The Dutch Data Protection Authority has imposed a €290 million fine on Uber for allegedly violating data protection regulations. The U.S.-based ride-hailing company is accused of transferring the personal data of its European drivers to the United States without adequate safeguards. Uber has called the decision flawed and unjustified, stating that it plans to appeal.
According to the data protection authority, Uber collected sensitive information about its drivers in Europe, including location data, photos, payroll records, identification documents, and, in some cases, details about criminal offenses or health conditions. For two years, this data was transferred to the U.S. without sufficient protection. Uber has since rectified the violation.
Uber Disputes the Decision
The investigation by the Dutch Data Protection Authority was prompted by complaints from more than 170 Uber drivers in France. The complaints focused on data transfers conducted by Uber between August 2021 and November 2023. This period coincides with the suspension of the data protection agreement between the EU and the U.S. following European court rulings. Uber argued that the decision was therefore incorrect.
Aleid Wolfsen, the head of the Dutch Data Protection Authority, emphasized that the GDPR requires companies and governments in Europe to handle personal data with care. “Unfortunately,” he said, “this is not taken for granted outside Europe. Think of governments that can tap into data on a large scale. That’s why companies are required to take additional measures when storing Europeans’ data outside of Europe.”