Technology · 2024
Uber Technologies Inc.
Uber transferred personal data of European drivers — including location data, photos, payment details, and taxi licence information — to the US without adequate GDPR Chapter V transfer safeguards after the Privacy Shield invalidation. The Dutch AP, acting as lead supervisory authority following complaints filed by the French drivers' rights association LLLM, found that Uber's Standard Contractual Clauses were not correctly implemented in practice and that no supplementary measures addressed US government surveillance risks. This remains the largest ever GDPR fine for unlawful international data transfers.
Fine Imposed: €290M
Regulation: Algemene Verordening Gegevensbescherming (Dutch GDPR Implementation)
Max fine: €20M or 4% of global annual turnover (Tier 2); €10M or 2% (Tier 1)
Status: active
Key Takeaways
- Post-Schrems II, SCCs alone are insufficient — organisations must conduct a Transfer Impact Assessment and implement supplementary measures; improper implementation of SCCs can result in nine-figure fines.