Dutch Regulator Fines Uber €290M for Illegal Data Transfers
The ride-sharing giant systematically moved driver data to the U.S. without required safeguards for over two years
Quick Facts
The Dutch Data Protection Authority (DPA) fined Uber Technologies, Inc. and Uber B.V. a combined €290 million on August 26, 2024, for violations of the EU General Data Protection Regulation (GDPR). The enforcement action centers on Uber's systematic transfer of sensitive personal data belonging to European Economic Area (EEA)-based drivers to the United States without implementing legally required safeguards.
The violations span a 27-month period beginning in July 2020, when the European Court of Justice invalidated the EU-U.S. Privacy Shield framework through its Schrems II ruling. During this window, Uber removed Standard Contractual Clauses—critical legal mechanisms designed to protect data in transit—from driver agreements while continuing to transfer information to U.S. servers.
The data transferred included highly sensitive information: driver account details, real-time location data, identity documents, criminal records, and medical records. The scale and sensitivity of the dataset, combined with the systematic and repetitive nature of the transfers over more than two years, prompted the DPA to issue a substantial fine while remaining below the statutory maximum penalty available under GDPR.
The investigation originated with complaints filed by drivers with the French data protection authority. The case was subsequently transferred to the Dutch DPA, which has jurisdiction because Uber maintains its European headquarters in the Netherlands. Rather than treat the transfers as isolated incidents, regulators classified them as a pattern of deliberate non-compliance following a landmark court decision that explicitly required companies to implement stronger data protection measures.
Uber has announced its intention to appeal the decision. The company's response underscores ongoing tension in tech industry operations: major platforms often rely on cross-border data flows to operate their global services, yet European regulators have increasingly demanded explicit legal justification and active safeguards for such transfers—especially following the collapse of the Privacy Shield framework.
