Ride-Hailing Giant Uber Faces €290 Million Fine over GDPR Violations

• Uber was issued a massive €290 million for moving sensitive driver details from Europe to the U.S.
• The ride-sharing giant allegedly failed to offer a similar level of protection as the GDPR framework while exporting data.
• Collaborators’ information included IDs, payment details, criminal records, and more.

The Dutch Data Protection Authority (DPA) has fined ride-hailing company Uber €290 million for failing to adhere to the EU’s General Data Protection Regulation (GDPR) data transfer requirements while moving sensitive driver information from Europe to the U.S. Uber has indicated its intent to object to the fine, and the case is awaiting further development.

According to the Dutch DPA, Uber collected and stored various sensitive details from its European drivers, ranging from account details to more personal data like identity documents, location data, photos, payment details, and even criminal records. 

For over two years, this information was transferred to Uber's headquarters in the U.S. without the necessary protective measures to ensure an equivalent level of protection as required under the GDPR framework.

The DPA's findings revealed that from August 2021 onwards, Uber ceased using Standard Contractual Clauses, a key tool to ensure data protection, leading to "insufficient protection" of driver data.

This latest fine marks Uber's third penalty from the Dutch DPA. The company's history with the authority includes a €600,000 fine in 2018 and a substantial €10 million fine in 2023. Both instances involved questionable data management practices, which Uber contested.

The current violation was brought to light following complaints from over 170 French drivers, coordinated by the French human rights interest group Ligue des Droits de l’Homme (LDH) and brought to the attention of the French DPA. This collaboration with its Dutch counterpart led to a sizeable penalty against Uber.

In related news, European privacy advocate NOYB  filed nine complaints for GDPR breaches against social media giant X (formerly Twitter) for unlawfully leveraging over 60 million users’ data in the EU/EEA without notice or asking for their consent to train its AI technologies.
Giant tech company Meta decided to offer an ad-free subscription in the E.U. using a “pay or consent” advertising model that the European Commission said violates the Digital Markets Act (DMA) due to forcing users to choose between having their personal data used to deliver ads or paying for an ad-free experience that uses less user information.