Uber Fined €290 Million For Data Privacy Violations

Uber was hit with a €290 million fine today ($324 million) by the Dutch Data Protection Authority (DPA) for unlawfully transferring the personal data of European drivers to the United States, violating European Union (EU) regulations.

This penalty comes as an enforcement of the General Data Protection Regulation (GDPR), which aims to protect the privacy of individuals within the EU.

In the press release, the DPA states that Uber’s actions constitute a “serious violation” of the GDPR, as the company failed to adequately safeguard the sensitive information of its European drivers.

It’s reported that the data transferred included ID documents, taxi licenses, location data, payment details, and in some cases, even criminal and medical records.

In its press release, the DPA noted that Uber transferred this data to its U.S. headquarters over a period of more than two years without implementing the necessary safeguards. This lack of protection occurred despite the EU’s Court of Justice invalidating the EU-U.S. Privacy Shield in 2020.

The press release also says that while Standard Contractual Clauses were suggested as a valid alternative for transferring data outside the EU, these clauses require that an equivalent level of data protection is ensured in practice, which the DPA asserts Uber failed to achieve.

Uber, however, strongly disagrees with the ruling. “This flawed decision and extraordinary fine are completely unjustified,” Uber spokesperson Caspar Nixon told Reuters in an email.

Nixon argued that Uber’s data transfer processes were compliant with GDPR during a challenging three-year period of legal uncertainty between the EU and the U.S. He also indicated that the company plans to appeal the decision, expressing confidence that “common sense will prevail.”

Others in the industry have criticized the fine. “The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” says Alexandre Roure, head of policy for the Computer and Communications Industry Association in a (CCIA) statement.

Roure also expresses concern over the fine, noting that “retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty.”

The investigation that led to this fine began after a French human rights organization filed a complaint on behalf of over 170 taxi drivers. As Uber’s European headquarters are based in the Netherlands, the case was transferred to the Dutch DPA.

This is not the first time Uber has faced penalties from the DPA, which previously imposed fines of €600,000 in 2018 and €10 million in 2023 for other GDPR violations.