€290M GDPR Fine for Uber for Data Privacy Violations: Data Privacy Trends

Hey, for once it’s not Meta! 😉 The Netherlands’ privacy watchdog has hit Uber with a €290M GDPR fine for data privacy violations.

As reported on Legaltech® News, the €290 million General Data Protection Regulation (GDPR) fine is the sixth-largest privacy fine given to a company since the GDPR went into effect in 2018.

According to the Dutch data protection authority, the U.S. ride-hailing company sent European drivers’ data—their photos, payment details, identity documents, as well as criminal and medical data—to its San Francisco headquarters without putting in place a proper legal transfer mechanism.

The bloc’s tough 2018 privacy law requires companies that send personal data across the Atlantic to put in place special measures to ensure that the data stays safe once it leaves the EU. Companies have had to rely on these so-called standard contractual clauses ever since the EU’s top court struck down two successive EU-U.S. data transfer frameworks—the Safe Harbor and the Privacy Shield—over concerns that they did not meet the bloc’s stringent GDPR standards.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe,” the agency’s chair, Aleid Wolfsen, said in a statement. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”

A spokesperson for Uber described both the agency’s investigation and the fine as “completely unjustified.”

“Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S.,” the spokesperson said. “We will appeal and remain confident that common sense will prevail.”

The Dutch privacy authority opened its investigation into Uber’s handling of drivers’ personal data after a group representing 170 French drivers complained to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Act. Because Uber’s European headquarters are in Amsterdam, the Dutch watchdog took up the complaint.

In terms of the top fines of all time, Meta-related entities have three of the top five (first, third and fourth overall), with Amazon (second) and TikTok (fifth) rounding out the top five. With Uber now at number six, that pushes Meta and WhatsApp (a Meta app) down to seventh and eighth in the list, giving Meta-related companies five of the top eight.

I haven’t seen many large data privacy fines lately, so this one stood out to me. Perhaps Uber feels a lot like Nigel Powers right now, who said: “There are only two things I can’t stand in this world: People who are intolerant of other people’s cultures, and the Dutch.” 😀

So, what do you think? Does the €290M GDPR fine for Uber signify that European data protection authorities are beginning to broaden their oversight to other companies besides Meta? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


Discover more from eDiscovery Today by Doug Austin
