Uber has been fined €290 million ($324 million) by the Dutch Data Protection Authority (DPA) for improperly transferring European driver data to the United States without adequate safeguards. This is the largest fine the rideshare company has faced to date.
Dutch DPA Details Uber’s Data Privacy Violations
The penalty comes after an investigation revealed that Uber transferred personal information, including account details, taxi licenses, location data, photos, payment details, identity documents, and other sensitive data, to its U.S. servers over a period of more than two years without using proper “transfer tools,” thus failing to meet the EU’s General Data Protection Regulation (GDPR) standards.
The issue originated from a complaint filed by 170 French Uber drivers to a human rights organization, which was subsequently transferred to the Dutch DPA since Uber’s European headquarters are based in the Netherlands. The Dutch DPA’s investigation concluded that Uber did not adequately safeguard this personal data, violating GDPR requirements that mandate businesses to handle personal data with due care, particularly when transferring such data outside of Europe.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the seriousness of Uber’s failure to protect personal data, stating that GDPR regulations are designed to uphold fundamental rights by ensuring data protection standards are met.
Uber Faces Repeated Fines for Data Privacy Breaches
This isn’t Uber’s first run-in with the Dutch DPA over data privacy issues. In 2018, the company was fined €600,000 ($670,000) for failing to report a data breach within the required 72-hour period. More recently, in 2023, Uber was fined €10 million ($11.2 million) for not adequately disclosing its data retention policies and the non-European countries where it shares driver information.
Despite the DPA’s latest statement that Uber has resolved the violations, Uber has expressed its intention to appeal the €290 million fine in a statement to The Verge.
The case against Uber is part of a broader pattern of strict enforcement of the GDPR by the European Union against major tech companies. In 2021, Amazon faced an $886 million fine for non-compliance with GDPR, while Meta was fined $1.3 billion for improperly transferring data to the United States.
Featured Image courtesy of MOZCO Mateusz Szymanski/Getty Images
Follow us for the latest news on Uber’s GDPR challenges and legal appeals.