Uber has been slapped with a €290 million (£246 million; $324 million) fine by the Dutch Data Protection Authority (DPA) for unlawfully transferring European drivers’ personal data to US servers, a violation of EU General Data Protection Regulation (GDPR) rules.
The DPA described the transfers as a “serious violation” due to inadequate protection of driver information.
The DPA’s investigation revealed that Uber transferred sensitive data—including ID documents, taxi licenses, and location information—to its US headquarters over a two-year period.
Aleid Wolfsen, Chairman of the DPA, criticized Uber for failing to meet GDPR requirements and ensure adequate protection of the data during cross-border transfers.
Uber has announced its intention to appeal the fine, calling it “unjustified.”
An Uber spokesperson argued that “Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US” and labeled the fine as “completely unjustified.”
While EU law permits data transfers to the US, such transfers must comply with strict conditions to ensure data protection.
The DPA noted that Uber not only failed to meet these requirements but also inadequately safeguarded sensitive data, including criminal and medical information of drivers.
The investigation was prompted by complaints from over 170 French drivers, leading to a complaint filed with France’s data protection authority.
Under GDPR, businesses processing data across multiple EU countries must address issues with the data protection authority of their main office, which in Uber’s case is located in the Netherlands.
The fine marks the DPA’s third penalty against Uber, following previous fines of €600,000 (£508,000) in 2018 and €10 million (£8.5 million) last year.
The EU has increasingly targeted big tech firms with significant fines for regulatory breaches, including a €345 million (£296 million) fine against TikTok last year for violating children’s privacy under GDPR.
Source-BBC
