Uber Fined €290 Million for Transferring Driver Data to US
Dutch Data Protection Authority (DPA) fined Uber €290 million for transferring the personal data of European drivers to U.S. servers, violating EU regulations. The DPA classified these transfers as a serious infringement of the General Data Protection Regulation (GDPR), stating that Uber did not adequately protect driver information. Over a two-year period, sensitive data, including ID documents, taxi licenses, and location data, was transferred to the company’s headquarters in the United States.
In response to the fine, Uber announced plans to appeal, claiming the penalty is unjustified. An Uber spokesperson stated that the company’s cross-border data transfer practices were compliant with GDPR during a challenging period of uncertainty between the EU and the U.S. The spokesperson further criticized the decision as flawed and the fine as excessive, asserting that the company had acted in good faith.
The DPA highlighted that Uber failed to meet the GDPR requirements necessary to ensure adequate protection for data transferred to the U.S. The chairman of the DPA, Aleid Wolfsen, emphasized the seriousness of the violation and noted that Uber did not implement appropriate safeguards for the sensitive data it collected, which included not only taxi licenses and location data but also payment details and, in some cases, criminal and medical information.
The investigation was initiated after over 170 French drivers filed complaints with a human rights group, which subsequently alerted France’s data protection authority. Under GDPR guidelines, businesses processing data in multiple EU countries must coordinate with the data protection authority where their main office is located, which in Uber’s case is in the Netherlands. The DPA’s fine against Uber marks its third penalty, following previous fines in 2018 and 2023, reflecting the increasing scrutiny and enforcement of data protection regulations in the EU.
