Dutch Agency Hits Uber With Near-Record $324 Million GDPR Fine

The Netherlands’ privacy watchdog has imposed a €290 million (US$324 million) General Data Protection Regulation (GDPR) fine on Uber, one of the largest privacy fines to date.

According to the Dutch data protection authority, the U.S. ride-hailing company sent European drivers’ data—their photos, payment details, identity documents, as well as criminal and medical data—to its San Francisco headquarters without putting in place a proper legal transfer mechanism.

The bloc’s tough 2018 privacy law requires companies that send personal data across the Atlantic to put in place special measures to ensure that the data stays safe once it leaves the European Union (EU). Companies have had to rely on these so-called standard contractual clauses ever since the EU’s top court struck down two successive EU–U.S. data transfer frameworks—the Safe Harbour and the Privacy Shield—over concerns that they did not meet the bloc’s stringent GDPR standards.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe,” the agency’s chair, Aleid Wolfsen, said in a statement. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the U.S. That is very serious.”

The €290 million fine, imposed on Monday, is the sixth-largest fine given to a company since the privacy law went into effect in 2018.

A spokesperson for Uber did not respond to a request for comment by the time of publication.

The Dutch privacy authority opened its investigation into Uber’s handling of drivers’ personal data after a group representing 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Act. Because Uber’s European headquarters are in Amsterdam, the Dutch watchdog took up the complaint.

The U.S. tech company was previously fined €600,000 by the agency over privacy violations in 2018 and €10 million last year.

From: Corporate Counsel