Uber has been hit with a €290m (324m) fine for failing to safeguard the data of its drivers while transferring it to the US.
The fine was brought by Autoriteit Persoonsgegevens, the Dutch Data Protection Authority, in collaboration with the French DPA CNIL and other European DPAs, and is the third levied fine on Uber by the Dutch authority.
By failing to safeguard the data during the transfers, Uber was found to have seriously violated EU GDPR, especially Article 44.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious,” said Aleid Wolfsen, Dutch DPA chairman.
Sensitive data
According to the findings, Uber transferred data to the US for two years with any transfer tools, and kept the data on servers there.
The EU-US Privacy Shield was invalidated in 2020, yet, according to the Court, Standard Contractual Clauses could have provided “a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice.” But Uber did not use the clauses after August 2021, and therefore failed to safeguard the data during the transfers.
The data included sensitive information about the drivers, including:
- account details and taxi licences;
- location data;
- photos;
- payment details;
- identity documents; and
- criminal and medical data of some of the drivers.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Wolfsen said.
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”
Uber has now stopped making the unsafe transfers.
Other fines
The Dutch authority first fined Uber in 2018, imposing a €600,000 fine ($666,966) for not reporting a data breach within 72 hours after discovering it. The breach concerned 57 million Uber users worldwide, including 174,000 Dutch citizens.
The breach data included names, e-mail addresses and telephone numbers of customers and drivers.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
Aleid Wolfsen, chairman, Dutch DPA
This investigation arose after complaints from more than 170 French drivers, who complained to the French human rights organization Ligue des droits de l’Homme et du citoyen. It then decided to submit the matter to the French data protection authority CNIL. CNIL handed the complaint to AP since Uber has its European headquarters in the Netherlands.
Uber was first fined €10m over privacy violations on driver data in 2023 – which the company has objected to.
According to the Dutch DPA, Uber failed to disclose the full details of its retention periods for the European drivers’ data, or to name the non-European countries where the data was shared. It was also found that Uber had “obstructed the drivers’ efforts to exercise their right to privacy” by making it unnecessarily difficult to send requests to view or get copies of their personal data.
“Drivers have the right to know how Uber handles their personal data. However, Uber did not explain this with sufficient clarity. It should have informed its drivers better and more diligently in this regard. Transparency is a fundamental part of protecting personal data,” Wolfsen said at the time.
“If you don’t know how your personal data is being handled, you can’t determine whether you are being put at a disadvantage or treated unfairly. And you can’t stand up for your rights.”