Uber fined €290 million for transferring European data to US servers


Dutch and French privacy regulators have slapped a €290 million ($324 million) fine on Uber for infringing on EU data protection law.

The massive sanction was imposed for “transferring personal data outside the EU without sufficient guarantees.”

The Dutch Data Protection Authority (DPA) issued the fine in cooperation with the French data protection agency CNIL. Two companies, Uber and Uber Technologies, were found to be jointly responsible.

The sum amounts to “a maximum of 4% of the worldwide annual turnover of a business.”

According to DPA, Uber had a worldwide turnover of around €34.5 billion in 2023.

“Uber has indicated its intent to object to the fine,” a press release reads.

The DPA found that Uber transferred European taxi drivers’ data to the US without sufficient protection, which is “a serious violation of the General Data Protection Regulation (GDPR).”

The French watchdog previously received a collective complaint regarding the use of data from the association La Ligue des droits de l'Homme, representing more than 170 Uber drivers.

Authorities have found that for over two years, Uber collected sensitive information from Europe, transferred the data without using proper transfer tools, and retained it on servers in the US.

The data included drivers’ account details, licenses, location data, photos, payment details, identity documents, and in some cases, even criminal and medical data of drivers. Companies in Europe are required to provide a valid basis for transferring the data and are only allowed to do so if an equivalent level of protection can be guaranteed.

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen says. “But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale.”

According to Bloomberg, the $324 million fine is the largest ever issued by the DPA.

This is Uber's second fine issued due to drivers’ complaints. On 11th December 2023, the DPA authority imposed a first fine of €10 million for failing to provide accessible information to Uber drivers and other breaches. Those included inadequate online forms, incomplete privacy statements, incomplete information in Uber’s privacy statement about data transfers outside the EU, and the right to data portability.

Uber was also fined €600,000 in 2018 for failing to protect customers' and drivers' personal data from unauthorized access. The cybersecurity incident affected 57 million Uber users worldwide.