Sagsmappe
Dutch Regulator Fines Uber €290M for Illegal Data Transfers
The ride-sharing giant systematically moved driver data to the U.S. without required safeguards for over two years
BEVIS
The Dutch Data Protection Authority (DPA) fined Uber Technologies, Inc. and Uber B.V. a combined €290 million on August 26, 2024, for violations of the EU General Data Protection Regulation (GDPR). The enforcement action centers on Uber's systematic transfer of sensitive personal data belonging to European Economic Area (EEA)-based drivers to the United States without implementing legally required safeguards.
The violations span a 27-month period beginning in July 2020, when the European Court of Justice invalidated the EU-U.S. Privacy Shield framework through its Schrems II ruling. During this window, Uber removed Standard Contractual Clauses—critical legal mechanisms designed to protect data in transit—from driver agreements while continuing to transfer information to U.S. servers.
The data transferred included highly sensitive information: driver account details, real-time location data, identity documents, criminal records, and medical records. The scale and sensitivity of the dataset, combined with the systematic and repetitive nature of the transfers over more than two years, prompted the DPA to issue a substantial fine while remaining below the statutory maximum penalty available under GDPR.
The investigation originated with complaints filed by drivers with the French data protection authority. The case was subsequently transferred to the Dutch DPA, which has jurisdiction because Uber maintains its European headquarters in the Netherlands. Rather than treat the transfers as isolated incidents, regulators classified them as a pattern of deliberate non-compliance following a landmark court decision that explicitly required companies to implement stronger data protection measures.
Uber has announced its intention to appeal the decision. The company's response underscores ongoing tension in tech industry operations: major platforms often rely on cross-border data flows to operate their global services, yet European regulators have increasingly demanded explicit legal justification and active safeguards for such transfers—especially following the collapse of the Privacy Shield framework.
The fine reflects broader regulatory momentum in Europe. Since the Schrems II ruling, data protection authorities have investigated numerous technology companies for similar violations. The Dutch DPA's decision against Uber signals that regulators view the removal or modification of Standard Contractual Clauses without alternative safeguards as a serious breach, particularly when sensitive data categories are involved.
For Uber drivers in Europe, the violation raises questions about how their personal information—including location history and identity documents—was handled during the 27-month period. For Uber itself, the fine represents a significant financial penalty and a legal precedent that could influence how the company structures data governance across its European operations going forward.
The decision also illustrates the distinction between regulatory fines and criminal liability in data protection cases. This enforcement action is a civil regulatory penalty issued by a data protection authority, not a criminal conviction. No individual Uber executives were personally charged or convicted in connection with these violations.
**Sources**
https://www.jdsupra.com/legalnews/buckle-up-uber-fined-eur290m-for-7054727/
https://www.willkie.com/publications/2024/09/dutch-dpa-fines-uber-290m-for-gdpr-data-transfer-violation
https://www.willkie.com/publications/2024/11/dutch-data-protection-authority-fines-uber-290-million-for-gdpr-data-transfer-violation