Uber fined $324M over EU driver data transfer breach


Ride-hailing platform Uber has been fined €290 million — around $324 million at current exchange rates — by the Netherlands’ privacy watchdog for breaching the European Union’s General Data Protection Regulation (GDPR).

The penalty is related to transfers of personal data of drivers out of the European Union to the US, where Uber’s main business is located. The GDPR allows for fines of up to 4% of global annual turnover to be levied for non-compliance.

Uber’s full year revenue for 2023 was around €34.5 billion — so the level of sanction is well below that maximum. However, it is still a notable amount as it’s among the largest penalties levied on a tech company since the GDPR began operating back in 2018.

The fine is the outcome of a series of complaints made by more than 170 Uber drivers in France back in 2021. The Dutch regulator, the Autoriteit Persoonsgegevens (or AP), leads on GDPR oversight of Uber as the company has its main EU establishment in the country. It investigated complaints over how the company processes the drivers’ personal data. Complaints were submitted through a human rights organization, Ligue des droits de l’Homme (LDH), to France’s privacy watchdog and then passed to the AP.

In January, Uber was fined €10 million for data access rights pertaining to the same complaints. But the new fine announced Monday dwarfs the earlier penalty — landing it a new spot on the list of tech giants stung with the ten biggest GDPR fines, just below mid-table.

The size of the penalty reflects the seriousness of the breach, per the AP, which wrote in a press release that Uber had failed to “appropriately safeguard” data which it transferred out of the EU — dubbing that “a serious violation”.

The data safeguarding problem relates to US national security intelligence agency surveillance programs which — in the wake of the 2013 disclosures by NSA whistleblower Edward Snowden — courts in Europe have repeatedly found to pose a risk to the data protection and privacy rights of EU people. This is an issue because GDPR protections are supposed to travel with Europeans’ data.

US tech giants, which are responsible for driving much of the EU-US data flows, have essentially been caught in the middle of this clash for years. Business models that rely on data mining (and therefore access to personal data in the clear) are also particularly exposed to the privacy legal risk.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe,” wrote Dutch DPA chairman Aleid Wolfsen in a statement. “Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”

The complaints against Uber were made during a period when there was no high level data transfer framework agreed between the EU and the US. In July 2020 the bloc’s top court struck down a mechanism known as Privacy Shield that the company, and thousands of others, had been relying on for authorizing their data exports.

A new EU-US data transfer deal was not agreed and adopted until July 2023 — meaning there was a period of three years with high legal uncertainty around data exports.

Digital companies have been particularly exposed over this period, given the data-driven nature of their businesses. And Uber is not the only tech giant to have been stung: Meta was hit with a record-breaking GDPR penalty of €1.2BN back in May 2023 over the same core issue. Several DPAs also warned against use of Google Analytics.

In Uber’s case the Dutch DPA said the data it collected and exported included “sensitive” driver information, including account details, taxi licences, location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.

“For a period of over 2 years, Uber transferred those data to Uber’s headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient,” it wrote.

Uber is not happy about the penalty. It denies any non-compliance and has vowed to file an appeal against the enforcement in court.

Uber spokesman Caspar Nixon emailed TechCrunch a statement in which the company writes: “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”

The company claims it sought guidance from the AP during the period where there was no high level EU-US data transfer deal but says the regulator did not provide it with any clarity that there were problems with its processes.

The AP suggests Uber has been in compliance since the end of last year when it started to use the successor to Privacy Shield. Uber claims the processes that are now considered compliant under this new data transfer framework are the same ones it used before. So, basically, its argument is that the legal goalposts have moved.

However, during the period when there was no high level EU-US transfer deal, the bloc’s privacy regulators warned companies they were responsible for ensuring any data exports complied with the rules.

European Data Protection Board guidance from this period provided information on additional measures the data supervisor said companies may need to apply to raise the level of protection on data exports and ensure their data flows were GDPR compliant — such as switching to data localization or applying forms of ‘zero access’ encryption that mean exported data cannot be accessed.

Uber’s spokesman could not immediately confirm whether it applied any such additional measures during the period.




Lisa Holden