Uber hit with $324 million EU fine for improper data transfer

Uber is facing a fine of 290 million euros ($347 million USD) after improperly transferring driver data from the EU to the US in one of the largest penalties levied under the European Union’s General Data Protection Regulation (GDPR) since its inception.

The fine was imposed by the Dutch Data Protection Authority (DPA), which accused Uber of failing to “properly safeguard” European drivers’ personal data while transferring it to the United States. Uber has since ceased the practice, DPA added.

“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US,” the regulator said in a statement. “That is very serious.”

The DPA started investigating the data transfer after 170 French Uber drivers complained to a human rights organization, which passed it along to the French DPA. Uber’s European headquarters is in the Netherlands, which allowed that country’s DPA to lead the investigation.

Uber was found to have retained “sensitive data” from drivers on US-based servers in violation of the GDPR. The data included account details and taxi licenses, as well as location data, photos, payment details, identity documents, and in some cases, even criminal and medical data of drivers, the DPA said. Uber moved the data without the use of transfer tools, without which the protection of the data was insufficient, the group added.

The General Data Protection Regulation is a rule passed by the European Union in 2016, setting new rules for how companies manage and share personal data. Since then, EU regulators have used the regulation to send a message to giant tech companies: data privacy is sacrosanct, and failure to abide by the rules will result in record-breaking fines.

The largest fine of $1.3 billion (€1.2 billion) was handed to Meta in 2023 for a similar violation. The Facebook parent company was accused of transferring data on EU citizens to the US without sufficient protections. Other companies facing large fines include TikTok, WhatsApp (which is owned by Meta), and Clearview AI.

Uber said it planned to appeal the ruling.

“This flawed decision and extraordinary fine are completely unjustified,” Caspar Nixon, a spokesperson for the company, said in an email. “Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”

Update August 26th: Updated to include a statement from Uber.