Uber Hit by $324M Data Privacy Breach Fine in Europe

Uber has been hit by a €290 million ($324 million) fine for sending European drivers’ personal data to its U.S. servers in breach of European Union data protection rules.

BBC News reports the Netherlands’ data regulator, the Dutch Data Protection Authority (DPA), says the transfers were a “serious violation” of the EU's General Data Protection Regulation (GDPR) by failing to protect driver information.

According to the DPA, information including identification documents, photos, payment details, taxi licenses, criminal and medical records and location data was transferred to Uber’s headquarters in the U.S. over a two-year period.

The watchdog’s investigation began after more than 170 French drivers complained to a French human rights group, which then filed a complaint to France's data protection watchdog.

Under GDPR rules, a business that processes data in several EU countries must deal with the data protection authority where its main office is located. Uber's European headquarters are in the Netherlands.

While data transfers to the U.S. are allowed under EU law, there is significant uncertainty surrounding when these can occur without the need for further authorization.

DPA chairman Aleid Wolfsen says Uber failed to meet GDPR requirements and also failed to appropriately safeguard the data to “ensure the level of protection to the data with regard to transfers to the U.S. That is very serious.”

He adds: “In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. Think of governments that can tap data on a large scale. Businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”

This is the DPA's third fine against Uber following fines of €600,000 ($670,380) in 2018 and €10 million ($11.17 million) last year.

In a statement an Uber spokesperson tells the BBC that the company would appeal the fine. The spokesperson adds: “Uber's cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S. This flawed decision and extraordinary fine are completely unjustified.”