Uber slapped with £245 million fine by Dutch data regulator

The Dutch Data Protection Authority (DPA) has levied a substantial €290 million (£245 million) fine on Uber for violating European data protection laws. The regulator found that Uber had transferred personal data of European taxi drivers to the United States without sufficient safeguards, breaching the General Data Protection Regulation (GDPR).

The investigation revealed that Uber transferred sensitive driver information, including account details, taxi licences, location data, photos, payment information, identity documents, and, in some cases, even criminal and medical records, to its US headquarters. This data transfer occurred over a period of more than two years without the required protection mechanisms in place.

Uber have called the decision ‘flawed’ and will appeal. In a statement from the ridehail giants it says: “This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US.

“We will appeal and remain confident that common sense will prevail.”

Aleid Wolfsen, chairman of the Dutch DPA, however highlighted the importance of GDPR in safeguarding the fundamental rights of Europeans. He noted that businesses must take additional precautions when storing personal data outside the European Union, a responsibility that Uber neglected.

Wolfsen said: “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care.

"But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious."

The violation was seen to become particularly serious after the EU-US Privacy Shield was invalidated by the European Court of Justice in 2020. While Standard Contractual Clauses could still be used for data transfers to countries outside the EU, companies must ensure equivalent protection to the GDPR. The Dutch DPA found that Uber failed to meet these requirements, particularly after August 2021, when the company stopped using these clauses.

The fine follows a complaint lodged by more than 170 French drivers through the Ligue des droits de l’Homme (LDH) to the French DPA. Given Uber's European headquarters in the Netherlands, the Dutch DPA led the investigation, working closely with its French counterpart and coordinating with other European regulators.

This marks the third significant fine imposed on Uber by the Dutch DPA, following penalties of €600,000 in 2018 and €10 million earlier this year.