The Dutch Data Protection Authority (DPA) has imposed an unprecedented €290 million fine on Uber related to a breach of GDPR cross-border data transfer rules. In a case that has somewhat divided opinion in the data protection and privacy space, the regulator ruled that transferring EU drivers’ personal data to U.S. servers without adequate Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) fell below minimum GDPR requirements.

The investigation started after the French human-rights interest group the Ligue des droits de l’Homme lodged a complaint with the French Data Protection Authority (CNIL), based on 170 complaints from French Uber drivers. The complaint was passed on to the Dutch DPA as Uber’s Lead Supervisory Authority. Under GDPR, if a business processes data in several EU member states (thereby engaging in cross-border data processing), it only has to deal with one DPA under the one-stop-shop mechanism.

The investigation relates to the aftermath of the Court of Justice ruling in the Schrems II case and found that, for a period spanning more than 2 years, Uber collected sensitive information of drivers from Europe, transferred it without using appropriate transfer tools, and retained it on servers in the US. The information collected included account details, taxi licenses, location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers. The Dutch DPA has previously issued guidance that transfers could be based on contractual clauses, but only where an equivalent level of protection can be guaranteed in the jurisdiction to which the data is being transferred. However, as Uber stopped using standard contractual clauses in August 2021, the DPA found that the data of EU drivers was insufficiently protected.

This is the third fine imposed on Uber by the Dutch DPA. Uber has issued a statement describing the decision as “flawed” and “completely unjustified”. It also confirmed that it is planning to appeal against the decision. Lastly, the trade union INV-FO and the LDH (Ligue des droits de l’Homme) have indicated that they are planning to launch a group action against Uber for all Uber drivers in France to be compensated for the damage suffered.

Understanding and deciding which international data transfer mechanisms to use is critical when a business operates in several jurisdictions. As an external global Data Protection Officer, HewardMills offers its multinational clients regular reviews of their data protection practices to ensure a holistic approach to building out GDPR-compliant programmes. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.