The Netherlands' privacy regulator has fined Uber €290 million for breaking the EU's General Data Protection Regulation (GDPR). The penalty, which totals around $324 million, derives from the improper transfer of drivers' personal data from the EU to the United States, where Uber's primary operations are located.
The Autoriteit Persoonsgegevens (AP), the Dutch data protection body, headed the inquiry because Uber's main EU office is in the Netherlands. The investigation was launched in response to complaints from over 170 Uber drivers in France in 2021, which were routed through the Ligue des droits de l'Homme (LDH) to the French privacy authorities, who then submitted the case to the AP.
Uber's revenue in 2023 was around €34.5 billion, so the fine was hefty but significantly less than the GDPR's maximum penalty of 4% of global turnover for egregious breaches. This makes the penalty one of the highest imposed on a technology business since the GDPR went into effect in 2018.
The AP found that Uber had failed to protect sensitive data, such as driver account information, taxi licenses, location information, pictures, payment data, identity documents, and even certain criminal and medical histories. Uber transferred this data to its headquarters in the United States without using GDPR-compliant methods for more than two years, leaving it open to unlawful access.
These transfers took place during a period of legal uncertainty between the EU and the US. In July 2020 the EU's top court invalidated the Privacy Shield framework, on which many companies, including Uber, had relied for data transfers, and there was no clear legal mechanism for cross-border data flows until July 2023, when a new deal was established.
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail,” said Uber spokesman Caspar Nixon to TechCrunch.
The Associated Press confirmed that Uber had brought its practices into compliance by the end of last year when it implemented the new data transfer structure. However, the regulator emphasized that enterprises remained responsible for maintaining compliance during the period when no formal agreement was in place.
Uber has joined the list of tech giants, including Meta and Twilio, that have faced data breaches in recent months, underscoring the heightened scrutiny of data protection practices in the digital era.