The Dutch Data Protection Authority has imposed a €290 million fine on Uber

At the beginning of this week, the Dutch Data Protection Authority (Dutch DPA) imposed a €290 million fine on Uber for breaching the GDPR by transferring personal data of European taxi drivers to the US without adequate safeguards. The transfers involved sensitive data, including account details, taxi licences, location data, photos, payment details, identity documents, and in some cases criminal and medical records, and continued for more than two years. The Dutch DPA found that after August 2021 Uber no longer relied on a valid transfer tool such as Standard Contractual Clauses (SCCs), leaving the data inadequately protected. The investigation followed complaints from over 170 French drivers. Uber plans to object to the decision, which is the third penalty the Dutch DPA has imposed on the company, following fines of €600,000 in 2018 and €10 million in 2023.

Between 2020 and 2023, following the Schrems II judgment of the Court of Justice of the EU, there was considerable uncertainty: the EU-US Privacy Shield had been invalidated and no replacement framework for transatlantic data transfers between the European Union and the United States was in place. This uncertainty ended in July 2023 with the adoption of the adequacy decision for the EU-U.S. Data Privacy Framework, which replaced the Privacy Shield and provided a compliant mechanism for transfers to US organisations certified under it.

During this period, however, the national Data Protection Authorities (DPAs) and the European Data Protection Supervisor (EDPS) remained highly active in scrutinising international data transfers. Notable decisions include:

  • In March 2021, the Bavarian DPA ruled that a German company's transfer of newsletter subscriber data to Mailchimp was unlawful because the company had not performed a Transfer Impact Assessment (TIA) to determine whether supplementary measures were needed in light of potential access by US surveillance authorities;
  • In April 2021, the Portuguese DPA ordered the National Institute of Statistics to suspend, within 12 hours, data transfers to the US made through Cloudflare, because the TIA was inadequate and the SCCs alone did not provide sufficient safeguards: the assessment focused only on security, failed to assess the broader risks of the transfer, and the data processing agreement's provision on notifying the controller of government access requests was insufficient;
  • In January 2022, the Austrian DPA ruled that an Austrian website's use of Google Analytics violated the GDPR as interpreted in Schrems II, because the measures in place did not adequately protect the transferred data against access by US intelligence agencies;
  • In January 2022, the EDPS, acting on a complaint, reprimanded the European Parliament for unlawful transfers and inadequate safeguards on its COVID testing website and required the shortcomings to be corrected within one month.

The Uber case stands out not only as the most recent of these decisions but also for the size of the fine, which underscores the severity of the infringement. Time will tell whether more is to come.