DECISION SUMMARY
What happened
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the AP) adopted a decision on 22 July 2024, announced on 26 August 2024, imposing a €290 million administrative fine on Uber. The AP found that Uber had transferred the personal data of EU and EEA-based drivers to servers in the United States for around two years without the appropriate safeguards that Chapter V of the GDPR requires for transfers to a third country. The AP acted as lead supervisory authority because Uber's European headquarters are in the Netherlands.
The case began when more than 170 French Uber drivers complained to the French human-rights organisation Ligue des droits de l'Homme (LDH), which escalated the complaint to the French CNIL. Because Uber's main EU establishment is Dutch, the matter was handled through the one-stop-shop mechanism with the AP as lead authority and the CNIL among the concerned authorities. The AP's inquiry focused on the period after August 2021, during which Uber had ceased relying on Standard Contractual Clauses and, until late 2023, had no adequate replacement mechanism in place.
What the AP found
The decision concerned Chapter V of the GDPR, which governs transfers of personal data to third countries. Article 44 sets out the general principle that any such transfer may only take place if the controller complies with the Chapter V conditions, so that the level of protection guaranteed by the GDPR is not undermined. Article 46 requires that, in the absence of an adequacy decision under Article 45, the controller provides appropriate safeguards, such as Standard Contractual Clauses or binding corporate rules, together with enforceable data-subject rights and effective remedies.
The AP found that Uber met none of these conditions for the relevant period. After the Court of Justice invalidated the EU-US Privacy Shield in its July 2020 Schrems II judgment, a US transfer needed SCCs supported by supplementary measures, or another valid basis. Uber stopped using SCCs from August 2021 and did not put an adequate alternative in place, so the transfers of driver data to the United States lacked any valid Chapter V mechanism. The data transferred was extensive and sensitive: account details, taxi licences, location data, photos, payment details and identity documents, and in some cases criminal-record and medical data. Storing that data on US infrastructure without safeguards exposed it to the very access risks Schrems II had identified.
Why the fine was this size
Infringements of the Chapter V transfer rules fall within the upper tier of Article 83(5), capped at €20 million or 4% of total worldwide annual turnover, whichever is higher. Uber Technologies reported group revenue well above €30 billion, so the 4% ceiling sat far above €290 million; the fine reflects the AP's Article 83(2) assessment rather than the cap. The AP weighed the duration of the infringement (around two years), the very large number of affected drivers, and the sensitive categories of data involved as aggravating factors. The €290 million amount made this one of the largest transfer-related fines issued under the GDPR, in the same Chapter V family as Meta's €1.2 billion fine, though on a different factual footing: Meta relied on SCCs that were found substantively inadequate, whereas Uber had no transfer mechanism at all for the relevant period.
Resolution and status
By the time of the decision, Uber had ended the violation: from late 2023 it relied on the EU-US Data Privacy Framework, the successor to Privacy Shield, which the European Commission declared adequate in July 2023. The fine therefore addressed historical transfers rather than ongoing conduct. Uber publicly disputed the decision and indicated it would object and, if necessary, appeal through the Dutch courts, so the fine's formal status remains subject to challenge.
What this decision tells controllers
The Uber fine is the clearest warning yet that having no transfer mechanism is even more dangerous than relying on a weak one. Controllers must maintain a continuous, valid Chapter V basis for every transfer to a third country: an adequacy decision (such as the EU-US Data Privacy Framework for certified US recipients), Standard Contractual Clauses with a documented transfer-impact assessment and supplementary measures, or binding corporate rules. A gap, even a temporary one created by retiring an old mechanism before a new one is in place, exposes the controller to upper-tier liability. The sensitivity of the data (location, identity documents, criminal and health data here) directly drives the size of the fine, so transfer governance should be tightest exactly where the data is most sensitive.