Data transfers outside the EU: UBER fined €290 million
On 22 July 2024, in cooperation with the CNIL, the Dutch Data Protection Authority fined UBER B.V. and UBER TECHNOLOGIES INC. €290 million for transferring personal data outside the EU without sufficient guarantees.
UBER includes UBER B.V., a Dutch company based in Amsterdam, and UBER TECHNOLOGIES INC, a US company headquartered in San Francisco. UBER publishes a platform that connects VTC drivers with users.
The CNIL received a collective complaint from the association La Ligue des droits de l'Homme, representing more than 170 UBER drivers. The complaint concerned in particular the information provided to individuals and the transfer of personal data outside the European Union. On 11 December 2023, the Dutch authority imposed a first fine of ten million euros for a number of breaches to inform drivers.
Cooperation with the CNIL throughout the procedure
Under the procedures for cooperation between authorities introduced by the General Data Protection Regulation (GDPR), the Dutch data protection authority was responsible for conducting the investigations in this case, as UBER has its main establishment in the Netherlands.
The CNIL cooperated closely with its counterpart throughout the procedure, at the time of the investigations and the analysis of the evidence obtained, and then when examining the draft decision as part of the one-stop shop procedure.
The infringement of the GDPR
As a result of its investigations, the Dutch Data Protection Authority has found that the processing of drivers' personal data for which UBER B.V. and UBER TECHNOLOGIES INC. are jointly responsible is subject to transfers to the United States. The Dutch authority points out that between 6 August 2021 and 21 November 2023 (the date on which Uber was included on the Data Privacy Framework (DPF) list), these transfers between UBER B.V. and UBER TECHNOLOGIES INC. were not subject to appropriate safeguards. It concludes that there has been a breach of Article 44 of the GDPR. The CNIL has informed the complainants of this decision in accordance with the GDPR.