by Sarah Pearce and Ashley Webber
On August 26, 2024, the Dutch Data Protection Authority (the “Dutch DPA”), as lead supervisory authority, announced that it had imposed a fine of 290 million euros ($324 million) on Uber. The fine related to violations of the international transfer requirements under the EU General Data Protection Regulation (the “GDPR”).
The Dutch DPA launched an investigation into Uber following complaints from more than 170 French Uber drivers to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Authority (the “CNIL”). The CNIL then forwarded the complaints to the Dutch DPA as lead supervisory authority for Uber.
Through the investigation, the Dutch DPA found that Uber collected personal data, including sensitive data, from drivers in Europe and retained such data in the U.S. The personal data included account details and taxi licenses, and in some instances, location data, photos, payment details, identity documents, and criminal and medical data of the drivers. It was found that for a period of more than two years, Uber transferred such data to its U.S. headquarters without using transfer tools, such as the Standard Contractual Clauses, as required by Chapter V of the GDPR.
Sarah Pearce is a Partner and Ashley Webber is an Associate at Hunton Andrews Kurth LLP. This post first appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).