Ride-hailing giant Uber has been slapped with a hefty €290 million fine by the Dutch Data Protection Authority (DPA) for improperly transferring the personal data of European drivers to its U.S. headquarters. The DPA announced today that Uber’s actions violated European Union data protection regulations. While Uber has since ceased the practice, the company disagrees with the fine and intends to appeal.
The DPA’s decision was based on Uber’s unauthorized transfer of drivers’ data to the United States without ensuring adequate security measures. “This is a severe violation of the General Data Protection Regulation (GDPR),” the authority stated. GDPR, a key EU regulation, governs the protection and privacy of personal data within the European Union.
Uber spokesperson Caspar Nixon criticized the ruling, calling the fine “completely unjustified.” He argued that Uber’s data transfer processes were in compliance with GDPR during a period of significant uncertainty between the EU and the U.S. over data transfers. “We will appeal and are confident that common sense will prevail,” Nixon added.
The controversy stems from the period before 2020, when there was no clear agreement between the EU and the U.S. on how to handle personal data transfers. In July 2020, the EU Court of Justice invalidated a European Commission decision that had previously allowed such transfers, citing a complaint from Austrian activist Max Schrems against Facebook for failing to protect user data.
“In Europe, GDPR safeguards people’s fundamental rights by ensuring that personal data is handled with care,” said Aleid Wolfsen, chairman of the Dutch DPA. “Unfortunately, outside Europe, this standard is not always upheld,” he added.
Uber has the option to appeal the fine directly with the Dutch DPA, and if unsuccessful, it can pursue legal action through the Dutch courts. The appeal process could take up to four years, during which any fines would be suspended until all legal avenues are exhausted, according to the DPA.
The investigation into Uber’s data practices began following a complaint from a French organization representing over 170 taxi drivers. As Uber’s European headquarters are based in the Netherlands, the case was transferred to the Dutch DPA, with cooperation from the French data protection authority, CNIL.
This is not the first time Uber has faced penalties in the Netherlands. In January, the DPA fined the company €10 million for similar violations concerning drivers’ personal data.
Large U.S. tech companies have frequently faced significant fines in the EU, often for GDPR violations or abuses of market dominance. Companies like Amazon, Apple, and Meta (formerly Facebook) have all been penalized by the European Commission for various infractions.
Despite the legal challenges, Uber reported a gross profit of $14.8 billion last year, an increase from $12.2 billion the previous year. Revenue also grew by nearly 17%, reaching $37.3 billion.
Source: CTK
