The following case proves that data transfer to the USA still requires special attention despite the EU-U.S. Data Privacy Framework.
The Dutch Data Protection Authority (DPA) has fined Uber 290 million euros. The background to this is the transfer of personal data of European taxi drivers to the USA without taking appropriate protective measures. The authority considers this to be a serious breach of the General Data Protection Regulation (GDPR). Uber has since put an end to this offence.
According to the chairman of the Dutch Data Protection Authority, companies must continue to take additional protective measures when storing data of EU citizens outside the EU.
Handling of sensitive driver data
The Dutch Data Protection Authority found that Uber stored sensitive information of drivers from Europe, including account data, taxi licences, location data, photos, payment information, identification documents and, in some cases, criminal and medical data, on servers in the US. Over a period of more than two years, this data was transferred to Uber's US headquarters without adequate transfer mechanisms in place, which significantly jeopardised the protection of the data.
In 2020, the European Court of Justice declared the EU-US Privacy Shield invalid.Standard contractual clauses can still be a legal basis for data transfers to third countries, but only if an equivalent level of protection is guaranteed in practice. However, from August 2021, Uber decided not to apply these clauses, which in the view of the Dutch Data Protection Authority led to insufficient protection of European drivers' data. Since the end of 2023, Uber has been using the successor to the Privacy Shield, the EU-U.S. Data Privacy Framework.
Background to the investigation
The investigation into Uber was launched after more than 170 French drivers lodged complaints with the Ligue des droits de l'Homme (LDH), which forwarded them to the French data protection authority. As Uber operates in several EU countries, the Dutch data protection authority was responsible, as Uber's European headquarters are located in the Netherlands. During the investigation, the Dutch authority worked closely with its French counterpart and coordinated its decision with other European data protection authorities.
Penalty and consequences
The fine of 290 million euros was imposed in accordance with the standardised European calculation methods, which provide for a maximum fine of up to 4% of a company's global annual turnover. In view of Uber's turnover of around 34.5 billion euros in 2023, the fine is considerable. Uber has already announced that it will appeal against the fine.
It should be noted that this is not the first fine imposed on Uber by the Dutch Data Protection Authority: the company already had to pay 600,000 euros in 2018 and a further 10 million euros in 2023. Uber also appealed against