The Dutch Data Protection Authority (DPA) has imposed a significant fine on Uber for what it described as a “serious violation” of the European Union’s General Data Protection Regulation (GDPR).
The penalty stems from Uber’s failure to adequately protect the personal data of European drivers when transferring it to the company’s headquarters in the United States.
According to the DPA, Uber collected sensitive information from European drivers, including taxi licenses, location data, photos, payment details, identity documents, and, in some cases, even criminal and medical data.
Over two years, this data was transferred to Uber’s US headquarters without the transfer tools needed to comply with GDPR requirements.
“Uber did not meet the requirements of the GDPR to ensure the level of data protection regarding transfers to the US. That is very serious,” said Aleid Wolfsen, chairman of the DPA, in a statement. The regulator emphasized that personal data protection was “not sufficient,” although Uber has since “ended the violation.”
Uber, however, has contested the fine, arguing that the decision is flawed and the penalty unjustified. An Uber spokesperson stated, “Uber’s cross-border data transfer process was compliant with GDPR during 3 years of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”
The company indicated that the appeal process could take up to four years, during which the penalty will be suspended.