Tuesday, 6 May 2025

Netherlands fines Uber €290m for driver data breach

The Dutch data protection authority announced on Monday that it had imposed a fine of €290 million on Uber, the leading taxi service company, for transferring insufficiently protected data about its European drivers to the United States.

According to Sky News, the Dutch regulatory authority found Uber, whose European headquarters are in the Netherlands, guilty of “seriously violating the European Union’s General Data Protection Regulation” (GDPR).

The head of the Dutch regulatory authority, Aleid Wolfsen, said in a statement that “Uber did not guarantee its drivers the level of protection provided for by the General Data Protection Regulation in terms of data transfer to the United States.”

The Dutch authority noted that Uber collected sensitive information about European drivers, including taxi licenses, geolocation data, photos, payment details, identity documents, and “in some cases even criminal and medical data of drivers.”

The authority said that “the company transferred this data to Uber’s headquarters in the United States for more than two years, without using a secure transfer tool.”

It pointed out that “as a result, the protection of personal data was not sufficient.”

Uber intends to appeal the fine. “This biased decision and this completely extraordinary fine are completely unjustified,” a spokeswoman for the company said in a statement.

“Uber’s cross-border transfer of private data was compliant with the General Data Protection Regulation during the three-year period marked by enormous uncertainty between the European Union and the United States,” the spokeswoman added.

“We will appeal the decision and remain confident that common sense will prevail,” she added.

The European Union has set a series of rules for big tech companies, and has imposed large fines on them in recent years.

The Dutch regulator opened an investigation into Uber after a complaint in France from more than 170 drivers. The investigation was conducted in cooperation with the National Commission for Information Technologies and Liberties (CNIL).

Under the General Data Protection Regulation, a company that processes data in several EU countries is subject to the data protection authority of the country where its head office is located.

“In Europe, the General Data Protection Regulation protects people’s fundamental rights by requiring companies and governments to handle personal data with care,” said Aleid Wolfsen.

“Unfortunately, this is not a given outside Europe. It is important to note that governments can exploit data on a large scale,” he added.

“That is why companies are generally required to take additional measures when storing Europeans’ personal data outside the EU.”

Uber has stopped this violation, according to the Dutch regulator.

This is the third fine the Dutch regulator has imposed on Uber. In 2018, it fined Uber €600,000, and in 2023 it imposed a €10 million fine. Uber has appealed this latest fine.
