The Dutch Data Protection Authority (DPA) has fined Uber 290 million eurosโaround $324 millionโfor allegedly transferring the personal data of European taxi drivers to the United States (U.S.) and failing to safeguard the data regarding these transfers appropriately.
According to the Dutch DPA, these transfers were a โserious violationโ of the European Unionโs General Data Protection Regulation (GDPR). However, the DPA added that Uber ended the violation last year.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” said Aleid Wolfsen, Dutch Data Protection Authority (DPA) chairman, in a statement.
The Dutch data watchdog said Uber collected sensitive information about drivers from Europe, including account details and taxi licenses, location data, photos, payment details, identity documents, and, in some cases, even criminal and medical data.
Further, the taxi-riding company transferred those data to Uber’s headquarters in the U.S. for over two years without using transfer tools because the protection of the data was insufficient.
The DPA initiated the investigation into Uber after more than 170 French drivers complained to the French human rights interest group Ligue des droits de lโHomme (LDH), which then submitted the complaint to the French DPA. Since Uberโs European headquarters is in the Netherlands, the Dutch DPA had to lead the investigation.
To calculate the fines for businesses in Europe, the DPAs charge a maximum of 4% of the business’s worldwide annual turnover. In 2023, Uber had a worldwide turnover of around 34.5 billion euros.
Uber said it planned to appeal the ruling and object to the fine.
โThis flawed decision and extraordinary fine are completely unjustified. Uberโs cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail,โ an Uber spokesperson said in a statement.
This is the third penalty the Dutch DPA has imposed on Uber. In 2018, it finedย Uber 600,000 eurosย for not reporting the data breach to the Dutch DPA and the data subjects in time. Further, in 2023, it was fined โฌ10 million for failing to disclose the complete details of its retention periods for data concerning European drivers or to which countries outside Europe this data was forwarded.