• GL
Choose your location?
  • Global Global
  • Australian flag Australia
  • French flag France
  • German flag Germany
  • Irish flag Ireland
  • Italian flag Italy
  • Polish flag Poland
  • Qatar flag Qatar
  • Spanish flag Spain
  • UAE flag UAE
  • UK flag UK

Uber fined €290m for unlawful EU-US transfer of personal data

17 December 2024

In August 2024, the Dutch Data Protection Authority ("DPA") imposed a fine of €290m on Uber for transferring personal data of its drivers from the EU to the US without appropriate safeguards in place.  

Background 

Ligue des droits de l'Homme (a French human rights interest group) submitted a complaint to the CNIL (the French DPA), on behalf of 170 French Uber drivers. The CNIL subsequently forwarded the complaints to the Dutch DPA, as the Lead Supervisory Authority for Uber. 

Findings 

The Dutch DPA's investigation found that Uber had collected sensitive information relating to its European drivers (such as taxi licence information, location data, photographs, payment information, identity documents, criminal offence data and health data) and stored this on its US servers. Over a two year period, Uber had transferred this personal data to its headquarters located in the US. 

Since the EU-US Privacy Shield had been invalidated by the judgment of the Court of Justice of the European Union in Schrems II, the EU Standard Contractual Clauses ("SCCs") could have been used as an appropriate safeguard for the transfer, but only if an equivalent level of protection was guaranteed by the recipient country.  

Uber had stopped using the EU SCCs from August 2021, and as a result the Dutch DPA found that Uber had transferred this personal data to the US without having an appropriate safeguard in place.  

The Dutch DPA stated this was a "very serious" contravention of the requirements of the GDPR, although it highlighted that the breach was rectified at the end of 2023 when Uber signed up to the EU-US Data Privacy Framework.      

Uber's response 

Uber has insisted that its transfer of the personal data was done so in compliance with the GDPR, stating that "we will appeal and remain confident that common sense will prevail". To date, there has been no updates on Uber's appeal but we will share more information as it becomes published.      

Data transfers help 

If you have any questions relating to this decision, simplifying the complexity of international personal data transfers or any other data protection-related issues, please do contact DWF's Data Protection and Cyber Security team or contact the article author directly - Kelly Marum

Further Reading