QUICK FACTS
-
Fine Amount: €290,000,000
-
Date: 22 July 2024
-
Primary Violations: GDPR Breaches
- Unlawful transfer of personal data to a third country without appropriate safeguards (Article 44 GDPR)
Overview
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a significant administrative fine of €290 million on Uber Technologies Inc. and Uber B.V..
The penalty addresses violations of Article 44 of the General Data Protection Regulation (GDPR). The AP determined that between August 6, 2021, and November 27, 2023, Uber unlawfully transferred the personal data of its European Union drivers to the United States.
This was done without the appropriate legal safeguards required by Chapter V of the GDPR, such as an adequacy decision or Standard Contractual Clauses (SCCs), thereby failing to ensure the continuity of the high level of data protection afforded under EU law.
Details of the CASE
The AP's investigation identified Uber B.V. (UBV), based in the Netherlands, and Uber Technologies Inc. (UTI), based in the U.S., as joint controllers for the personal data of drivers in the European Economic Area (EEA). The regulator established that Uber was in breach of the GDPR from August 6, 2021 - the date Uber removed SCCs from its internal data sharing agreement - until November 27, 2023, when it certified under the new EU-U.S. Data Privacy Framework.
Uber contended that Chapter V of the GDPR should not apply, arguing that because its U.S. entity (UTI) was already subject to the GDPR under Article 3, the data was sufficiently protected. The AP rejected this, clarifying that Chapter V is complementary to Article 3 and its safeguards are essential to protect data from foreign legal frameworks that could undermine the GDPR.
Uber also argued that the data flows did not constitute a "transfer" (and that the concept of a "transfer" is not clearly defined in the GDPR) because drivers directly entered their information into the U.S.-based platform. The AP dismissed this, identifying UBV as the "exporter" because it establishes the contractual relationship with EEA drivers and defines the terms for data collection, leaving drivers with no alternative but to send their data to UTI's U.S. servers.
Finally, Uber claimed the transfers were permissible under Article 49 GDPR exceptions for contractual necessity. The AP concluded these exceptions were not applicable because the data transfers were systematic, repetitive, and continuous, not "incidental" as required by the regulation. Furthermore, the AP found the transfers were not objectively "necessary," as Uber could have used less intrusive alternatives, such as processing the data on servers within the EU.
SPECIFIC EXAMPLES
Driver App Usage
Personal data from drivers in the EEA, collected through the driver app, was directly stored on UTI's servers in the U.S.. This included not only account and location data but also sensitive information such as identity documents, health data, and criminal records, depending on local requirements.
GDPR Rights Requests
When an EEA driver exercised their GDPR rights (e.g., an access request), a structural exchange of personal data occurred between UBV in the Netherlands and UTI in the U.S.. UBV employees in the EEA would access UTI's U.S.-based systems to handle these requests, resulting in data flowing from the U.S. to the EEA and, in some cases, back to the U.S..
fines and Penalties
The AP imposed a single administrative fine of €290,000,000 on Uber B.V. and Uber Technologies Inc. jointly. The regulator classified the infringement's severity as "high" based on several factors:
- Nature and Duration: The violation was systematic and continued for over two years.
- Scale: A large number of drivers across the EU were affected.
- Data Sensitivity: The transferred data included special category data, such as health and criminal records, which require a higher level of protection.
Key quotes
- "The AP is of the opinion that Uber violated Article 44 of the General Data Protection Regulation (GDPR), because Uber allowed transfers of personal data to take place to the United States while no appropriate safeguards were provided as stipulated in Chapter V of the GDPR."
- "The AP has established that the intended interest of Article 44 GDPR, namely the continuity of the high level of protection of the GDPR in the transfer of personal data to third countries, was not guaranteed by Uber."
Sources:
