Uber has received its largest fine to date, with the Dutch Data Protection Authority (DPA) issuing a €290 million ($324 million) penalty to the rideshare company. The regulatory body announced it had issued the fine in response to Uber transferring the personal data of European taxi drivers into the United States without properly safeguarding the information. The complaint came from France, but the case was moved to Holland, where Uber’s EU headquarters are located.
The Dutch DPA found that Uber took account details, taxi licenses, location data, photos, payment details, identity documents and more from European drivers and transferred them to servers at their US headquarters for over two years. During this period, Uber didn’t use any transfer tools, a decision the Dutch DPA has deemed caused insufficient protection. “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said in a statement. “Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The Dutch DPA has fined Uber twice before, first imposing a €600,000 ($670,000) fine in 2018 after the company failed to report a data breach that occurred two years earlier within a 72-hour timeframe. In 2023, the Dutch DPA fined Uber €10 million ($11.2 million) for not fully detailing its data retention periods (regarding information about European drivers) or the non-European countries where it shares data. Uber objected to the latter fine and has made its intentions clear to fight the €290 million.