Uber Faces €290M Fine for GDPR Violation Over Data Transfer to US
Uber has been slapped with a massive €290 million fine by the Dutch Data Protection Authority (DPA) for violating the European Union’s General Data Protection Regulation (GDPR). The fine comes after it was discovered that Uber had unlawfully transferred the personal data of its European drivers to servers in the United States over a two-year period, failing to protect the information as required by EU law.
The DPA described these data transfers as a „serious violation“ of GDPR, emphasizing that Uber did not take the necessary steps to ensure the protection of sensitive driver information, such as ID documents, taxi licenses, location data, payment details, and even criminal and medical records. These actions were flagged after a complaint was filed by over 170 French drivers, which prompted an investigation by France’s data protection watchdog.
Uber, however, has pushed back against the fine, announcing plans to appeal the decision. The company argues that its data transfer practices during a period of legal uncertainty between the EU and the US were compliant with GDPR. An Uber spokesperson stated that the fine and the decision were “completely unjustified.”
This is not the first time Uber has been fined by the DPA for GDPR violations. Previous fines include €600,000 in 2018 and €10 million last year. The case also highlights the broader trend of the EU’s stringent enforcement of data protection rules, with significant penalties being levied against major tech firms. For instance, last year TikTok was fined €345 million by Irish regulators for violating children’s privacy under GDPR.