Uber Fined 290 Million Euros by Dutch DPA for Data Protection Violations

The Dutch Data Protection Authority (DPA) has dealt a heavy blow to ride-hailing giant Uber, imposing a staggering fine of 290 million euros for its failure to adequately protect the personal data of European taxi drivers. This marks the third time the Dutch DPA has taken action against Uber, with previous fines of 10 million euros in 2023 and 600,000 euros in 2018.

The DPA found that Uber had collected and transferred sensitive information of European drivers to its headquarters in the United States without using the necessary data transfer tools to ensure compliance with the EU’s General Data Protection Regulation (GDPR). This included account details, taxi licenses, location data, photos, payment details, identity documents, and even criminal and medical records.

Dutch DPA chairman Aleid Wolfsen emphasized the importance of protecting personal data, stating, “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care.” He highlighted the seriousness of Uber’s failure to meet GDPR requirements for data protection during transfers to the US.

The investigation into Uber’s data practices was initiated following complaints from over 170 French drivers, leading to a coordinated effort between the French and Dutch DPAs. The fine, amounting to 4% of Uber’s worldwide annual turnover in 2023, is the largest penalty imposed by the Dutch DPA on the company.

Uber has expressed its intention to challenge the fine, continuing a pattern of contesting previous penalties. The case is now awaiting further developments as Uber faces the consequences of its data protection violations.