framework, “non-EU companies already subject to the GDPR had virtually no legal basis to move data to the US”.
“European and American companies were left without any clear guidelines for transatlantic data flows for a period of nearly three years,” it added.