Dutch Regulator Fines Uber €290 Million for Data Protection Violations

Allegations of Inadequate Data Protection

The Dutch Data Protection Authority (DPA) has levied a €290 million (approximately $324 million) fine on Uber Technologies Inc. (NYSE:UBER). The alleged violation stems from the company’s transfer of personal data belonging to European drivers to the United States without adequate safeguards. This fine is a direct consequence of Uber’s non-compliance with the European Union’s General Data Protection Regulation (GDPR), which mandates rigorous measures for safeguarding user data.

The DPA’s decision was prompted by complaints filed by 170 French Uber drivers. The decision is based on the fact that Uber’s European headquarters is situated in the Netherlands. The authority maintains that Uber did not fulfill GDPR requirements for securing data transferred to the U.S., a situation further complicated by the invalidation of the Privacy Shield agreement in 2020.

Uber’s Response and Industry Reactions

Uber has publicly criticized the fine, deeming it flawed and unjustified. The company asserts that its data transfer practices were in line with GDPR during a period marked by regulatory ambiguity between the EU and the U.S. Uber intends to challenge the decision through an appeal, expressing confidence in the appeal’s ability to overturn the fine.

Following the EU court’s 2020 ruling, which invalidated the Privacy Shield agreement previously enabling data transfers to the U.S., Uber’s reliance on Standard Contractual Clauses was deemed insufficient in August 2021. The Dutch DPA emphasizes that while Uber has since adopted the successor to Privacy Shield, the alleged breach transpired during the transition period.

The Computer & Communications Industry Association, representing tech companies, argues that the fine disregards the practical challenges inherent in online business and the lack of clear guidance during a period of legal uncertainty. Alexandre Roure, the association’s European head of policy, expressed concern over the retroactive nature of the fine amidst the absence of a new legal framework for data transfers.

This is not the first time the Dutch DPA has imposed a penalty on Uber. In January, the company was fined €10 million for failing to disclose data retention practices and details on data sharing with non-EU countries.

elong