Uber Hit with €290M Fine for Sensitive Driver Data Transfer Violating GDPR
Uber's €290M Fine Explained
In a significant move, the Dutch data protection authority (DPA) has imposed a staggering €290M fine on Uber for unlawfully transferring personal data of European drivers to the United States. The DPA identified this action as a serious violation of the EU's General Data Protection Regulation (GDPR), which mandates stringent safeguards for data stored outside the EU.
Investigation Findings
According to the DPA's investigation, from August 2021 to November 2023, Uber stored sensitive information, including taxi licenses, payment details, and medical records, on US servers without adequate protection measures. This lack of compliance with GDPR not only jeopardized driver privacy but also reflects a broader issue of data handling practices.
Underlying Complaints and Actions
The investigation was sparked by complaints from over 170 French drivers, leading local human rights organization Ligue des droits de l'Homme (LDH) to bring the case before CNIL, France's data protection authority. Consequently, since Uber's European headquarters is located in the Netherlands, the DPA led the formal investigation.
Ongoing Challenges for Uber
This latest fine marks Uber's third penalty from the Dutch authority, signifying ongoing challenges in maintaining GDPR compliance. In 2018, the company was fined €600,000 for failing to report a data breach, and is currently appealing another fine of €10M for earlier privacy violations.
This article was prepared using information from open sources in accordance with the principles of Ethical Policy. The editorial team is not responsible for absolute accuracy, as it relies on data from the sources referenced.