Uber Hit with £246 Million Fine for Mishandling European Driver Data

Uber has been fined €290 million (£246 million; $324 million) for improperly transferring the personal data of European drivers to its US servers, a violation of EU regulations, the Dutch Data Protection Authority (DPA) announced on Monday.

The DPA described the data transfers as a “serious violation” of the EU’s General Data Protection Regulation (GDPR). The transfers, which occurred over a two-year period, involved sensitive information such as ID documents, taxi licenses, and location data being sent to Uber’s headquarters in the United States.

In response, Uber has stated its intention to appeal the fine, labeling it as “unjustified.” An Uber spokesperson argued, “Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US.” The company also criticized the decision as flawed and claimed the fine was excessive.

Although the GDPR permits data transfers to the US under certain conditions, there is ongoing ambiguity regarding when these transfers can occur without requiring additional authorization. According to Aleid Wolfsen, chairman of the DPA, Uber failed to meet the GDPR’s standards for ensuring adequate protection of data when transferring it to the US.

“This is very serious,” Wolfsen remarked, emphasizing that Uber did not implement the necessary safeguards for the data it collected. The DPA’s investigation began after over 170 French drivers lodged complaints with a French human rights organization, which subsequently reported the issue to France’s data protection authority.

The GDPR mandates that businesses processing data across multiple EU countries must engage with the data protection authority located in the country where their main office is based. For Uber, this authority is the Dutch Data Protection Authority, due to its European headquarters being located in the Netherlands.

Wolfsen underscored the importance of GDPR in protecting the fundamental rights of individuals. He noted that while governments can access data on a large scale, businesses are required to take extra measures when storing personal data of EU citizens outside the EU.

This fine is the third imposed on Uber by the DPA, following previous penalties of €600,000 (£508,000) in 2018 and €10 million (£8.5 million) last year. The EU has recently ramped up regulatory measures against major tech companies, with substantial fines for data protection breaches becoming increasingly common. Last year, for example, Irish regulators imposed a €345 million (£296 million) fine on TikTok for violations related to children’s privacy under GDPR rules.

Uber’s significant fine highlights the stringent enforcement of GDPR regulations and the importance of ensuring robust data protection measures, especially for companies handling sensitive personal information across international borders.