The Dutch Data Protection Authority (DPA) has imposed a record fine of €290 million ($324 million) on Uber for transferring personal data of European taxi drivers to the United States without adequate protection, violating the EU’s General Data Protection Regulation (GDPR). This is the largest fine Uber has received globally and the highest ever issued by the DPA.According to the DPA, Uber collected sensitive information from European drivers, including account details, taxi licenses, location data, photos, payment information, and in some cases, even criminal and medical records. The company stored this data on servers in the US and transferred it to their headquarters for over two years without using proper data transfer instruments, leaving the information insufficiently protected.Aleid Wolfsen, chairman of the DPA, stated, “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious”. The investigation was triggered by a complaint from over 170 French drivers to a human rights organization, which was then passed on to the Dutch authority as Uber’s European headquarters is located in the Netherlands.Uber plans to appeal the decision, with spokesperson Caspar Nixon calling it “completely unjustified”. The company claims its cross-border data transfer process was compliant with GDPR during a three-year period of “immense uncertainty” between the EU and the US regarding data protection regulations.This is the third fine imposed on Uber by the Dutch DPA in recent years, following a €600,000 fine in 2018 for a data breach and a €10 million fine in January 2024 for violating privacy rules. The case highlights the ongoing challenges tech companies face in navigating international data protection laws, especially in the context of transatlantic data transfers.
Key points
- Uber fined €290 million by Dutch DPA for transferring European drivers’ data to US without adequate protection.
- The fine is the largest ever received by Uber globally and the highest issued by the Dutch DPA.
- Uber plans to appeal the decision, claiming GDPR compliance during a period of regulatory uncertainty.
Contradictions👾Uber claims compliance with GDPR during the data transfers, while the Dutch DPA asserts that Uber failed to meet GDPR requirements.
