Uber Faces $323.7 Million Fine from Dutch Privacy Regulator

Why Trust Techopedia
Key Takeaways

  • Uber has been fined 290 million euros by the Dutch Data Protection Authority (DPA).
  • The fine is for breach of the GDPR.
  • Uber is accused of transferring personal data from European taxi drivers to the United States without safeguarding the data.

The DPA is fining Uber 290 million euros ($323.7 million) for a GDPR breach which saw the ride hailing company fail to use transfer tools when sending European taxi drivers’ personal data to the US.

This personal data included account details, taxi license information, location data, photos, ID documents, payment details and drivers’ criminal and medical data.

The Dutch DPA began its investigation following over 170 complaints from French drivers to a French human rights group, which complained to the French DPA. 

Under GDPR, any company processing data across multiple EU member states must deal with the DPA in the country where their business has its main base. In Uber’s case, its EU headquarters are in the Netherlands, leaving the Dutch DPA to investigate the complaint and impose a fine.

Uber Failed to Protect Drivers’ Data During Transfer

Drivers’ data was transferred over a two year-plus period to Uber’s US headquarters, but as no transfer tool was used, the data wasn’t  adequately protected. 

Though the EU to US Privacy Shield was invalidated in 2020, there are Standard Contractual Clauses which could still form a valid basis for data transfers to countries outwith the EU. Anyone doing so must guarantee an equivalent level of protection.

From August 2021, Uber failed to use Standard Contractual Clauses, with the Dutch DPA determining this led to a compromise of drivers’ data. From the end of 2023, Uber started using the Privacy Shield’s successor to protect data transfers.

Fines for GDPR breaches of this nature are 4% of a company’s worldwide annual turnover. Uber’s worldwide turnover in 2023 was around 34.5 billion euros. 

Uber has stated that it plans to contest the fine.

The Dutch DPA has already fined Uber twice, most recently for 10 million euros in 2023 for infringing privacy regulations. Uber is also objecting to this fine.