Uber faces a massive €290 million penalty for violating the GDPR by illegally transferring European driver data. Authorities accuse Uber of unlawfully transferring personal data from the European Economic Area (EEA) to servers in the United States without implementing the appropriate security measures required under Chapter V of the General Data Protection Regulation (GDPR).
This penalty marks one of the most significant actions taken under the European Union’s General Data Protection Regulation (GDPR) since its implementation, highlighting the serious consequences of GDPR violations.
Sensitive information on the company’s drivers was allegedly collected and stored on servers located in the United States for more than two years. This information includes account details, taxi licences, location data, photographs, payment details, proof of identity and, in some cases, criminal and medical records.
Uber failed to use the appropriate data transfer mechanisms when transferring this data to its US headquarters, leaving the personal information insufficiently protected.
In 2020, the EU’s Court of Justice invalidated the EU-US Privacy Shield, ruling that Standard Contractual Clauses may still be used for data transfers outside the EU, but only if they provide an equivalent level of security.
The Dutch Data Protection Authority (DPA) claims that Uber stopped using Standard Contractual Clauses in August 2021, leaving EU drivers’ data inadequately protected.
The Dutch DPA began investigating Uber after more than 170 French drivers raised concerns through the French human rights organisation Ligue des droits de l’Homme (LDH), which then filed a complaint with the French DPA.
Uber Disputes GDPR Fine
Uber plans to appeal the decision, claiming that, despite uncertainty about its data transfer methods under the GDPR, it operated lawfully. The company believes that the new EU-US Data Privacy Framework, which takes effect in 2023, will resolve data transfer concerns.
Uber argues that Chapter V of the GDPR does not apply because Article 3 already covers its US processing activities. It further asserts that no transfer as defined by the GDPR takes place, since drivers send their data directly to Uber’s US servers via the app.
Uber also maintains that its data processing practices, as described in its privacy notice, comply with GDPR rules. The company considers the exchange of data between users, and between users and Uber, to be essential to its services.
However, the Autoriteit Persoonsgegevens (AP), the Dutch DPA, rejected these arguments and imposed the severe penalty. The supporting document contains additional information about the AP’s investigation and decision.
The penalty is suspended for four years if Uber appeals. Because Uber’s Amsterdam headquarters serves Europe, the Middle East and Africa, the Dutch Data Protection Authority (DPA) will continue to investigate the case.
The ongoing disputes between US corporations and EU data protection authorities over insufficient privacy safeguards for EU data transfers to the US centre on concerns about potential US surveillance.
Authorities in Austria and France ruled in 2022 that Google Analytics violated the GDPR by transferring data across international borders.
In 2023, Meta received the largest fine to date, $1.3 billion (€1.2 billion), for sending the personal information of EU residents to the United States without taking appropriate precautions.
The Uber case highlights the challenges multinational technology companies face in navigating data privacy regulations, particularly in light of the EU-US Privacy Shield’s invalidation.
The Uber case could set a precedent for similar actions in the future, prompting businesses to reconsider their compliance strategies. Businesses and authorities are likely to monitor the judicial review process closely, as it could have significant implications for the industry in the years to come.
The European Data Protection Board (EDPB) has issued guidelines recommending further steps to improve the security of transferred data. These measures, which keep exported data GDPR-compliant and prevent unauthorised parties from accessing it, include data localisation and “zero access” encryption.