UBER FINED A RECORD 290 MILLION EURO FOR GDPR VIOLATION: A LESSON IN CROSS-BORDER DATA GOVERNANCE

On 26/8/2024, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens – DPA) fined Uber Technologies Inc. and Uber B.V. 290 million euros (equivalent to approximately 324 million USD) for seriously violating regulations on transferring personal data from the European Union (EU) to the United States without ensuring appropriate protective measures under the GDPR. This is considered the largest fine ever imposed by the DPA on a technology business in Europe.

The investigation began after over 170 Uber drivers in France and a human rights organization filed complaints with the French data protection authority (CNIL). Since Uber has its European headquarters in the Netherlands, the CNIL transferred the case to the DPA for investigation.

The DPA determined that Uber had collected and processed various types of sensitive data from European drivers—including professional licenses, location data, photos, payment information, identification documents, and in some cases, even health data—and then transferred this data to servers in the US for over 27 months without using appropriate protective measures such as Standard Contractual Clauses (SCCs) or other supplementary measures under Chapter V of the GDPR. This was considered a serious violation of Article 44 of the GDPR, which governs cross-border data transfers.

The context of this penalty was also significantly influenced by the 2020 Schrems II ruling of the Court of Justice of the European Union (CJEU), which invalidated the EU-U.S. Privacy Shield agreement because the level of data protection in the U.S. was deemed not equivalent to EU standards. Businesses transferring data to the U.S. after this ruling were forced to use SCCs along with supplementary measures to ensure an equivalent level of protection as required by the GDPR.

Uber has opposed the DPA’s decision, calling it a “wrong decision”, and has announced that it will appeal. The company argued that during the nearly three-year period of “legal uncertainty” between the EU and the U.S. following Schrems II, clear guidelines on cross-border data transfers were lacking, and that during that time Uber still complied with the GDPR.

This is not an isolated case in the EU: previously, Meta (Facebook) had been fined a record 1.3 billion USD by the Irish Data Protection Commission for a similar violation related to data transfers to the U.S.; and several other companies were also penalized by data protection authorities in Sweden for using web analytics services without ensuring data protection.

The Dutch penalty decision is not only one of the largest GDPR fines but also sends a strong message about enforcing cross-border data protection principles. Personal data, especially when transferred to another country, must be protected at a level no lower than EU standards, even when processed by multinational corporations based outside Europe. The lack of technical and organizational measures to protect sensitive data such as location, identification documents, or financial information can lead to significant legal risks.
