Fine against Uber for failing to guarantee the data protection of its drivers
Case Context
In recent years, VTC (ride-hailing) platforms have revolutionized the way people move around cities. However, this revolution has also brought about a series of regulatory challenges and data protection issues.
Recently, Uber has been involved in a controversy that has resulted in a multi-million euro penalty. The Dutch Data Protection Authority (DPA) has imposed a €290 million fine on the company for violating its drivers’ privacy. This is one of the highest penalties issued since the General Data Protection Regulation (GDPR) came into effect in 2018.
With this new sanction, Uber has now accumulated three fines from the Dutch DPA; the two earlier ones were €600,000 in 2018 and €10 million in 2023.
Following an exhaustive investigation, the authority discovered that the company was collecting sensitive information from drivers located within the European Union and storing it on servers in the United States. This information included taxi accounts and licenses, but also location data, photos, payment information, identity documents, and, in some cases, medical and criminal records of the drivers.
Aleid Wolfsen, president of the DPA, pointed out that the violation of the VTC drivers’ privacy occurred over two years before the company implemented protective measures.
European legislation, especially the GDPR, sets out a strict regulatory framework to ensure the security and privacy of personal data. This regulation prohibits the transfer of personal data to countries outside the European Union that do not offer an equivalent level of data protection.
Uber’s Violation
The investigation revealed that Uber failed to implement the necessary technical and organizational measures to protect its drivers’ data and did not transparently inform them about the transfer of their data to a third country.
These actions by the company resulted in a violation of Article 44 of the GDPR regarding the general principle of transfers, which states that “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”
The period between 2020 and 2023 was characterized by a complex legal situation regarding data transfers between Europe and the United States. The GDPR imposed severe restrictions, allowing only those transfers that met very specific requirements, such as the existence of the Privacy Shield or the use of standard contractual clauses.
For its part, the United States argued that its intelligence services should have the right to access and view the data of EU citizens. However, the European Court of Justice ruled that in such a case, the Privacy Shield would not provide sufficient protection for sensitive data.
It was not until 2023 that a new legal framework was established to address this situation. However, by then, the violation had already occurred.
The fine imposed on Uber not only represents a financial blow to the company but also calls into question its commitment to protecting the personal data of its users and collaborators. Following the announcement of the sanction, Uber issued a statement expressing its disagreement with the authorities’ decision, though it also acknowledged that the protection of personal data is a priority and pledged to improve its security protocols.
However, for many critics, this case is yet another example of how large tech companies prioritize growth and innovation at the expense of the privacy and security of their users. Driver associations, for their part, have welcomed the sanction, arguing that it is a necessary step to ensure that platforms respect workers’ rights and take their responsibility for data protection seriously.
IP/IT Lawyer