Uber has been slapped with a €290 million fine by the Dutch Data Protection Authority (DPA) for transferring the personal data of European drivers to its US servers, breaching the European Union’s General Data Protection Regulation (GDPR). The DPA deemed these transfers a "serious violation," noting that Uber failed to adequately protect sensitive driver information, including ID documents, taxi licenses, location data, and even some criminal and medical records.
The data transfers occurred over a two-year period, with Uber sending information to its headquarters in the United States. Although cross-border data transfers to the US are permissible under EU law, they require strict adherence to GDPR regulations, which Uber allegedly did not fulfil. The DPA's investigation was sparked by a complaint from over 170 French drivers, which was brought forward by a French human rights group to the country's data protection watchdog.
Uber has announced its intention to appeal the fine, calling the decision "unjustified." A spokesperson for the company argued that Uber’s data transfer process was compliant with GDPR during what they described as a "3-year period of immense uncertainty" between the EU and US regarding data transfers. The company criticized the DPA's decision as "flawed" and the fine as "extraordinary."
Aleid Wolfsen, the DPA chairman, emphasized the seriousness of the violation, stating that Uber failed to ensure the required level of data protection when transferring it to the US. He highlighted the GDPR’s role in safeguarding the fundamental rights of individuals in Europe, particularly when businesses or governments store personal data outside the EU.
This is not the first time Uber has faced penalties under GDPR. The DPA had previously fined the company €600,000 in 2018 and €10 million last year for other breaches. The latest fine adds to the growing list of penalties imposed by European regulators on tech giants for violations of data protection rules.
.jpg)