Uber to appeal Dutch DPA fine of €290m on data transfers to US
Uber will contest the Netherlands’ Data Protection Authority’s (DPA) decision and fine of €290 million relating to Uber’s transfer of personal data of European taxi drivers to the United States.
Uber’s spokesperson said: “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”
According to the DPA, the company failed to appropriately safeguard the data in transfers that took place in the period between the invalidation of the EU-US Privacy Shield in 2020 and Uber's reliance on its successor, the Data Privacy Framework, from the end of 2023. Uber no longer used Standard Contractual Clauses (SCCs) from August 2021, and the transfers were therefore in breach of GDPR Article 44 (data transfers), the DPA says.
In the data sharing agreement between Uber BV (UBV, Netherlands) and its parent Uber Technologies Incorporated (UTI, US), both are defined as joint controllers. Referring to the updated SCCs of the European Commission, Uber told the DPA: “In light of this, Uber revisited its joint controller agreement to delete the SCCs, and to clarify joint controller responsibilities. Therefore, Uber has adopted a new version of its joint controller agreement, in which the new regulatory requirements and relationship between UTI and UBV are reflected.”
Uber says that its data transfers to the US remained compliant with the GDPR at all times, and that it did not have to make any changes to its data transfer processes in order to certify under the EU-US Data Privacy Framework in 2023.
The case, which was brought by 170 French Uber drivers via a human rights interest group, was dealt with by the One-Stop-Shop procedure with the Netherlands as the lead DPA (Uber has its European headquarters in the Netherlands). During the investigation, the Dutch DPA closely cooperated with France’s DPA, the CNIL.