Uber fined €290 million

Updated as of: 27 August 2024

Uber has said it will challenge a record fine for transferring EU drivers’ personal data to the US.


The Dutch data protection authority said yesterday that the ride-share company committed a serious GDPR violation by sending drivers’ data to its US headquarters without sufficient guarantees. It said the data included sensitive information such as drivers’ location data, photos, payment details, identity documents, and in some cases criminal and medical data. 

The decision and €290 million fine – the regulator’s highest penalty to date – stem from a complaint by 170 French Uber drivers. The Dutch regulator took on the investigation as Uber's main European establishment is in the Netherlands. The complaint noted Uber's legal position regarding data transfers had been unclear following the Schrems II ruling, which struck down the EU-US Privacy Shield transfer mechanism.

The court noted at the time that controllers could still rely on standard contractual clauses (SCCs) to transfer data to the US so long as they ensured that recipients could meet data protection obligations.

The successor to the EU Privacy Shield was approved in July 2023. The Dutch regulator yesterday said Uber did not use any legal transfer mechanism between August 2021 and November 2023, while there was no valid US adequacy decision in place.

The ridesharing company had removed its SCCs after the European Commission updated the clauses in 2021, on the basis that Uber’s Dutch subsidiary and US parent company were joint controllers that were both directly subject to the GDPR. It referred to statements by the commission at the time that the SCCs do not work for importers whose operations fall within the GDPR, and that it was working on an additional set of clauses for this scenario. 

The commission has yet to release the clauses.

Uber did not subsequently implement any other transfer instruments such as binding corporate rules, the regulator said, concluding that the company violated article 44 of the GDPR by transferring personal data without safeguards.

While the GDPR protects fundamental rights by requiring businesses and governments to handle personal data with due care, this is not “self-evident” outside of Europe, the regulator’s chair Aleid Wolfsen said. He added that businesses must therefore take additional measures if they store EU data in other countries. 

“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US,” Wolfsen said. “That is very serious.”

In its decision, the regulator addressed Uber’s arguments that the international transfer provisions under chapter V GDPR, which include article 44, do not apply to it. Uber had argued that the simultaneous use of the GDPR’s transfer provisions was meaningless. 

“Transfers of personal data between joint controllers covered by article 3 are not excluded from the GDPR's international transfer provisions,” the regulator said yesterday, adding that both provisions are complementary to one another. “This prevents the protection of personal data provided by EU law from being undermined or circumvented.”

The Dutch watchdog also found that a transfer did take place even though the EU drivers themselves, and not the data controller or processor, had provided the personal data to the US entity. It found that Uber has significant influence on the context in which the drivers’ actions took place as the company leaves them no choice but to share their data.

This rationale can have “significant legal consequences,” BarentsKrans partner Marc Elshof told Lexology PRO. “It will often be the case that the party with whom you share data directly from the EU has influence on how that happens,” he said. 

This raises questions as to where the line is drawn, and whether this creates a whole new category of transfers, Elshof noted. “I would expect this question to be raised in appeal before the courts.”

According to the Dutch regulator, Uber should have known that a transfer instrument was necessary – especially when sending data to the US where intelligence services could access it – and that an administrative fine was warranted. 

A spokesperson for Uber said the company will appeal against the decision.

“Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US,” the spokesperson said. 

The Dutch regulator had fined Uber €10 million in 2023 for making it unnecessarily complicated for drivers to request to view or receive their data and for having unclear data retention policies.
