Dutch data privacy regulator fines Uber $324 million for failing to adhere to GDPR

The Dutch Data Protection Authority (DPA) announced Monday that it has fined Uber €290 million ($324 million) for gathering sensitive data from European drivers and then transferring it to the U.S. without appropriate safeguards. 

The data taken from Uber drivers and stockpiled at Uber’s U.S. headquarters over the course of more than two years includes location data, photos, payment details and identity documents, according to the DPA. The ride-sharing company also took criminal and medical data from drivers in some cases, the DPA said.

The regulator added that Uber failed to use “transfer tools” when it moved the data, leading to inadequate protections.

Uber has stopped gathering and transferring the data, according to the DPA. 

Known as Autoriteit Persoonsgegevens, the Dutch DPA regulates privacy in the Netherlands and enforces the European Union’s General Data Protection Regulation (GDPR). 

An Uber spokesperson said in a statement that the “flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US.”

Uber will appeal the fine, the spokesperson said.

The Dutch regulator’s chairman said Uber’s conduct constitutes a serious violation of the GDPR.

"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care," Dutch DPA chairman Aleid Wolfsen said in a statement. "But sadly, this is not self-evident outside Europe.”

Wolfesen added that Uber did not adhere to GDPR rules when it failed to protect the data being transferred.

“That is very serious,” he said.

The Dutch DPA’s investigation and fine was spurred by complaints from more than 170 French drivers, who sought help from the French human rights interest group the Ligue des droits de l’Homme (LDH). That organization then sent a complaint to the French DPA, which worked closely with the Dutch on the probe.

Since Uber’s foreign headquarters are based in the Netherlands, the Dutch DPA levied the fine under GDPR rules. 

The Dutch DPA has twice previously fined Uber. In 2018, the company was fined €600,000 ($670,000) and in 2023 €10 million ($11.2 million). Uber disputes the latter fine, according to the DPA.