Netherlands: Uber Heavily Fined for Violating EU's General Data Protection Regulation

On July 22, 2024, the Dutch Data Protection Authority (DPA) (Autoriteit Persoonsgegevens, AP) imposed a fine of 290 million euros (about US$324 million) on Uber for violating the European Union’s (EU’s) General Data Protection Regulation (GDPR). The DPA found Uber transferred sensitive personal data of European taxi drivers to the United States and failed to appropriately safeguard the data regarding these transfers.

This is the third time Uber has been fined by the Dutch DPA. It was fined 600,000 euros in 2018 and 10 million euros in 2023. The current fine represents one of the largest imposed under the GDPR to date by a national data protection authority, the largest being a 1.2 billion euro fine imposed on Meta in 2023 by the Irish DPA.

Background and Applicable Law

The GDPR took effect May 25, 2018, and is directly applicable in all EU member states. It covers the processing of all personal data, irrespective of the means of transmission. Controllers processing personal data must comply with the principles in the GDPR, such as the need for a proper legal basis for the processing. (GDPR, arts. 5, 6.)

Personal data may be transferred to a third country outside the EU if the European Commission (Commission) has decided that the third country’s law provides an adequate level of data protection comparable to one within the EU (“adequacy decision”). (Arts. 44, 45.) In the absence of an adequacy decision, data may be transferred if the data controller or processor provides appropriate safeguards, such as data transfers according to binding corporate rules or standard data protection clauses (SCCs) adopted by the Commission, and data subjects are afforded enforceable rights and effective legal remedies. (Art. 46.)

National supervisory authorities may fine businesses that violate these principles. The GDPR sets the maximum amount for fines; it is up to the national authorities to determine an amount that is “effective, proportionate and dissuasive.” (Art. 83, para. 1.) There are two tiers of fines, depending on the nature of the breach. One tier provides for fines as much as 10 million euros (about US$12.1 million), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The other tier provides for fines up to 20 million euros (about US$24.1 million) or up to 4% of the total worldwide annual turnover, whichever is higher. (Art. 83, paras. 4, 5.)

Facts

In 2021, the Dutch DPA informed Uber it was investigating 172 complaints from French Uber drivers. (DPA Decision, paras. 3, 4.) Uber BV, which represents Uber in the European Economic Area (EEA), is headquartered in the Netherlands. (Paras. 60, 64.) It has a centralized IT infrastructure, but its servers are located in the U.S. and the personal data of Uber drivers in the EEA are processed in the U.S. (Para. 16.) For transfers of personal data to the U.S., Uber used SCCs, as there was no adequacy decision in place. (Para. 42.) A 2016 Commission adequacy decision on the U.S. was declared invalid by the Court of Justice of the European Union on July 16, 2020, when the court found U.S. data protection law fell short of EU standards.

In 2021, Uber decided that no SCCs were required for the processing of personal data of EU drivers in the U.S., because it considered Uber Technologies Incorporated (UTI) in the U.S. and Uber BV to be joint controllers and therefore no “transfer” took place. It did not implement any other safeguards, such as binding corporate rules. On July 10, 2023, the Commission adopted a new EU-US adequacy decision, and Uber certified itself under this new framework on November 27. (Paras. 43-45.)

Decision

The Dutch DPA fined Uber for transferring personal data to the U.S. from August 6, 2021, to November 27, 2023, without providing appropriate safeguards in violation of article 44 of the GDPR, which sets out the general principles of data transfers to third countries.

The DPA determined that to exclude the transfer of personal data between joint controllers, such as UTI and Uber BV, from the GDPR provisions governing international transfers would undermine or circumvent the high level of protection of the GDPR. (Para. 82.) Exceptions codified in article 49 are only applicable to occasional transfers that do not take place within a stable relationship or to those that are “necessary.” The DPA found that the transfers in this case were “systematic, repetitive, and continuous” and not necessary, meaning objectively indispensable, for the performance of a contract. (Paras. 121-133.)

The DPA rejected Uber’s challenge to its fine calculation. The GDPR only sets a maximum amount and authorizes the national authorities to determine what is appropriate. The DPA explained that it based its decision on guidelines issued by the European Data Protection Board (EDPB). It determined that there was an international transfer of personal data without a valid transfer instrument. This infringement of article 44 of the GDPR falls under the second tier of fines, meaning for undertakings such as Uber, a maximum fine of up to 4% of the total worldwide annual turnover may be imposed. (Art. 83, paras. 4, 5.) In 2023, Uber had a worldwide turnover of 34.5 billion euros (about US$38.2 billion), meaning the maximum fine for the infringement is 1.369 billion euros (about US$1.507 billion). To calculate the fine, the DPA considered the severity (high), the considerable duration of the violation (two years and three months), and the categories of personal data transferred (sensitive). According to the EDPB Guidelines, for infringements with a high level of seriousness, the starting amount should be set between 20% and 100% of the maximum fine. The DPA therefore determined that a fine of 290 million euros would be appropriate, as well as effective and dissuasive. (Paras. 136-175.)

Jenny Gesley, Foreign Law Specialist
September 12, 2024

Rights & Access

Publications of the Library of Congress are works of the United States Government as defined in the United States Code 17 U.S.C. §105 and therefore are not subject to copyright and are free to use and reuse. The Library of Congress has no objection to the international use and reuse of Library U.S. Government works on loc.gov. These works are also available for worldwide use and reuse under CC0 1.0 Universal.


Credit Line: Law Library of Congress

Cite This Item

Citations are generated automatically from bibliographic data as a convenience, and may not be complete or accurate.

Chicago citation style:

Gesley, Jenny. Netherlands: Uber Heavily Fined for Violating EU's General Data Protection Regulation. 2024. Web Page. https://www.loc.gov/item/global-legal-monitor/2024-09-12/netherlands-uber-heavily-fined-for-violating-eus-general-data-protection-regulation/.
