Out-Law / Your Daily Need-To-Know

Out-Law News 1 min. read

DPA issues Uber €290 million fine for GDPR data transfer breach


The Dutch Data Protection Authority (DPA) has imposed a €290 million fine on Uber for allegedly transferring personal data from EU to US servers without adequate protections in place.

The Dutch authority deemed the alleged breach as a “serious violation” of the General Data Protection Regulation (GDPR). However, Uber has said it considers the decision and subsequent fine to be “flawed and unjustified” and has vowed to lodge an appeal.

According to the DPA, Uber collected the sensitive information of drivers from the EU and retained it on servers in the US. Uber is said to have transferred the data to its US headquarters without using protective transfer tools over a period of more than two years.

The DPA said the absence of these transfer tools meant the protection of personal data was insufficient and therefore breached GDPR rules, which require technical and organisational measures to be put in place to protect and handle user data with due care.

The case was initiated by 170 complaints filed by French Uber drivers. The Dutch authority issued the fine because Uber’s European headquarters are situated in the Netherlands.

As reported by Associated Press, an Uber statement read: “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”

The decision follows a Court of Justice of the EU (CJEU) ruling in 2020 that found an agreement known as a ‘privacy shield’ which allowed companies to transfer data to the US was invalid as the US government has the ability to tap into the transferred personal data.

The DPA has previously stated that standard clauses in contracts could provide a basis for transferring data outside of the EU, including to the US. However, this is only applicable in circumstances where an equivalent level of protection can be guaranteed in the jurisdiction to which the data is being transferred.

However, as Uber stopped using standard contractual clauses in August 2021, the DPA found that the data of EU drivers was insufficiently protected.

The DPA added that since Uber has been using the successor of the ‘privacy shield’ since the end of 2023, the alleged breach is no longer ongoing.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.