The Netherlands’ privacy watchdog today issued a fine of €290 million, or about $324 million, to Uber Technologies Inc. over its data management practices.
The decision relates to a regulatory framework called the EU-US Privacy Shield that was struck down by a court in 2020.
Uber, like many other U.S. tech firms, transfers information it collects about international users to stateside data centers. In the European Union, such data transfers were governed by a regulatory framework called the EU-US Privacy Shield until about four years ago. In July 2020, the EU’s top court struck down the framework over concerns about U.S. surveillance.
Following the ruling, companies had to use a legal tool known as Standard Contractual Clauses, or SCCs, if they wished to transfer user data to the U.S. SCCs can only be used if certain conditions are met. Notably, tech firms must ensure that consumers will receive the same level of privacy as in the EU once their data leaves the bloc.
Uber opted not to use SCCs, yet continued streaming user data to servers in the U.S. Today’s fine was issued over that practice. In particular, the Dutch Data Protection Authority took issue with the way Uber moved information about the drivers who find passengers through its ride-hailing app.
Privacy officials found that Uber had transferred drivers’ identity documents, taxi licenses, photos and location data to servers in the U.S. In some cases, the company also moved drivers’ criminal and medical information. Officials have determined that those data transfers breached the EU’s GDPR privacy regulation.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care”, said Aleid Wolfsen, the chair of the Dutch Data Protection Authority. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US.”
Last July, three years after the EU’s top court struck down the EU-U.S. Privacy Shield, a new transatlantic data transfer framework went into effect. Uber started using the new framework in late 2023. As a result, the company can now transfer certain user data to U.S. servers without breaching the GDPR.
Today’s fine is the second Uber has received from the Dutch Data Protection Authority since the start of the year. Previously, the watchdog issued a €10 million penalty to the company in January. Privacy officials determined that Uber had made it unnecessarily difficult for drivers to find out what data the company collects about them.