The Personal Data Authority (AP) is fining Uber 290 million euros. The AP found that Uber transferred personal data of European cab drivers to the United States (US) and that in doing so Uber did not adequately protect the data. According to the AP, this is a serious violation of the General Data Protection Regulation (AVG). Uber has since ended the violation.
"In Europe, the AVG protects people's fundamental rights by requiring companies and governments to handle personal data with care," says AP Chairman Aleid Wolfsen. But outside Europe this is unfortunately not self-evident. Think of governments that can intercept data on a large scale."
"Therefore, companies are usually required to take additional measures when storing personal data of Europeans outside the European Union. Uber did not ensure the level of protection for drivers required in the AVG for the transfer of data to the US. This is very serious."
Among other things, Uber collected sensitive information from drivers in Europe and stored it on servers in the US. This included account information and cab licenses, as well as location data, photos, payment information, IDs and, in some cases, even criminal and medical records of drivers.
For more than 2 years, Uber transmitted that data to Uber's U.S. headquarters without using a transfer instrument. As a result, the protection of personal data was not good enough.
The Court of Justice of the EU has approved the EU-US Privacy Shield was declared invalid in 2020. According to the Court, model contracts could still provide a valid basis for data transfers to countries outside the EU. But only if an equivalent level of protection could be guaranteed in practice.
Because Uber did not use a model contract as of August 2021, the data of EU drivers was not sufficiently protected, according to the AP. Uber has been using the successor to the Privacy Shield.
The AP has launched an investigation into Uber after more than 170 French drivers filed a complaint with the Ligue des droits de l'Homme (LDH), a French human rights advocacy organization. LDH then filed a complaint with the French privacy regulator.
The AVG regulates that companies processing data in different EU countries, have to deal with one privacy regulator: that in the country where the company is headquartered. Uber's European headquarters is in the Netherlands. During the investigation, the AP worked closely with the French regulator and coordinated the fine decision with other European regulators.
All privacy regulators in Europe calculate in the same way the amount of fines for companies. Those fines are up to 4% of a company's annual global turnover. Uber had global sales of about €34.5 billion in 2023. Uber has announced it will appeal the fine.
This is the third fine imposed by the AP on Uber. In 2018, the AP imposed a fine of 600,000 euros and in 2023 a fine of 10 million euros. Uber objected to the latter fine.
