Uber hit with €290m fine for storing European driver data in the US
The fine marks the latest imposed on Uber by the Dutch data protection authority


Uber has been fined €290 million by the Dutch data protection authority for transferring the personal data of European drivers to the US without appropriate safeguards.
According to the Dutch DPA, the transfers - which Uber has now halted - were a serious violation of the EU's General Data Protection Regulation (GDPR).
"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe," said Dutch DPA chairman Aleid Wolfsen.
"Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."
The investigation was prompted by complaints from more than 170 French drivers to the French human rights interest group the Ligue des droits de l’Homme (LDH), which subsequently submitted a complaint to the French DPA.
However, Uber's European headquarters is based in the Netherlands, making the Dutch DPA the official supervisory authority.
The Dutch DPA found Uber collected sensitive information of drivers from Europe and retained it on servers in the US. The data included account details and taxi licenses, as well as location data, photos, payment details, identity documents, and in some cases even the criminal and medical data of drivers.
The transfers continued for more than two years.
There are, or have been, various ways to make US data transfers without breaching the GDPR. However, the European Court of Justice invalidated the EU-US Privacy Shield in 2020, and Uber stopped using the alternative of Standard Contractual Clauses in August 2021. It has since switched to using the successor to the Privacy Shield.
The Computer & Communications Industry Association (CCIA Europe) said Uber was put in a difficult situation by the EU's decision to invalidate Privacy Shield back in 2020. This move, it said, left European and American companies without any clear guidelines for transatlantic data flows for a period of nearly three years.
Meanwhile, the Commission ruled out the use of Standard Contractual Clauses for non-EU companies already subject to European data protection rules, leaving companies without any straightforward mechanism to move EU data to servers in the US.
"The fact that the Dutch Data Protection Authority today decided to issue a massive fine to a tech company for EU-US data flows that happened back in 2021 ignores reality. The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows," said CCIA Europe’s head of policy, Alexandre Roure.
"Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework."
This is the third fine imposed on Uber by the Dutch DPA, which hit the company with a €600,000 penalty in 2018 and another for €10 million in 2023. Uber has objected to this latest fine.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.