Dutch watchdog fines Uber €290m for data protection violations

The Dutch Data Protection Authority (DPA) has imposed a €290 million ($324 million) fine on Uber for serious violations of the General Data Protection Regulation (GDPR).

The DPA found that Uber had transferred sensitive personal data of European taxi drivers to the United States without adequate protection. This included account details, taxi licenses, location data, and, in some cases, criminal and medical information.

Uber’s failure to use proper transfer tools and its cessation of Standard Contractual Clauses in August 2021 led to insufficient protection of this data.

The EU Court of Justice invalidated the EU-US Privacy Shield in 2020, but Uber did not meet GDPR requirements for data transfers.

The investigation was prompted by complaints from over 170 French drivers, coordinated with other European DPA authorities.

Uber, which had a global turnover of approximately €34.5 billion in 2023, has announced its intention to challenge the fine.

This marks the third fine imposed on Uber by the Dutch DPA, following previous fines of €600,000 in 2018 and €10 million in 2023.