Uber to Appeal Dutch €290 Million GDPR Fine


The Dutch Data Protection Authority announced on Monday that it has imposed a fine of €290 million ($320 million) on Uber over its alleged failure to protect drivers’ personal information in EU-US data transfers. 

The ride-hailing giant strongly refutes the decision and plans to file an appeal. The appeal process can take up to four years, and during this time the fine will be suspended.

“This flawed decision and extraordinary fine are completely unjustified,” an Uber spokesperson told SecurityWeek. “Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”

According to the Data Protection Authority (DPA) in the Netherlands, Uber failed to appropriately protect European drivers’ data when transferring it to the United States, which it described as a “serious violation” of the EU’s General Data Protection Regulation (GDPR). 

The data protection watchdog says Uber collects information such as taxi licenses, location data, photos, identity documents, payment details, and even criminal and medical data. However, Uber transferred the data to its US headquarters over a period of more than two years without using the proper tools to ensure that it’s safeguarded, according to the DPA.

The fine on Uber is related to a complaint filed in 2021 by French drivers. The complaint was filed in France, but the Dutch DPA became involved in the investigation because Uber’s European headquarters are in the Netherlands.

The problem, highlighted by Uber and others, is that since the complaint was filed, there had been significant uncertainty regarding data transfers between the European Union and the United States, mainly due to the EU declaring the Privacy Shield — the framework that had regulated US-EU personal data transfers — invalid in July 2020 in a case known as Schrems II.

A replacement for Privacy Shield was only announced in July 2023, when the EU signed off on a new agreement, the EU-US Data Privacy Framework.

Uber claims that even during the period when Privacy Shield was no longer in force it continued to safeguard driver data in accordance with GDPR. In addition, the ride-hailing giant claims it reached out to the Dutch data protection watchdog in 2021 to ensure that it was GDPR-compliant in terms of European user data transfers, and it did not receive any indication that it had not been compliant. Uber also says it has not been required to make any changes to its data transfer process following the adoption of the Data Privacy Framework last year.

It’s worth pointing out that data transfers between users, between the company and users, and between different countries are fundamental and inherent to Uber services, which are available worldwide and which can be used by customers wherever they travel.

Uber is backed by several organizations in this matter, including the Computer & Communications Industry Association (CCIA Europe), which told SecurityWeek in a statement, “If data protection authorities now suddenly start to retroactively fine companies for data transfers during the post-Schrems II period, they would effectively make the way the entire internet worked for almost three years illegal. That means great legal uncertainty for anything that happened online between the EU and US from 2020 to 2023, ranging from video conferencing during COVID to the processing of online payments.”

This is not the first time the Dutch DPA has imposed a fine on Uber. In 2018, it issued a fine of $1.2 million (alongside the British Information Commissioner’s Office), and earlier this year it announced a $10.8 million fine for lack of transparency in treating the personal information of drivers. The $10 million fine has been contested by Uber.
