Uber has been hit with a €290 million ($324 million) fine by the Dutch Data Protection Authority (DPA) for improperly transferring driver data from the European Union to the United States. This penalty marks one of the largest fines imposed under the EU’s General Data Protection Regulation (GDPR) since its establishment.
The DPA accused Uber of failing to “properly safeguard” the personal data of European drivers during its transfers to the US. The data in question included sensitive information such as account details, taxi licences, location data, payment information, identity documents, and in some instances, even criminal and medical records.
According to the DPA, Uber moved the data without utilising adequate transfer tools, leading to insufficient protection during the transfer process. The regulator stated, “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The investigation was initiated after 170 French Uber drivers lodged complaints with a human rights organisation, which then referred the issue to the French DPA. Given that Uber’s European headquarters are based in the Netherlands, the Dutch authority took the lead in the inquiry.
Uber has announced plans to appeal the ruling, with spokesperson Caspar Nixon saying, “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”
The GDPR is legislation enacted by the EU in 2016, with the goal of establishing new guidelines for how organisations handle and share personal information. Since its introduction, EU regulators have utilised this regulation to convey a clear message to major technology firms—the protection of data privacy is important, and that noncompliance will lead to unprecedented fines.
In 2023, the largest fine to date, amounting to €1.2 billion ($1.3 billion), was imposed on Meta for a comparable infraction. The parent company of Facebook was accused of transferring data belonging to EU citizens to the US without adequate safeguards. Other companies that have faced significant penalties include TikTok, WhatsApp (also owned by Meta), and Clearview AI.