The Dutch DPA is fining Uber 290 million euros ($323.7 million) for a GDPR breach in which the ride-hailing company failed to use transfer tools when sending European taxi drivers’ personal data to the US.
This personal data included account details, taxi license information, location data, photos, ID documents, payment details and drivers’ criminal and medical data.
The Dutch DPA began its investigation following over 170 complaints from French drivers to a French human rights group, which complained to the French DPA.
Under GDPR, any company processing data across multiple EU member states must deal with the DPA in the country where it has its main base. In Uber’s case, its EU headquarters are in the Netherlands, leaving the Dutch DPA to investigate the complaint and impose a fine.
Uber Failed to Protect Drivers’ Data During Transfer
Drivers’ data was transferred to Uber’s US headquarters over a period of more than two years, but because no transfer tool was used, the data wasn’t adequately protected.
Though the EU-US Privacy Shield was invalidated in 2020, Standard Contractual Clauses could still form a valid basis for data transfers to countries outside the EU. Anyone transferring data on that basis must guarantee an equivalent level of protection.
From August 2021, Uber failed to use Standard Contractual Clauses, with the Dutch DPA determining this led to a compromise of drivers’ data. From the end of 2023, Uber started using the Privacy Shield’s successor to protect data transfers.
Fines for GDPR breaches of this nature are 4% of a company’s worldwide annual turnover. Uber’s worldwide turnover in 2023 was around 34.5 billion euros.
Uber has stated that it plans to contest the fine.
The Dutch DPA has already fined Uber twice, most recently for 10 million euros in 2023 for infringing privacy regulations. Uber is also objecting to this fine.