The Dutch data protection authority has fined Uber €290mn for transferring personal European driver data to the US.
As per DPA, the transfers constituted a violation of the EU’s GDPR, as they failed to provide the required safeguards for data storage outside the control zone
After an in-depth investigation, the DPA found that, between August 2021 and November 2023, Uber was transferring and storing sensitive data to US servers without the additional protection tools required by the GDPR.
The data included taxi licenses, account and payment details, IDs, photos, and even criminal or medical records
The investigation was prompted by a complaint from over 170 French drivers to local human rights organisation Ligue des droits de l’Homme (LDH) and filed a complaint to France’s data protection watchdog CNIL.
According to the GDPR, companies processing data across the EU must answer to a single privacy authority, located in the country where a business has its European headquarters. As Uber’s base is in the Netherlands, the DPA led the probe.
The DPA said that Uber has now stopped the datatransactions. It’s also going to appeal the decision.
This is the third fine the Dutch watchdog imposes on Uber.
- In 2018, the DPA hit the company with €600,000 for failing to notify the agency on time over a data breach in 2016.
- In January this year, Uber is also facing a €10mn fine for violating privacy rules and appealing for it
