Dutch Data Protection Authority (DPA) imposed a significant fine of $324 million on Uber for violating the European Union’s General Data Protection Regulation (GDPR). The fine was levied due to Uber's improper transfer of sensitive personal data belonging to its European drivers to servers in the United States without ensuring the required level of protection.
The DPA found that Uber failed to employ adequate tools and measures while transferring data, including drivers' location data, identity documents, payment details, and, in some cases, criminal and medical records. This breach of GDPR occurred over a period of more than two years, during which Uber transferred this data from Europe to its U.S.-based headquarters.
The investigation was prompted by a complaint from more than 170 French Uber drivers, leading to the involvement of France's data protection watchdog and subsequent action by the Dutch authority, as Uber’s European headquarters are based in the Netherlands.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the seriousness of the breach, noting that GDPR mandates stringent protections for the personal data of EU citizens, especially when such data is transferred outside the EU. Wolfsen highlighted that Uber’s failure to meet these standards posed significant risks, particularly given the potential for large-scale government access to data stored in the U.S.
Uber, however, disputes the DPA’s findings, arguing that its data transfer practices were compliant with GDPR during a period of legal uncertainty between the EU and the U.S. The company labeled the fine as "flawed" and "unjustified," and has announced its intention to appeal the decision.
This $324 million fine marks the third and largest penalty issued by the Dutch DPA against Uber, following previous fines of $670,485 in 2018 and $11.17 million in 2023. The case underscores the EU’s ongoing commitment to enforcing GDPR regulations and holding major tech companies accountable for data protection violations.
The DPA found that Uber failed to employ adequate tools and measures while transferring data, including drivers' location data, identity documents, payment details, and, in some cases, criminal and medical records. This breach of GDPR occurred over a period of more than two years, during which Uber transferred this data from Europe to its U.S.-based headquarters.
The investigation was prompted by a complaint from more than 170 French Uber drivers, leading to the involvement of France's data protection watchdog and subsequent action by the Dutch authority, as Uber’s European headquarters are based in the Netherlands.
Aleid Wolfsen, chairman of the Dutch DPA, emphasized the seriousness of the breach, noting that GDPR mandates stringent protections for the personal data of EU citizens, especially when such data is transferred outside the EU. Wolfsen highlighted that Uber’s failure to meet these standards posed significant risks, particularly given the potential for large-scale government access to data stored in the U.S.
Uber, however, disputes the DPA’s findings, arguing that its data transfer practices were compliant with GDPR during a period of legal uncertainty between the EU and the U.S. The company labeled the fine as "flawed" and "unjustified," and has announced its intention to appeal the decision.
This $324 million fine marks the third and largest penalty issued by the Dutch DPA against Uber, following previous fines of $670,485 in 2018 and $11.17 million in 2023. The case underscores the EU’s ongoing commitment to enforcing GDPR regulations and holding major tech companies accountable for data protection violations.