Uber Technologies Inc., Uber B.V.

Summary

The Dutch DPA has imposed a fine of EUR 290 million on Uber for transferring personal data of European drivers to the USA without sufficient privacy safeguards. The DPA launched an investigation after 170 French drivers filed complaints with the "Ligue des droits de l'Homme". The DPA's investigation revealed that Uber had stored sensitive personal data—such as location information, payment details, identity documents, and health data—on US servers without adequate safeguards for over two years. Since the European Court of Justice declared the EU-US Privacy Shield invalid, the transfer of personal data to the USA is only permitted under certain conditions that must ensure a level of protection for personal data that is equivalent to the level of protection within the EU. However, Uber had not used sufficient safeguards such as the so-called "standard contractual clauses" since August 2021, which meant that the personal data of drivers from the EU was inadequately protected. Only at the end of 2023 did Uber begin to apply the successor to the Privacy Shield, the EU-US Data Privacy Framework, to secure the transfer of data to the USA.