Uber head office in Netherlands shared drivers' data with foreign law enforcement

The Uber headquarters in the Netherlands shared drivers’ personal data with foreign law enforcement agencies that requested it, including those of non-European countries. The company states on its website that it now only shares data with European law enforcement. It is unclear when it stopped sending drivers’ names, photos, income, and other information outside Europe, Trouw, the Financieele Dagblad, and Investico report based on leaked documents.

Last week, the Dutch Data Protection Authority fined Uber 290 million euros for storing European driver data on its own servers in the United States. The leaked documents show that Uber shares this data not only within its organization but also with third parties.

According to the investigative journalists, Uber shared drivers’ data to get on good terms with authorities in other countries. The company even has a separate helpdesk site where foreign officials can submit a request for information about a driver.

For example, in 2018, the Colombian government asked for data on a Colombian driver. Uber responded by sending the government a list of all rides, personal data, and income for this driver, leaked documents in the hands of journalist collective OCCRP show.

Another leak, the 2022 Uber Files, which are in the hands of the collective ICIJ, shows that Uber used data sharing as a strategy to gain the authorities’ trust. “It was a strategy to get governments on our side,” said Mark MacGann, the former head of Uber’s European policy and communications department and the whistleblower who leaked the Uber Files. The company came up with that strategy after its Dutch headquarters were raided several times by the judiciary and transport inspectorate around 2014 and 2015. “We wanted to show that we were ‘great’ for Europe,” MacGann said.

Uber told the Dutch media that its public safety response team, which handles information requests, works with law enforcement agencies to solve crimes. The team “assesses and responds to each request in accordance with its privacy policy and applicable laws and regulations.” It no longer shares data with law enforcement agencies outside Europe, Uber said.

But the fact that it happened at all is in conflict with European privacy laws, ICT and privacy lawyer Dafne de Boer told Trouw. Companies established in Europe may only share personal data within the EU or with countries that have similar data protection requirements.

Uber also bypasses the Dutch authorities by sharing information with other countries without their knowledge, Geert-Jan Knoops, a lawyer at the International Criminal Court, told the newspaper. “As a company, you should never simply transfer information about citizens to other states on your own initiative,” Knoops said. “After all, how can a company test whether there is a solid criminal suspicion and whether there are sufficient guarantees that the rights of citizens are protected?”