Dutch DPA Fines Uber €290 Million for GDPR Violation in Data Transfers to US

The Data Protection Agency (DPA) of the Netherlands has levied a fine of €290 million against Uber for breaching the EU’s General Data Protection Regulation (GDPR). The investigation, which concluded on Monday, determined that Uber had been transferring personal data of its European taxi drivers to servers in the United States without employing necessary data protection measures. Specifically, Uber did not make use of secure transfer tools such as encryption and pseudonymisation, which are required under GDPR when sending EU data outside of the European Economic Area (EEA).

This significant penalty underscores the importance of complying with GDPR guidelines, even for data transfers to the United States, where special conditions apply. According to the DPA, businesses can transfer data outside of the EU using a Standard Contractual Clause (SCC), but additional measures such as transfer tools must be implemented to maintain EU data protection standards. The DPA’s ruling found that Uber failed to meet these requirements during a span of two years.

The investigation by Dutch authorities came after a complaint from 170 taxi drivers in France; responsibility fell to the Dutch DPA because Uber’s European headquarters is located in the Netherlands. The transferred data included sensitive information such as location data, photos, payment details, identity documents, and even criminal and medical data of drivers.

Under the GDPR, the protection of personal data is established as a fundamental right in the EU. Businesses operating within this jurisdiction are therefore obligated to adhere strictly to data protection regulations or face substantial financial repercussions.

According to the information currently available in the DPA’s announcement, Uber has indicated that it intends to appeal the fine.