According to the DPA, Uber transferred personal information, including taxi licences, identity documents, photos, payment details, and, in some cases, criminal and medical records, to the US from August 2021 to November 2023. The watchdog emphasised that these transfers did not meet the GDPR’s requirements for data protection outside the EU.
Aleid Wolfsen, Chairman of the DPA, criticised Uber for failing to ensure sufficient data protection, stating, “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data about transfers to the US. That is very serious.”
Investigation and Complaints
The fine follows an investigation initiated by complaints from over 170 French drivers, who approached the Ligue des droits de l’Homme (LDH), a human rights organisation. LDH subsequently filed a complaint with France’s data protection authority, CNIL, which led to the Dutch regulator’s involvement due to Uber’s European headquarters being in the Netherlands.
Uber’s Response
Uber has announced its intention to appeal the fine, describing the decision as “flawed” and “unjustified.” An Uber spokesperson argued that the company’s data transfer process complied with GDPR during significant uncertainty between the EU and the US. “This flawed decision and extraordinary fine are completely unjustified,” the spokesperson stated.
Previous Penalties
This recent fine marks the third time Uber has faced a significant penalty from the Dutch DPA. The company was fined €600,000 in 2018 for failing to report a data breach and €10 million earlier this year for further privacy violations.
Conclusion
The substantial fine reflects the EU’s stringent approach to data protection and the importance of adhering to GDPR standards. As Uber prepares to contest the decision, the case highlights ongoing tensions between global tech companies and European data protection regulations.
