Uber Fined €290 Million by Dutch DPA for GDPR Violations in Data Transfers

The Dutch Data Protection Authority (DPA) has imposed a record €290 million ($324 million) fine on Uber for allegedly failing to comply with European Union (E.U.) data protection standards when transferring sensitive driver data to the United States.

"The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (U.S.) and failed to appropriately safeguard the data with regard to these transfers," the agency stated.

The data protection watchdog labeled the action a "serious" violation of the General Data Protection Regulation (GDPR). In response to the ruling, Uber, which provides ride-hailing, courier, and food delivery services, has ceased the data transfer practice in question.

Nature of Data Involved

Uber is believed to have collected sensitive information from drivers and stored it on U.S.-based servers for over two years. This data included account details, taxi licenses, location data, photos, payment details, and identity documents. In certain instances, the data also contained criminal and medical records of the drivers.

The DPA accused Uber of conducting these data transfers without using appropriate mechanisms, particularly after the E.U. invalidated the E.U.-U.S. Privacy Shield in 2020. A replacement framework, known as the E.U.-U.S. Data Privacy Framework, was announced in July 2023.

"Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the E.U. were insufficiently protected, according to the Dutch DPA," the agency noted. "Since the end of last year, Uber uses the successor to the Privacy Shield."

Uber's Response

Uber, in a statement shared with Bloomberg, called the fine "completely unjustified" and expressed its intention to contest the ruling. The company claimed that its cross-border data transfer processes complied with the GDPR.

Previous Penalties and Issues

Earlier this year, Uber was fined €10 million by the DPA for not disclosing full details about its data retention periods for European drivers and the non-European countries with which this data was shared.

"Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data," the DPA remarked in January 2024.

Additionally, the DPA criticized Uber for not specifying in its privacy terms and conditions how long it retains drivers' personal data or detailing the specific security measures implemented when transferring this information to entities outside the European Economic Area (EEA).

Broader Context

This case is part of a broader trend of E.U. data protection authorities scrutinizing U.S. companies over inadequate privacy protections for E.U. data transferred to the U.S., especially concerning potential exposure to U.S. surveillance programs.

In 2022, regulators in Austria and France determined that the transatlantic transfer of Google Analytics data violated the GDPR.

"Think of governments that can tap data on a large scale," said DPA chairman Aleid Wolfsen. "That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union."

 

Reference: www.thehackernews.com
