Uber has received its largest fine to date, with the Dutch Data Protection Authority (DPA) issuing a €290 million ($324 million) fine against the ride-sharing company. The regulator announced that it had imposed the fine in response to Uber transferring the personal data of European taxi drivers to the United States without adequately safeguarding the information. The complaint came from France, but the case was transferred to the Netherlands, where Uber's EU headquarters are located.
The Dutch DPA found that Uber collected account data, taxi licences, location data, photos, payment data, ID documents and other data from European drivers and transferred them to servers at its US headquarters for more than two years. During this period, Uber did not use any transfer tools, a decision that the Dutch DPA found left the data insufficiently protected. “In Europe, the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with due care,” Dutch DPA President Aleid Wolfsen said in a statement. “Uber has not met the GDPR requirements to ensure the level of data protection when it comes to transfers to the US. That is very serious.”
The Dutch DPA has fined Uber twice before, first imposing a fine of 600,000 euros ($670,000) in 2018 after the company failed to report, within 72 hours, a data breach that had occurred two years earlier. In 2023, the Dutch DPA fined Uber 10 million euros ($11.2 million) for failing to fully detail its data retention periods (regarding information on European drivers) or the non-European countries with which it shares data. Uber has contested this latest fine and has made clear its intention to fight the €290 million fine.