Uber hit with $324 million EU fine for improper data transfer

/

The ridehail company failed to “appropriately safeguard” driver data, EU regulators contend.

Share this story

Uber company name written on a multicolored background.

Illustration by Alex Castro / The Verge

Uber is facing a fine of 290 million euros ($347 million) after improperly transferring driver data from the EU to the US, in one of the largest penalties levied under the European Union’s General Data Protection Regulation (GDPR) since its inception.

The fine was imposed by the Dutch Data Protection Authority (DPA), which accused Uber of failing to “properly safeguard” European drivers’ personal data while transferring it to the United States. Uber has since ceased the practice, DPA added.

“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US,” the regulator said in a statement. “That is very serious.”

The DPA started investigating the data transfer after 170 French Uber drivers complained to a human rights organization, which passed it along to the French DPA. Uber’s European headquarters is in the Netherlands, which allowed that country’s DPA to lead the investigation.

Uber was found to have retained “sensitive data” from drivers on US-based servers in violation of the GDPR. The data included account details and taxi licenses, as well as location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers, the DPA said. Uber moved the data without the use of transfer tools, without which the protection of the data was insufficient, the group added.

The General Data Protection Regulation is a rule passed by the European Union in 2016, setting new rules for how companies manage and share personal data. Since then, EU regulators have used the regulation to send a message to giant tech companies: data privacy is sacrosanct, and failure to abide by the rules will result in record-breaking fines.

The largest fine of $1.3 billion fine (€1.2 billion) was handed to Meta in 2023 for a similar violation. The Facebook parent company was accused of transferring data on EU citizens to the US without sufficient protections. Other companies facing large fines include TikTok, WhatsApp (which is owned by Meta), and Clearview AI.

A spokesperson for Uber did not immediately respond to a request for comment, but in a statement to Reuters, the company said it planned to appeal the decision.

Go to Source