The Dutch Data Protection Authority (DPA) fined Uber Technologies for violating the European Union’s provisions and regulations on data transfers. According to the DPA’s investigation, the company transferred data from its drivers to servers located in the United States without taking adequate precautions.
Uber was slapped with a large fine of €290 million (approximately $324 million), the largest the company has ever received. It highlights the challenges that US-based companies face now that the EU-US Privacy Shield is no longer active.
The Dutch DPA’s investigation revealed that Uber had been collecting sensitive information from European drivers and storing it on these US-based servers for over two years.
This practice violated the General Data Protection Regulation (GDPR), which requires businesses to handle personal data with due care and implement additional security measures when transferring data outside the EU.
Uber Transferred Data to US Servers Without Proper Safeguards
The data that Uber regularly collected and stored from its drivers included account details, taxi licenses, location data, photos, payment details, identity documents, and in some cases, even criminal and medical data.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the seriousness of the violation, stating: “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
A European Union court effectively invalidated the EU-US Privacy Shield in 2020, which had previously provided a framework for transatlantic data transfers. While Standard Contractual Clauses could still be relied on to provide a legal basis for data transfers outside the EU, these operations can only be done if the company can ensure that similar safeguards are in place.
The DPA claims that Uber did not use the Standard Contractual Clauses until the end of 2023, meaning that data from its drivers was unprotected for at least two years.
A group of French drivers initiated a complaint against Uber (UBER) in 2021 and argued that the company had unsafe data-transfer practices. The group, called the Ligue des droits de l’Homme (LDH), ultimately submitted the case to the Dutch DPA as Uber’s headquarters are in the Netherlands.
The Dutch and French DPAs worked side by side to investigate the matter and ultimately found that Uber breached the economic bloc’s rules.
Uber Claims the Fine is “Completely Unjustified”
The €290 million fine represents a significant financial blow to Uber. While the company reported a worldwide turnover of around €34.5 billion in 2023, the fine still amounts to a substantial sum that will assuredly impact its bottom line.
Uber stock dropped by 2.3% yesterday after news of the fine started to circulate and is dropping another 0.5% today in pre-market action.
Beyond the immediate financial impact, the fine and its associated negative publicity could have long-lasting reputational consequences for Uber. The company’s data practices may come under increased scrutiny from both regulators and users in other jurisdictions and could result in additional investigations into Uber.
Uber has indicated its intent to object to the fine. Caspar Nixon, a spokesperson for the company, said: “This flawed decision and extraordinary fine are completely unjustified.” The company maintains that its cross-border data transfer process complied with GDPR during what it describes as a “3-year period of immense uncertainty between the EU and U.S.”
Surprisingly, this is not the first time (or even the second) Uber has faced fines for data protection violations in the Netherlands. The Dutch DPA previously imposed a €600,000 fine on the ride-hailing company in 2018 and another €10 million fine in 2023.
Uber has objected to the latter fine. The December 2023 investigation found that Uber did not respond to data requests from its drivers quickly enough and provided incomplete information in its privacy disclosures about how its data was handled and transferred to the US.
Industry reactions to the fine have been mixed. Alexandre Roure, head of policy for the tech industry association CCIA, which includes Uber as a member, criticized the decision by stating: “The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows.”
The CCIA argues that retroactive fines create legal uncertainty for anything that happened online between 2020 and 2023, from video conferencing to the processing of online payments.
The Dutch DPA’s Retroactive Decision Set a Dangerous Legal Precedent
Other companies may have been spooked by this huge fine as data-sharing between U.S. and EU-based companies has been an issue in the past few years after the economic bloc dismantled the EU-US Privacy Shield.
European and American companies were “left without any clear guidelines for transatlantic data flows” for nearly three years, according to a statement in support of Uber from the Computer & Communications Industry Association (CCIA Europe).
Although a new standard called the EU-US Data Privacy Framework has already been approved to provide clarity to companies on this matter, this retroactive measure is establishing a legal precedent that authorities can tap into to fine other businesses for breaching data privacy laws.
As digital technologies continue to advance and data becomes an increasingly valuable commodity, striking the right balance between innovation and privacy protection remains a critical challenge for businesses and regulators around the world.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the importance of data protection, stating: “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe.”
Data Protection Remains an Issue of Debate Globally
This case raises questions about the responsibilities of global tech companies in safeguarding user data across borders and the challenges that they face in complying with different and sometimes conflicting regulatory frameworks.
One of the key issues highlighted by the Uber v. Dutch DPA case is the tension between the need for global data flows in an increasingly interconnected world and the imperative to protect individual privacy rights.
As businesses rely more heavily on data-driven technologies and services, the ability to transfer and process data across borders becomes crucial for their operations. However, this must be balanced against the rights of individuals to have their personal information protected, regardless of whether it is stored locally or transferred overseas.