Skip page header and navigation

Netherlands fines Uber €290M for transferring driver data to US

Netherlands fines Uber €290M for transferring driver data to US

Craig Johnson
| August 27, 2024
Ride share driver in car using the rideshare app in mobile phone.

Main article

The Dutch Data Protection Authority fined Uber Technologies €290 million (USD 324.0 million) for transferring the personal data of European drivers to the US.

“The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States and failed to appropriately safeguard the data with regard to these transfers,” the agency said in a press release. “According to the Dutch DPA, this constitutes a serious violation of the General Data Protection Regulation. In the meantime, Uber has ended the violation.”

Uber refutes the allegations and plans to appeal the decision. The appeals process will take up to four years, though the fine will be suspended during the process.

“This flawed decision and extraordinary fine are completely unjustified,” an Uber spokesperson said in a note to SIA. “Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”

The Dutch DPA said data collected included sensitive information such as account details and taxi licenses as well as location data, photos, payment details and identity documents. In some cases, drivers’ criminal and medical data was collected.

Uber transferred that data to its headquarters in the US during a two-year period without using proper transfer tools, according to the agency. As a result, the protection of personal data was not sufficient.

“In Europe, the [General Data Protection Regulation] protects the fundamental rights of people by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said in a press release. “But sadly, this is not self-evident outside Europe.”

Wolfsen continued, “Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”

The decision relates to a complaint that dates back to 2021 which took place during a three-year period where there was significant uncertainty regarding data transfers between the US and EU, according to Uber. The uncertainty stemmed from a ruling by the Court of Justice of the European Union that found the EU-US Privacy Shield Agreement was invalid. The situation wasn’t resolved until July 2023, when the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework that found the US ensures an adequate level of data protection.

The data of European Uber users has always remained protected under GDPR, according to Uber. The company did not need to make any changes to its data transfer processes in order to certify under the EU-US Data Privacy Framework in 2023.

Uber has been fined previously by the Dutch DPA, which imposed a fine of €600,000 (USD 686,274) in 2018 and a fine of €10 million (USD 11.0 million) in 2023.