Uber has been fined €290 million (£246 million; $324 million) by the Dutch Data Protection Authority (DPA) for unlawfully transferring European drivers’ personal data to US servers, in violation of the EU’s General Data Protection Regulation (GDPR).
News About Nigeria reports that the DPA described these transfers as a “serious violation” of GDPR, noting that Uber failed to adequately protect sensitive driver information, including ID documents, taxi licences, and location data, over a two-year period.
The DPA’s investigation, which was prompted by complaints from over 170 French drivers through a French human rights group, revealed that Uber had collected and transferred a range of sensitive data to its US headquarters.
This included not only identification and location details but also, in some cases, criminal and medical records of drivers.
According to Aleid Wolfsen, chairman of the DPA, Uber did not meet GDPR’s stringent requirements for protecting personal data when transferring it outside the EU, describing the breach as “very serious.”
In response, Uber announced its intention to appeal the fine, arguing that the decision was flawed and the penalty unjustified.
A spokesperson for the company stated that Uber’s data transfer processes were compliant with GDPR during a period of significant legal uncertainty between the EU and the US.
The spokesperson labelled the DPA’s decision as “completely unjustified.”
Under GDPR, businesses operating in multiple EU countries must adhere to data protection regulations where their main office is located, in this case, the
Netherlands, where Uber’s European headquarters are situated.
The fine is the third penalty imposed on Uber by the DPA, following previous fines of €600,000 in 2018 and €10 million last year.
