Uber Hit with €290 Million GDPR Fine by Dutch DPA
Uber, the renowned ride-hailing service provider, was recently hit with a record-breaking fine of €290 million by the Dutch privacy regulator for failing to comply with EU regulations by transferring driver data collected in Europe to the United States for storage.
The Dutch Data Protection Authority, one of the EU’s primary privacy regulators, conducted an investigation and discovered that Uber had collected European driver information, including taxi licenses, location data, photographs, payment details, and identification documents. In some cases, the data also included criminal and medical records.
Contrary to regulatory requirements, this data was not stored on servers within the EU but was instead unlawfully transferred to servers in the United States, a clear violation of the General Data Protection Regulation (GDPR).
Under GDPR, any company collecting data on EU citizens must store it on servers within the EU and is prohibited from transferring it elsewhere, including to the United States. Previously, Microsoft and Meta were both warned by the EU for issues related to data transfers.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care“, Dutch DPA chairman Aleid Wolfsen says. “But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The Dutch Data Protection Authority found that Uber had been sending various sensitive data to its headquarters in the United States for over two years, without employing privacy-protecting data transfer tools, meaning the data was not adequately safeguarded.
Although Uber ceased transferring sensitive data to the U.S. following last year’s investigation, the Dutch Data Protection Authority still imposed the fine in accordance with EU law, leading to the €290 million penalty.
The reason the Dutch regulator is responsible is that Uber’s EU headquarters is located in the Netherlands. However, this investigation and penalty were actually the result of a joint effort between Dutch and French regulators. The initial complaint was lodged by a privacy alliance and drivers based in France and given Uber’s headquarters situation, France announced its collaboration with the Dutch regulator.
Uber, however, has pushed back against the violation and fine, arguing that the ruling and the penalty are entirely unreasonable, primarily due to the ongoing dispute over cross-border data transfers between the EU and the United States.
It was only last year that the EU adopted a new data privacy framework to resolve this dispute. Before that, both the EU and the U.S. had amended relevant provisions, allowing companies to transfer data without needing to sign complex agreements. Based on these circumstances, Uber has announced plans to appeal the decision.
