UBER: Dutch data protection authority imposes €10 million fine

31 January 2024

On December 11th 2023, in cooperation with the CNIL, the Dutch data protection authority fined Uber B.V. and Uber Technologies Inc. 10 million euros for several breaches relating to driver information.

Uber is a company that operates a platform connecting chauffeur-driven cars (VTCs) with users.

The CNIL has received a collective complaint from the association La Ligue des droits de l'Homme, representing more than 170 drivers on the Uber platform, concerning the difficulties encountered in exercising their rights.

Cooperation with the CNIL throughout the procedure

Under the procedures for cooperation between authorities introduced by the General Data Protection Regulation (GDPR), it was the Dutch data protection authority that was competent to conduct the investigations in this case, as Uber has its main establishment in the Netherlands.

The CNIL cooperated closely with its counterpart throughout the procedure, as part of the checks and analysis of the evidence obtained, and then when examining the draft decision as part of the one-stop shop procedure.

The breaches identified

Following its investigations, the Dutch Data Protection Authority found that Uber B.V. and Uber Technologies (jointly responsible) had failed to fulfil their obligations:

  • by failing to provide the data requested under the right of access in an accessible format and by providing drivers, in English, with information about the processing operations carried out on their data;
  • by not making the online form for exercising rights within the application used by drivers sufficiently accessible;
  • by providing incomplete information in their privacy statement about data transfers outside the European Union, as well as overly general information about data retention periods;
  • by not explicitly mentioning the right to data portability in their privacy statement.

The CNIL has informed the complainants of this decision in accordance with the provisions of the GDPR.

This decision reaffirms the importance of the obligation to provide transparent information and the need to ensure that the rights of data subjects are respected.