The Dutch Data Protection Authority (DPA) has fined Uber Technologies and Uber BV 290 million euros because of transfers of drivers’ data to the US without adequate assurances.

Uber Technologies Inc., an American company headquartered in San Francisco, California, operates in 70 countries and 10,500 cities worldwide. It is the largest ridesharing company worldwide with over 150 million monthly active users and 6 million active drivers and couriers. Uber BV is a Dutch company that owns the rights in Uber’s smartphone application. The work of Uber drivers is arranged through the Uber app.

In 2020, the group La Ligue des droits de l’Homme, filed a complaint with the French data protection authority, the CNIL, on behalf of 170 French Uber drivers. The French authority forwarded the complaints to the Dutch authority, the lead supervisory authority for Uber. Since Uber has its main office in the Netherlands, the Dutch DPA was in charge of carrying out the investigations under the protocols for cooperation between authorities provided by the General Data Protection Regulation (GDPR).

The Dutch DPA determined that Uber gathered various types of sensitive information from European drivers and stored this data on servers located in the United States. This information included account details, taxi licenses, location data, photographs, payment information, identity documents, and, in certain instances, criminal and medical records of the drivers.

For more than two years, Uber sent this data to its headquarters in the United States without employing any transfer mechanisms. As a result, the safeguarding of personal data was inadequate.

In 2020, the Court of Justice of the European Union ruled that the Privacy Shield, which allowed companies to transfer data from the EU to the U.S., was invalid as the U.S. government could tap into the transferred personal data.

The Court stated that while Standard Contractual Clauses could still serve as a legitimate foundation for data transfers to non-EU countries, this is contingent upon the assurance of an equivalent level of protection in practice.

Due to Uber’s discontinuation of Standard Contractual Clauses as of August 2021, the Dutch DPA determined that the data of drivers from the European Union was inadequately safeguarded until November 2023, when Uber adopted the successor mechanism to the Privacy Shield (the Data Privacy Framework).