
Uber objects to Dutch DPA’s third and largest fine for transferring data to US


The Dutch Data Protection Authority (DPA) has imposed a hefty fine on Uber due to a series of serious breaches of the General Data Protection Regulation (GDPR). 

Reasons for the sanction

The investigation conducted by the DPA revealed that the technology company had collected and transferred a wide range of personal data of European drivers to its servers located in the United States, without ensuring adequate security measures to protect such information.

Among the personal data collected were:

  • Account information: usernames, passwords and contact details.
  • Cab licenses: licenses and authorizations required to operate as a driver.
  • Location data: real-time information about the driver’s location.
  • Photographs: images of the driver and his vehicle.
  • Payment data: information related to transactions made through the platform.
  • Identity documents: copies of official documents such as ID card or passport.
  • Sensitive data: in some cases, sensitive information such as criminal records and medical data has been collected.

 

The transfer of this data to the United States took place for more than two years, without Uber implementing adequate data transfer tools, such as standard contractual clauses, which guarantee a level of protection equivalent to that set out in the GDPR. This situation was further aggravated following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union in 2020.

Non-Compliance and Regulation

Uber’s conduct represents a clear violation of the GDPR, which establishes a stringent legal framework for the protection of personal data in the European Union. By transferring personal data to a third country without adequate safeguards, Uber exposed drivers to a significant risk of violation of their fundamental rights.

The Dutch DPA initiated this investigation following complaints filed by more than 170 French drivers, demonstrating widespread concern among those affected. Cooperation between the data protection authorities of different European countries has been instrumental in coordinating this action and ensuring an effective response to Uber’s irregular practices.

The fine imposed on Uber is one of the highest ever recorded in the context of the GDPR, reflecting the seriousness of the infringements committed. This financial penalty is intended to deter other companies from engaging in similar practices and to serve as a reminder of the importance of complying with data protection regulations.

The main violations committed by Uber, according to the Dutch DPA, focus on three key points: 

  1. First, the company unlawfully transferred personal data of European drivers to servers located in the United States, without ensuring the security and data protection measures required by the GDPR. 
  2. Second, Uber failed to provide drivers with transparent and complete information on how their data was used, to whom it was communicated and what rights they had. 
  3. Finally, the company failed to implement the necessary security measures to protect drivers’ personal data against possible breaches or unauthorized access, thus exposing those affected to significant risks.

Other sanctions against Uber

It is important to note that this is not the first time Uber has been sanctioned by the Dutch DPA. Previous fines, imposed in 2018 and 2023, evidence a pattern of non-compliance by the company, calling into question its commitment to protecting its users’ data.

Uber has received several sanctions from the Dutch Data Protection Authority (DPA) prior to the €290 million fine imposed in 2024. These previous sanctions demonstrate a pattern of non-compliance by the company in relation to the data protection of its drivers.

  • 2018: €600,000 fine. The first sanction imposed by the DPA on Uber occurred in 2018. This fine was due to violations related to data processing transparency and failure to adequately inform drivers about how their personal data was used.
  • 2023: €10 million fine. In 2023, Uber received a second fine, this time of €10 million. This penalty was due to similar violations as in 2018, but on a larger scale.

 

The repeated penalties against Uber suggest that the company has not taken the necessary steps to correct the deficiencies identified in the previous inspections. Despite the fines and warnings, Uber has continued to fail to comply with the GDPR when it comes to protecting its drivers’ data.
