Dutch DPA Imposes a Fine on Uber Because of Transfers of Data to the US

Data Protection Law

The European Data Protection Board (“The Board”) published an announcement (“Announcement”) on the Board's official website on 26/08/2024 regarding Uber's data breach.

According to the Announcement;

The Dutch Data Protection Authority (“The Dutch DPA”) started the investigation on Uber after more than 170 French Uber drivers complained to the French human rights interest group the Ligue des droits de l’Homme (“LDH”), which subsequently submitted a complaint to the French SA. The French SA forwarded the complaints to the Dutch DPA, which is the Lead Supervisory Authority for Uber.

The Dutch DPA found that Uber collected, among other things, sensitive information of drivers from Europe and retained it on servers in the US. It concerns account details and taxi licences, but also location data, photos, payment details, identity documents, and even in some cases criminal and medical data of the drivers.


For a period of over two years, Uber transferred those data to Uber's headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient. The Court of Justice of the EU invalidated the Privacy Shield in 2020.

According to the Court, Standard Contractual Clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice. Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected, according to the Dutch SA. Since the end of last year, Uber uses the successor to the Privacy Shield.

The Dutch DPA imposed a fine of 290 million euros on Uber.

You can access the Announcement here.

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr