Uber has been hit with a €290 million fine (£245.5 million, US$323.7 million) by the Dutch DPA. It relates to the transfer of personal data belonging to European Uber drivers to the USA. In addition to transferring data illegally, in the view of the Dutch DPA, Uber also failed to protect that data. While Uber has since stopped transferring data, the DPA ruled its actions constituted a serious violation of GDPR.
Aleid Wolfsen, Chairman of the Dutch DPA said, “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care.
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
What did Uber do, and when?
Uber collects an extensive amount of data on its drivers in the EU. Some of that data drivers would expect to be collected: their names, taxi details, taxi licence, payment details, location data, photos and identity documents.
Uber’s facial recognition system uses data such as photos and identity documents to verify drivers when they log on. However, other data, such as criminal records and medical data, are also collected.
In transferring that data to the US, Uber relied on the Standard Contractual Clauses option in the GDPR. However, an organisation relying on those clauses also has to prove that protection equivalent to the GDPR is in place in the country to which the data is sent.
Uber ceased using the Standard Contractual Clauses in August 2021. That meant that data transfers should have ceased immediately, but they did not. For two years, Uber continued to transfer data until it eventually adopted the Privacy Shield in late 2023. This meant that data transferred during that period was unprotected.
After 170 French drivers complained, the Dutch DPA opened a case against Uber. As Uber is located in the Netherlands, the Dutch DPA is the ruling authority for any GDPR claims against Uber. As a result, this ruling now applies to all EU countries.
Dutch DPA is not applying the maximum fine
The DPA has now fined Uber three times for breaches of the GDPR. In 2018 it was fined €600,000, and in 2023, it was fined €10 million. That latter fine is currently being contested.
Therefore, it comes as no surprise that the Dutch DPA has ratcheted up the fine again. The GDPR allows a DPA to fine an organisation up to 4% of its global turnover. With a global turnover of €34.5 billion in 2023, Uber could have been facing a potential bill of €1.38 billion. Instead, it has been fined less than 1% of its global turnover, which is still a substantial figure.
So far, Uber has not said if it will contest this latest fine. However, it would be surprising if it didn’t look to reduce the fine substantially.
Enterprise Times: What does this mean?
The Dutch DPA is sending an unequivocal message to Uber and other companies, especially big tech. It is making it clear that European DPAs can and will take tough action, especially if they act together.
Its action here will be noted in boardrooms across Europe, especially in Ireland, where a large number of tech companies are headquartered. Those companies are perceived as having a sweetheart relationship with the Irish DPA. This will increase the pressure on the Irish DPA and tech giants like Meta, Twitter, and others, who are currently in the spotlight for how they treat PII.
However, the statement from the Dutch DPA announcing this action contains a dose of irony. Wolfsen talks about GDPR “requiring businesses and governments to handle personal data with due care.” Unfortunately for the EU Parliament, its record on data breaches is poorer than that of most organisations.
Last week noyb launched two actions against the European Parliament for a massive leak of highly sensitive personal data. The cause and source of the leak remain unknown. More importantly, the EU Parliament has refused to delete data from its systems despite requests from people invoking the GDPR Right to be Forgotten clause.
In that case, noyb has asked the European Data Protection Supervisor to issue an appropriate administrative fine. Given the size of the EU budget, how big will that fine be?