UPDATED 15:29 EDT / AUGUST 26 2024

Netherlands fines Uber €290M for breaching EU’s GDPR privacy regulation

The Netherlands’ privacy watchdog today issued a fine of €290 million, or about $324 million, to Uber Technologies Inc. over its data management practices.

The decision relates to a regulatory framework called the EU-US Privacy Shield that was struck down by a court in 2020.

Uber, like many other U.S. tech firms, transfers information it collects about international users to stateside data centers. In July 2020, the European Union’s top court struck down the framework over concerns about U.S. surveillance.

Following the ruling, companies had to use a legal tool known as Standard Contractual Clauses, or SCCs, if they wished to transfer user data to the U.S. SCCs can only be used if certain conditions are met. Notably, tech firms must ensure that consumers will receive the same level of privacy as in the EU once their data leaves the bloc. 

Uber opted not to use SCCs, yet continued streaming user data to servers in the U.S. Today’s fine was issued over that practice. In particular, the Dutch Data Protection Authority took issue with the way Uber moved information about the drivers who find passengers through its ride-hailing app.

Privacy officials found that Uber had transferred drivers’ identity documents, taxi licenses, photos and location data to servers in the U.S. In some cases, the company also moved drivers’ criminal and medical information. Officials have determined that those data transfers breached the EU’s GDPR privacy regulation. 

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” said Aleid Wolfsen, the chair of the Dutch Data Protection Authority. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US.”

Last July, three years after the EU’s top court struck down the EU-US Privacy Shield, a new transatlantic data transfer framework went into effect. Uber started using the new framework in late 2023. As a result, the company can now transfer certain user data to U.S. servers without breaching the GDPR.

Today’s fine is the second Uber has received from the Dutch Data Protection Authority since the start of the year. Previously, the watchdog issued a €10 million penalty to the company in January. Privacy officials determined that Uber had made it unnecessarily difficult for drivers to find out what data the company collects about them. 
