Dutch DPA slaps Uber with record €290 million fine for GDPR violations over data transfers 

The Dutch Data Protection Authority (DPA) has imposed a record fine of €290 million ($324 million) on ride-hailing giant Uber for breaching the General Data Protection Regulation (GDPR) by improperly transferring European taxi drivers’ data to the United States. The hefty penalty, announced on Monday, marks the largest fine ever levied by the Dutch regulator and the most substantial that Uber has faced to date. 

The DPA’s investigation revealed that Uber transferred sensitive information, including account details, taxi licenses, location data, payment information, and, in some instances, criminal and medical records of European drivers, to its US headquarters. This transfer occurred over more than two years, during which Uber failed to utilize appropriate data transfer tools to safeguard the information, resulting in a serious GDPR violation. 

Aleid Wolfsen, chairperson of the Dutch DPA, emphasized the gravity of the breach, noting that the GDPR protects the fundamental rights of individuals within the European Union by ensuring their data is handled with care. “Uber did not meet the requirements of the GDPR to ensure the level of data protection with regard to transfers to the US. That is very serious,” Wolfsen stated. 

The investigation into Uber’s data practices began after 170 French drivers lodged complaints with the human rights group Ligue des droits de l’Homme, which then referred the case to the French DPA. Since Uber’s European headquarters is in the Netherlands, the Dutch DPA took over the case, ultimately leading to a substantial fine. 

Uber has expressed its intent to appeal the decision, calling the fine “completely unjustified.” A spokesperson for the company argued that Uber’s cross-border data transfer practices were compliant with GDPR during a period of significant uncertainty surrounding EU-U.S. data transfers. The appeal process, which could take years, means that Uber will not be required to pay the fine immediately. 

This fine follows previous penalties imposed by the Dutch DPA on Uber, including a €600,000 fine in 2018 and a €10 million fine in January 2024 for related data protection issues. Despite these earlier fines, this latest penalty underscores the increasing scrutiny and enforcement actions that companies face under the GDPR. 

The fine also comes amid broader debates about EU tech regulations, with other major companies like Meta and Spotify recently voicing concerns about the impact of GDPR on their operations. As the tech industry grapples with stringent data protection laws, Uber’s case is a stark reminder of the consequences of failing to comply with these regulations.