Last week the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Uber €290 million for transferring personal data from EU to US servers without adequate safeguards. This is one of the largest fines issued to date under GDPR.
According to the Dutch DPA, Uber collected sensitive information (e.g. account details, taxi licences, location data, photos, identity documents and, in some cases, criminal and medical data) from its EU drivers and stored it on servers in the US for two years without using an appropriate transfer tool. The case arose from 170 complaints by French drivers; although the complaints were French, the Dutch DPA issued the fine because Uber's European headquarters is in the Netherlands.
When did the breach happen?
The two-year period fell between the invalidation of the Privacy Shield and the entry into force of the EU-US Data Privacy Framework. According to the DPA, Uber stopped using Standard Contractual Clauses (SCCs) in August 2021, so for the rest of that period the DPA found that EU drivers' data was transferred to the US without adequate protection. Now that the Data Privacy Framework is in force, there is no ongoing breach.
How could it have been avoided?
Uber could have continued to use Standard Contractual Clauses, together with a transfer risk assessment, as the legal basis for transferring personal data to the US throughout the period.
What does this mean for others?
This case shows how much weight the regulators put on having a valid transfer mechanism and a documented risk assessment in place. Uber intends to appeal the fine, and the outcome of that appeal will be of interest to many businesses. The 2020 ruling of the Court of Justice of the EU that invalidated Privacy Shield (Schrems II) left a great deal of legal uncertainty over how to continue data flows that were already in place, and there was very limited guidance in the period that followed. It then took until 2023, three years, for the Data Privacy Framework to be established. Many companies will have been slow to build Standard Contractual Clauses into their contracts, or failed to do so altogether, and will be concerned that a fine of this size can be imposed for conduct during that period.
Victoria Tuffill – 2nd September 2024
If you have any questions or concerns about data protection, please call 01787 277742 or email dc@datacompliant.co.uk
Data Compliant International
International data protection consultants and DPOs.
22 Friars Street, Sudbury, Suffolk, CO10 2AA