The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) has issued a €290 million fine to Uber for violating the EU’s General Data Protection Regulation (GDPR). The fine relates to the transfer of personal data of European drivers to the U.S. without the adequate safeguards the regulation requires.
Uber has announced plans to appeal the decision.
What Happened?
According to the AP, Uber transferred personal and sensitive personal data — including account details, location data, identity documents, and even criminal and medical records — from its European drivers to its U.S. headquarters for over two years without sufficient safeguards. The AP determined this to be a serious breach of GDPR requirements for international data transfers, particularly in the wake of the 2020 ruling that invalidated the EU-U.S. Privacy Shield.
Key Takeaways:
Cross-Border Data Transfers Under Scrutiny: Entities should ensure that personal data transferred outside the EU is afforded the same level of protection as it would receive within the bloc. This means using mechanisms like Standard Contractual Clauses (SCCs) or other GDPR-compliant transfer tools.
Significant Financial Penalties: GDPR fines can reach up to 4% of a company’s global revenue, making compliance a business-critical priority. For Uber, this fine follows two previous penalties from the AP, signaling that data protection authorities are increasingly willing to take strong enforcement actions.
Evolving Legal Frameworks: This matter highlights the continued scrutiny around EU-U.S. personal data transfers following the Privacy Shield invalidation. As the EU-U.S. Data Privacy Framework has replaced Privacy Shield, businesses should closely monitor developments in order to ensure compliance.