Dutch Data Protection Authority Fines Uber €290 Million for Illegal EU Data Transfers to the U.S.

Kaamel Lab

On August 26, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) announced in a press release that it has decided to fine Uber €290 million for violating regulations by transferring the personal data of drivers in the EU to the United States. This is the highest fine ever imposed by the agency and marks the third penalty issued by the Dutch Data Protection Authority against Uber, following previous fines of €10 million and €600,000.

Case Background

The AP stated that it launched an investigation into Uber after receiving complaints from over 170 French drivers who had filed their grievances with the French human rights advocacy organization "Ligue des droits de l’Homme" (LDH). Initially, the case was handled by the French National Commission on Informatics and Liberty (CNIL), which received the LDH's complaint in June 2020. However, because Uber's European headquarters is located in the Netherlands, the CNIL forwarded the complaint to the AP in January 2021, and the two agencies closely cooperated in the subsequent investigation.
The investigation revealed that Uber collected sensitive information from European drivers, including account details, vehicle operation licenses, location data, identification documents, and, in some cases, criminal records and medical information. This data was then stored on servers in the United States.
The AP pointed out that after the EU-U.S. Privacy Shield framework was invalidated by the European Court of Justice in the Schrems II case, Standard Contractual Clauses (SCCs) remained a valid basis for transferring data to countries outside the EU, provided that an equivalent level of protection could be ensured in practice. However, since August 2021, Uber had stopped using SCCs. As a result, the AP determined that from August 6, 2021, to November 27, 2023, Uber had no appropriate transfer mechanism in place for transferring personal data to the U.S., leaving that data insufficiently protected, in violation of Article 44 of the GDPR.
Since the end of 2023, Uber has begun using the new EU-U.S. data privacy framework.

Compliance Insights

Necessity of Data Transfers

Uber claimed that its cross-border data transfers were necessary for the performance of a contract, as stipulated under Article 49(1)(b) of the GDPR. However, the AP rejected this claim. Article 49 of the GDPR is intended as an exception when data transfers to a country not on the "whitelist" cannot be safeguarded by measures such as SCCs or Binding Corporate Rules (BCRs). The AP provided two main reasons for rejecting Uber's claim:
  1. Continuous and Systematic Data Transfers: The AP reiterated that Article 49(1)(b) of the GDPR only applies to occasional data transfers. Uber, however, was continuously transferring information of EU data subjects to the U.S., which does not meet the definition of "occasional."
  2. Lack of Necessity: The AP noted that while Uber’s cross-border data activities played a role in its business operations, these activities were not necessary for the conclusion and performance of contracts. "Necessity" refers to the objective requirement that the primary purpose of a contract cannot be fulfilled without the cross-border data transfer. The AP illustrated this with an example: when a travel agency books a hotel overseas for a customer, the cross-border data transfer is necessary to complete the service, and no other feasible alternative exists. The AP referenced the 2023 court ruling in the Meta case, emphasizing that merely including data transfers in a contract is insufficient to prove "necessity." Companies must demonstrate that there are no equally effective and less intrusive alternatives. In Uber's case, the company failed to prove that its data transfers were necessary for providing global services or ensuring data security, nor did it demonstrate the absence of other feasible alternatives. Therefore, the AP did not accept Uber’s claim.

Changes in Regulatory Requirements

The violations of cross-border data transfers in the Uber case occurred during the transition period between the old framework’s invalidation and the introduction of the new framework. Although this period has passed for Uber and other companies that have joined the new EU-U.S. Data Privacy Framework, many international businesses have not yet applied or do not plan to apply to join the new framework for various reasons. Therefore, the Uber case serves as a warning of potential risks that these companies may face.
The cases from Schrems' actions against Meta through Uber, and those that will follow, demonstrate that transferring personal data from the EU to the U.S. involves significant risk because of the high level of scrutiny from users and regulatory agencies. However, this does not mean that international companies cannot achieve compliance. In the Uber case, the company mistakenly concluded, based on an EU FAQ guide, that SCCs did not apply to its data processing scenarios. Consequently, when the EU updated the SCCs, Uber removed the SCC-related clauses from its data processing contracts without implementing any alternative measures, which the AP deemed a violation. The AP's decision emphasized the compliance requirements that Uber failed to meet, and these are the key areas of focus for other businesses. The AP reiterated that when companies transfer data from the EU to non-whitelisted countries, they must ensure that sufficient privacy and data protection measures are in place. This includes conducting data transfer risk assessments, implementing appropriate safeguards based on the assessment, and entering into agreements with data recipients (such as SCCs or BCRs).
The core issue in this case was Uber's failure to establish an appropriate transfer mechanism in a timely manner in response to changing regulatory requirements, leading to a substantial fine. As a professional privacy compliance company, Kaamel has successfully assisted many companies in achieving international compliance. We constantly monitor the latest developments in privacy protection and regulatory requirements, and we are here to serve you if needed!