The Dutch Data Protection Authority (DPA) has imposed a record €290 million ($324 million) fine on Uber for allegedly failing to adhere to European Union (E.U.) data protection regulations when transferring sensitive driver data to the United States.
“The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (U.S.) and failed to appropriately safeguard the data with regard to these transfers,” the agency stated.
The DPA considers this a “serious” violation of the General Data Protection Regulation (GDPR). In response, Uber has discontinued the practice.
Uber reportedly collected and stored sensitive driver information, including account details, taxi licenses, location data, photos, payment information, and identity documents, on U.S.-based servers for over two years. In some cases, this data also included criminal and medical records. The DPA accused Uber of carrying out these transfers without an appropriate transfer mechanism in place, particularly after the E.U. invalidated the E.U.-U.S. Privacy Shield in 2020. A replacement framework, the E.U.-U.S. Data Privacy Framework, was introduced in July 2023.
“Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the E.U. were insufficiently protected, according to the Dutch DPA,” the agency noted. “Since the end of last year, Uber has used the successor to the Privacy Shield.”
In a statement to Bloomberg, Uber described the fine as “completely unjustified” and expressed its intention to challenge the decision. The company maintained that its cross-border data transfer processes complied with GDPR.
Earlier this year, the DPA also fined Uber €10 million for not fully disclosing the details of its data retention policies regarding European drivers and the non-European countries with which it shared data.
“Uber had made it unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data,” the DPA stated in January 2024. “Additionally, they did not specify in their privacy terms how long Uber retains drivers’ personal data or the specific security measures used when transferring this information to entities outside the [European Economic Area].”
This case is not an isolated one: U.S. companies have previously faced scrutiny from E.U. data protection authorities over inadequate protection of E.U. personal data transferred to the U.S., driven by concerns about potential exposure to U.S. surveillance programs.
In 2022, Austrian and French regulators ruled that the transatlantic transfer of Google Analytics data violated the GDPR.
“Think of governments that can tap data on a large scale,” said DPA chairman Aleid Wolfsen. “That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”