Dutch Data Protection Authority Fines Uber for Storing Personal Data in U.S. Without Required Protections

Written by Achieved Compliance

On August 26, 2024, the Dutch Data Protection Authority (the “Dutch DPA”) announced that it had imposed a fine of 290 million euros ($324 million) on Uber for its failure to fulfil international transfer requirements established by the EU General Data Protection Regulation (the “GDPR”). In imposing the fine, the DPA sent a clear message to companies moving data from the EU to the U.S.: Authorities will bring actions against organizations that do not implement Standard Contractual Clauses and Binding Corporate Rules when required by law.

The case involved more than 170 French Uber drivers who complained to the French human rights advocacy group the Ligue des droits de l’Homme that Uber was storing their personal data in the United States. The Ligue then submitted a complaint to the French data protection authority (the “CNIL”), which forwarded the complaints to the Dutch DPA as the lead supervisory authority for Uber.

In its investigation, the Dutch DPA found that Uber collected, among other things, sensitive data about drivers from Europe and retained it on servers in the U.S. The data included account details, taxi licenses, location data, photos, payment details, identity documents, and, in some cases, drivers’ criminal and medical data.

For over two years, Uber transferred the data noted in the complaint to Uber's U.S. headquarters without implementing necessary transfer mechanisms, such as Standard Contractual Clauses (SCCs). Because the U.S. has not been deemed by the European Data Protection Board to adequately protect data, Chapter V of the General Data Protection Regulation requires that these data transfer arrangements be put in place when data is transferred to the U.S. Because Uber no longer used SCCs beginning in August 2021, the Dutch DPA found that the drivers’ data was not sufficiently protected. It should be noted that the EU had invalidated the EU-U.S. Privacy Shield in 2020. As of the end of 2023, Uber participates in its successor, the EU-U.S. Privacy Framework, bringing itself back into compliance.
