Uber Slapped with £250 Million Fine for Data Transfers to US
The Dutch Data Protection Authority (DPA) has imposed a hefty £250 million fine on ride-hailing giant Uber for its handling of driver data, citing breaches of the General Data Protection Regulation (GDPR).
The DPA's investigation found that Uber had been collecting and storing sensitive information of European drivers on servers located in the US without adequate safeguards in place. This included personal details like account information, taxi licences, location data, photographs, payment information, identity documents, and in some cases, even criminal and medical records.
"In Europe, the GDPR protects the fundamental rights of people, requiring businesses and governments to handle personal data with due care," said Aleid Wolfsen, Chairman of the Dutch DPA. "But sadly, this is not self-evident outside Europe. Consider governments that can access data on a large scale. That's why businesses are typically obliged to take extra measures when storing the personal data of Europeans outside the European Union. Uber did not meet the GDPR requirements to ensure adequate data protection for transfers to the US. This is a serious matter."
For over two years, Uber transferred data to its US headquarters without using approved transfer mechanisms. This practice fell short of GDPR standards, particularly after the EU's Court of Justice invalidated the EU-US Privacy Shield in 2020.
While Standard Contractual Clauses (SCCs) were considered a valid method for transferring data outside the EU, they require a guarantee of equivalent data protection levels in the destination country. However, Uber ceased using SCCs in August 2021, leaving EU driver data inadequately protected, according to the Dutch DPA. Uber has since implemented the successor to the Privacy Shield.
The investigation was triggered by complaints from over 170 French drivers who contacted the Ligue des droits de l'Homme (LDH), a French human rights group, which subsequently filed a complaint with the French DPA. Under the GDPR, businesses processing data across multiple EU Member States are required to deal with the DPA in the country where their main establishment is located. As Uber's European headquarters are in the Netherlands, the Dutch DPA took the lead on the investigation, closely cooperating with the French DPA and coordinating the decision with other European DPAs.
All DPAs in Europe apply the same formula to calculate fines for businesses, with a maximum penalty of 4% of global annual turnover. Based on Uber's 2023 global turnover of approximately £30 billion, the £250 million fine represents a significant financial blow.
This is the third time the Dutch DPA has fined Uber for data protection violations. In 2018, a £500,000 fine was imposed, followed by an £8.5 million fine in 2023. Uber has appealed the latter fine and has indicated its intention to appeal the latest penalty as well.