Hundreds of millions of euros in fines for Uber for GDPR violations

The Dutch Data Protection Authority has found that ride-hailing platform Uber failed to apply adequate safeguards when transferring the personal data of European drivers to the United States between August 2021 and November 2023. These data transfers were carried out without adequate legal safeguards, in violation of the GDPR.

Uber used Standard Contractual Clauses (SCC) as a primary security tool to transfer personal data of European drivers to the United States.

However, following the annulment of the Privacy Shield mechanism by the Court of Justice of the European Union, Uber should have used the Standard Contractual Clauses (SCC) as the legal basis for data transfers. 

Unfortunately, Uber had not implemented these changes as of August 2021, leading to a situation in which the personal data of European drivers was not covered by adequate protection measures when transferred to the US.

According to the Dutch Data Protection Authority, Uber had been in breach of GDPR regulations for more than two years.

Serious consequences due to inadequate safeguards

The Dutch DPA found that negligence had resulted in the personal data of European drivers, including location data, photos, payment details and sometimes health and criminal records, being insufficiently protected during transfers to the US.

Only at the end of 2023 did Uber begin to use the new Data Privacy Framework mechanism, which is the successor to the Privacy Shield, canceled in 2020.

Why is the penalty imposed so high?

Uber was fined as much as €290 million.

The penalty reflects a serious breach of data protection obligations, particularly in the transfer of data outside the European Union, where the level of data protection was not equivalent to that in Europe.

The fine is one of the highest ever imposed on Uber. It is also one of the largest data breach sanctions in Europe. This underlines the importance of compliance with GDPR requirements by multinational companies operating in the EU market.

Uber has been fined €290 million for improper data transfer from Europe to the US.

Uber’s response and the controversy surrounding the interpretation of the legislation

Uber has announced an appeal of the decision, arguing that its data transfer processes complied with GDPR regulations during a period of high regulatory uncertainty.

The transfer of personal data outside the European Economic Area is a momentous issue from a privacy perspective. The DPA provides several mechanisms that can be used to secure this process, among them standard contractual clauses, binding corporate rules, and basing the transfer on specific consent.

However, this is not the end of the obligations related to safeguarding the legality of transfers. If you would like to know more details about data protection, including on issues related to data transfers outside the EEA, please do not hesitate to contact us. Our law firm has extensive experience in this area and will be happy to assist you.

Author: Alicja Mruczkiewicz, team leader, DKP Legal