In a landmark decision, the Dutch Data Protection Authority (DPA) has imposed a €290 million ($324 million) fine on Uber Technologies for illegally transmitting the personal data of European drivers to the US. This penalty, one of the largest ever under the European Union’s General Data Protection Regulation (GDPR), highlights the ongoing challenges that online companies face in complying with stringent data privacy laws.
The legal dispute involving Uber began in 2021 when over 170 French drivers lodged complaints with the Ligue des droits de l’Homme (LDH), a human rights organization. The case initially came to the attention of France’s privacy agency; because Uber’s primary EU headquarters is located in the Netherlands, the issue was forwarded to the Dutch DPA.
During its investigation, the Dutch DPA found that Uber had transmitted sensitive data about its European drivers—including taxi permits, location details, and medical information—to servers in the US. This action violated the GDPR’s mandate that data about EU citizens must be securely protected when transferred outside the EU.
The GDPR requires that entities implement both technological and organizational measures to safeguard personal data. However, the DPA concluded that Uber did not provide the necessary safeguards, particularly against the backdrop of surveillance by U.S. national security agencies, which are seen as a risk to the privacy rights of EU citizens.
Uber has declared that its method of transferring data across borders adhered to GDPR during a period marked by significant ambiguity between the EU and the U.S., labeling the ruling as mistaken and illogical. The company, believing that rationality will ultimately prevail, plans to challenge the verdict.
Aleid Wolfsen, the chair of the Dutch DPA, underscored the importance of GDPR in safeguarding the fundamental rights of individuals in Europe. He highlighted that companies are required to implement extra precautions when managing the personal data of Europeans stored outside the EU to guarantee a comparable level of protection:
“In Europe, the GDPR is instrumental in protecting people’s fundamental rights by mandating that businesses and governments handle personal data carefully,” said Dutch DPA chairman Aleid Wolfsen. “Unfortunately, this principle is not a given outside of Europe. Consider governments that have the capability to access data extensively. For this reason, companies are generally expected to adopt additional measures when they process personal data of Europeans outside of the European Union. Uber failed to fulfill the GDPR stipulations to ensure adequate data protection during transfers to the U.S. This is a grave issue.”
The €290 million penalty imposed on Uber highlights the critical nature of data protection and privacy. As the digital environment evolves, businesses need to prioritize the security of personal data and adhere to international standards in order to protect the privacy rights of individuals.