Uber Fined EUR 290M for Transferring Driver Data to US
The Dutch Data Protection Authority imposed a EUR 290 million fine on Uber in August 2024 for transferring European driver personal data to the United States for over two years without a valid transfer mechanism under GDPR Chapter V. Following the Schrems II invalidation of the EU-US Privacy Shield in July 2020, Uber continued transferring sensitive driver data--including identity documents, location data, and criminal records--using a standard questionnaire rather than implementing proper Standard Contractual Clauses.
01
KEY FACTS
- .What: Uber transferred EU driver data to the US without valid GDPR mechanisms.
- .Who: All EEA Uber drivers over a two-year period post-Schrems II.
- .Data Exposed: Identity documents, GPS location data, criminal records, and financials.
- .Outcome: Dutch DPA fined Uber EUR 290M; appeal filed by Uber.
02
SOURCES
Dutch DPA Decision, CJEU Schrems II ruling, GDPR Chapter V, EDPB Recommendations 01/2020