Uber Slapped with £246m Fine for Driver Data Transfer Breach
Ride-hailing giant Uber has been fined a hefty â¬290 million (£246 million; $324 million) by the Dutch data protection regulator for transferring the personal data of European drivers to US servers in violation of EU rules.
The Dutch Data Protection Authority (DPA) declared the data transfers a "serious violation" of the EU's General Data Protection Regulation (GDPR). The watchdog concluded that Uber failed to adequately protect driver information during the transfer process, citing a breach of GDPR requirements.
The DPA investigation revealed that sensitive data, including identity documents, taxi licences, location data, and payment details, was transferred to Uber's US headquarters over a two-year period. In some instances, this even included criminal and medical data.
The DPA launched its investigation after over 170 French drivers lodged complaints with a French human rights group, which subsequently filed a complaint with France's data protection authority. Under GDPR regulations, companies that process data across multiple EU countries are mandated to address data protection matters through the authority where their main office is located. Uber's European headquarters are based in the Netherlands.
Uber has announced its intention to appeal the fine, deeming it "unjustified". A spokesperson for the company stated that Uber's cross-border data transfer process was compliant with GDPR during a period marked by "immense uncertainty" between the EU and US.
However, the DPA Chairman, Aleid Wolfsen, asserted that Uber failed to meet GDPR requirements for safeguarding data transferred to the US, stating that this constitutes a "very serious" matter. He further highlighted that the company's failure to adequately protect the data was an additional concern.
Wolfsen underscored the importance of the GDPR in safeguarding the fundamental rights of individuals by compelling businesses and governments to handle personal data with due care. He emphasized the crucial role of data protection, particularly when handling personal data of Europeans stored outside the European Union.
This is the third fine levied against Uber by the DPA, following previous penalties of â¬600,000 (£508,000) in 2018 and â¬10m (£8.5m) last year.
This incident underscores the growing trend of EU regulators imposing hefty fines on tech giants for breaches of data protection regulations. In a similar case last year, Irish regulators fined TikTok â¬345m (£296m) for violating children's privacy under GDPR rules.
