Privacy & Information Security Law Blog

On August 26, 2024, the Dutch Data Protection Authority (the “Dutch DPA”), as lead supervisory authority, announced that it had imposed a fine of 290 million euros ($324 million) on Uber.  The fine related to violations of the international transfer requirements under the EU General Data Protection Regulation (the “GDPR”). 

The Dutch DPA launched an investigation into Uber following complaints from more than 170 French Uber drivers to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Authority (the “CNIL”).  The CNIL then forwarded the complaints to the Dutch DPA as lead supervisory authority for Uber.

Through the investigation, the Dutch DPA found that Uber collected personal data, including sensitive data, from drivers in Europe and retained such data in the U.S.  The personal data included account details and taxi licenses, and in some instances, location data, photos, payment details, identity documents, and criminal and medical data of the drivers.  It was found that for a period of more than two years, Uber transferred such data to its U.S. headquarters without using transfer tools, such as the Standard Contractual Clauses, as required by Chapter V of the GDPR.