Uber fined €290 million for 'very serious' GDPR violation

European watchdog finds Uber transferred drivers' data to US without proper protection

Uber fined €290 million for 'very serious' GDPR violation

"Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious," said Dutch DPA chairman Aleid Wolfsen in a statement.

Sensitive data collected

Among the data collected by Uber is driver information, such as account details and taxi licences, location data, photos, payment details, identity documents, and criminal and medical data of drivers.

"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care," Wolfsen said.

"But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union."

Uber called the ruling "flawed" and said it would appeal the fine, BBC News reported.

"Uber's cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US," an Uber spokesperson said as quoted by the news outlet. "This flawed decision and extraordinary fine are completely unjustified."

This is third time that the Dutch DPA fined Uber. The transport company was also fined €600,000 ($670,166) in 2018 and another €10 million ($11.1 million) in 2023.