“In Europe, the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care,” says AP chairman Aleid Wolfsen. But outside Europe, that is unfortunately not self-evident. Think of governments that can tap data on a large scale.”
“That’s why companies are usually required to take additional measures when they store personal data of Europeans outside the European Union. Uber has not guaranteed the level of protection required by the GDPR for drivers for the transfer of data to the US. That is very serious.”
Sensitive data
Uber collected sensitive information from drivers in Europe and stored it on servers in the US. This includes account details and taxi licenses, but also location data, photos, payment details, IDs and in some cases even Criminal data is data relating to criminal convictions and offences. Or to security measures related to them.
” tabindex=”0″ class=”inline-wordlist-item”>criminal data in Data about someone’s health are special personal data, because they are very privacy-sensitive.
” tabindex=”0″ class=”inline-wordlist-item”>medical data of drivers.
Uber transferred that data to Uber’s headquarters in the US for over 2 years without using a transfer tool. As a result, the protection of personal data was not good enough.
The Court of Justice of the EU declared the EU-US Privacy Shield invalid in 2020. According to the Court, model contracts could still be a valid Organizations may only process personal data if they have a good reason to do so. The legal term for this is ‘grounds’. The GDPR lists 6 possible grounds foundations.
” tabindex=”0″ class=”inline-wordlist-item”>grondslag provide for the transfer of data to countries outside the EU. But only if an equivalent level of protection could be guaranteed in practice.
Because Uber stopped using a model contract in August 2021, the data of drivers from the EU was insufficiently protected, according to the AP. Uber has been using the successor to the Privacy Shield since the end of last year.
Complaints from drivers
The AP launched an investigation into Uber after more than 170 French drivers filed a complaint with the Ligue des droits de l’Homme (LDH), a French human rights advocacy group. LDH then filed a complaint with the French privacy watchdog.
The GDPR stipulates that companies that process data in different EU countries have to deal with one privacy supervisor: the one in the country where the company is established. Uber’s European headquarters are in the Netherlands. During the investigation, the AP worked closely with the French regulator and the fine decision was coordinated with other European supervisors.
Fine for Uber
All privacy regulators in Europe calculate the amount of fines for companies in the same way. These fines amount to a maximum of 4% of a company’s global annual turnover. Uber had a global turnover of around 34.5 billion euros in 2023. Uber has announced that it will appeal the fine.
This is the third fine imposed by the AP on Uber. In 2018, the AP imposed a fine of 600,000 euros on Uber and in 2023 a fine of 10 million euros. Uber has appealed against the latter fine.
