Uber was fined a record 290 million euros (about $324 million) for failing to protect European driver data.
The fine from the Dutch Data Protection Authority (DPA) stems from an investigation that found that the ride-hailing/delivery giant transferred personal data of its drivers to the United States while failing to protect that data, according to a Monday (Aug. 26) press release.
This violates Europe’s General Data Protection Regulation (GDPR), and Uber has since ended the violation, the release said.
“In Europe, the GDPR protects the fundamental rights of people by requiring businesses and governments to handle personal data with due care,” Dutch DPA Chairman Aleid Wolfsen said in the release. “But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”
The fine is the steepest penalty ever issued by the DPA and the largest Uber has received, Bloomberg reported Monday.
“This flawed decision and extraordinary fine are completely unjustified,” an Uber spokesperson told PYMNTS. “Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and U.S. We will appeal and remain confident that common sense will prevail.”
The company also argued the decision relates to a complaint from 2021, a time that Uber said was marked by uncertainty about EU-U.S. data transfers. Uber also noted that it will not have to pay a fine while appealing the case, a process that could take years.
According to the DPA release, the regulator’s investigation found that Uber collected “sensitive information” about drivers from Europe and held it on servers in the U.S. The information included account details, location data, photos, payment details, and in some cases, drivers’ medical and criminal history.
For more than two years, Uber transferred this data to its American headquarters without employing transfer tools, meaning the data was not sufficiently protected, the release said.
The investigation began when more than 170 French drivers issued a complaint to the country’s human rights interest group, Ligue des droits de l’Homme, which subsequently forwarded a complaint to the French DPA. Because Uber’s European headquarters is in the Netherlands, the case was turned over to the Dutch DPA, per the release.
The fine comes days after the CEOs of Meta and Spotify issued a joint statement criticizing EU tech regulations in the wake of an application of the GDPR that required Meta to delay training its artificial intelligence models on content shared publicly by adults on its social media platforms, Facebook and Meta.