The Dutch Data Protection Authority (DPA) has fined Uber 290 million euros—around $324 million—for allegedly transferring the personal data of European taxi drivers to the United States (U.S.) and failing to safeguard the data regarding these transfers appropriately.
The Dutch data watchdog said Uber collected sensitive information about drivers from Europe, including account details and taxi licenses, location data, photos, payment details, identity documents, and, in some cases, even criminal and medical data.
Further, the taxi-riding company transferred those data to Uber’s headquarters in the U.S. for over two years without using transfer tools because the protection of the data was insufficient.
The DPA initiated the investigation into Uber after more than 170 French drivers complained to the French human rights interest group Ligue des droits de l’Homme (LDH), which then submitted the complaint to the French DPA. Since Uber’s European headquarters is in the Netherlands, the Dutch DPA had to lead the investigation.
To calculate the fines for businesses in Europe, the DPAs charge a maximum of 4% of the business’s worldwide annual turnover. In 2023, Uber had a worldwide turnover of around 34.5 billion euros.
Uber said it planned to appeal the ruling and object to the fine.
This is the third penalty the Dutch DPA has imposed on Uber. In 2018, it fined Uber 600,000 euros for not reporting the data breach to the Dutch DPA and the data subjects in time. Further, in 2023, it was fined €10 million for failing to disclose the complete details of its retention periods for data concerning European drivers or to which countries outside Europe this data was forwarded.
