On Monday 26 August, the Dutch data protection regulator fined the digital platform Uber €290 million for illegally transferring the data of French drivers to the United States under the ‘GDPR’ regulation on the protection of personal data.
The Dutch authority found that Uber collected sensitive information (taxi account and licence data, location data, photos, payment details, identity documents and, in some cases, criminal and medical data) from drivers and, between August 2021 and November 2023, transferred it to its US headquarters.
After the Court of Justice of the European Union invalidated the EU-US Privacy Shield (see EUROPE 12529/2) in July 2020, US companies operating in the EU could still use standard contractual clauses for the transfer of personal data to third countries, but only if an equivalent level of protection could be guaranteed in practice.
In the Dutch regulator’s view, given that Uber had not been using these contractual clauses since August 2021, the data of EU drivers was not sufficiently protected.
On behalf of the CCIA Europe organisation, which brings together platforms such as Uber, Amazon, X and Google, Alexandre Roure criticised a decision that “ignores reality”. “The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows”, he said in a statement. Imposing a retroactive fine is especially “worrisome”, given that these privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, he added.
Uber has appealed the Dutch authority’s decision. (Original version in French by Mathieu Bion)