Dutch watchdog fines Uber €290m over driver data protection

The Dutch Data Protection Authority (DPA) imposed a fine of 290 million euros on Monday on ride-hailing service provider Uber for transferring personal data of European drivers to the United States, reported Xinhua.

The DPA determined that Uber failed to adequately protect this data, constituting a severe violation of the General Data Protection Regulation (GDPR) adopted by the European Union in 2016.

"GDPR safeguards the fundamental rights of individuals in Europe by requiring companies and governments to handle personal data with care," said DPA Chairman Aleid Wolfsen in a press release.

Companies are generally required to take extra measures when storing European personal data outside the EU, he said. "Uber failed to ensure the required level of protection for drivers' data during its transfer to the U.S., which is extremely serious."

The DPA launched an investigation into Uber following a complaint from over 170 French drivers. Uber's European headquarters is in the Netherlands.

The DPA said that Uber collected sensitive information from European drivers, including account details, taxi licenses, location data, photos, payment information, identity documents, and, in some cases, even criminal records and medical data.

This information was transferred to Uber's headquarters in the U.S. for over two years without using an appropriate transfer mechanism, leaving the data inadequately protected, it said.

Across Europe, privacy regulators calculate fines for companies in the same way, with penalties reaching up to 4 percent of a company's global annual revenue. Uber has announced its intention to appeal the fine.

This marks the third fine the DPA has imposed on Uber. In 2018, it fined Uber 600,000 euros, and in 2023, a 10-million-euro fine was issued, which Uber has also contested.