Uber is facing a hefty €290 million ($324 million) fine from the Netherlands' privacy watchdog for breaching the European Union’s General Data Protection Regulation (GDPR). This penalty, one of the largest imposed on a tech company since the GDPR's inception in 2018, stems from Uber's transfer of personal data of drivers from the EU to the US without adequate safeguards, raising serious concerns about privacy rights.
The Autoriteit Persoonsgegevens (AP), the Dutch regulator responsible for overseeing GDPR compliance for Uber within the EU, led the investigation following complaints from over 170 Uber drivers in France. These complaints, initially lodged in 2021 through the human rights organization Ligue des droits de l’Homme (LDH), centered on how Uber managed and transferred drivers' personal data out of the EU.
Uber's data practices during a period of legal uncertainty between the EU and the US have been under scrutiny. Specifically, the lack of a high-level data transfer agreement from July 2020, when the EU's top court invalidated the Privacy Shield framework, left companies like Uber in a precarious position. Despite this, Uber continued to transfer sensitive data—including driver identities, location data, payment details, and even criminal and medical records—without employing the necessary safeguards mandated by GDPR.
The AP emphasized that this breach is particularly serious due to the nature of the data involved and the risk posed by US national security surveillance programs, which have been a point of contention in Europe since Edward Snowden’s revelations in 2013. The regulator highlighted that businesses are obligated to ensure a high level of protection for EU citizens' data, regardless of where it is transferred. Uber's failure to meet these standards resulted in this significant fine.
Uber has expressed strong disagreement with the ruling. The company contends that its data transfer processes were compliant with GDPR during the three-year period of legal uncertainty and has vowed to appeal the fine. Uber maintains that the legal framework has shifted, and the processes now deemed compliant under the new EU-US data transfer agreement are the same as those it previously used.
This €290 million fine against Uber underscores the heightened scrutiny and legal risks tech companies face regarding data privacy in Europe. As regulators continue to enforce stringent data protection laws, especially concerning cross-border data transfers, companies must ensure they meet GDPR standards to avoid such severe penalties. Uber's forthcoming appeal will likely draw significant attention, as it may set a precedent for how similar cases are handled in the future.
