Dutch Order Uber to Pay $324 Million Fine Over Drivers’ Data Breach

Uber has been hit with a 290 million euro ($324 million) fine by a Dutch data watchdog for sharing personal information about its European drivers with its parent company in the United States.
The ride-hailing app fell foul of the European Union’s General Data Protection Regulation (GDPR), which was introduced in 2016.
The Autoriteit Persoonsgegevens, or Data Protection Authority (DPA), in the Netherlands said Uber had transferred the personal details of its European drivers to the United States without adequate protection.
Uber said it would appeal, calling the decision flawed and unjustified.
Complaints by 170 Uber drivers in France triggered the investigation, but the Dutch authorities dealt with it because Uber’s European headquarters is in the Netherlands.
In a statement on its website, the DPA said the data transfers, which spanned more than two years, were a serious breach of the GDPR, which requires measures to be put in place to protect user data.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” DPA Chairman Aleid Wolfsen said.
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
In January this year, the company received a 10 million euro ($11.1 million) fine for failing to disclose how long it retained data from drivers in Europe and failing to name non-EU nations that could access its data.
Uber said in a statement: “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S.
“We will appeal and remain confident that common sense will prevail.”
In 2020, the European Court of Justice ruled that an agreement known as the EU–U.S. Privacy Shield, which allowed thousands of companies to transfer data to the United States, was invalid because data transferred under it was open to the U.S. government.
The DPA said that, following the court’s ruling, companies were meant to introduce standard clauses in contracts to allow for data to be transferred outside the EU, “but only if an equivalent level of protection can be guaranteed in practice.”
“Because Uber no longer used standard contractual clauses from August 2021, the data of drivers from the EU were insufficiently protected,” the authority said.
Uber is now understood to be compliant, having switched to the successor to the EU–U.S. Privacy Shield, known as the EU–U.S. Data Privacy Framework, at the end of 2023.
The Computer and Communications Industry Association, which represents tech companies battling against bureaucracy, said the fine ignored the realities of online business since 2020.
“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” the association’s European head of policy, Alexandre Roure, said in a statement.
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework.”
