Uber fined $325 million for moving driver data from Europe to US
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a fine of €290,000,000 ($325 million) on Uber Technologies Inc. and Uber B.V. over GDPR violations.
The authority accuses Uber of transferring personal data from the European Economic Area (EEA) to servers in the United States without adequate safeguards, as defined by Chapter V of the General Data Protection Regulation.
This is the third time the Dutch Data Protection Authority has imposed an administrative fine on Uber.
The first was a €600,000 fine for poor data access controls in November 2018. The second was a €10,000,000 fine imposed in January 2024 for Uber's obscure data management practices in handling data from EU subjects.
AP's investigation into Uber's data practices was triggered by complaints from French drivers, which the French data protection authority (CNIL) escalated to the AP.
The issue arose after the Schrems II ruling by the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield due to insufficient data protection standards in the US.
Despite the ruling, Uber allegedly continued to transfer personal data to the US without implementing Standard Contractual Clauses (SCCs) or other safeguards, thus violating GDPR Article 44, which mandates that data transfers to third countries ensure a level of protection equivalent to that within the EU.
This is the same violation for which the Irish Data Protection Commission (DPC) imposed a massive $1.3 billion fine on Meta (Facebook). More recently, four firms were fined $1.1 million by the Swedish Authority for Privacy Protection (IMY) for similar violations caused by the use of Google Analytics.
Uber's response
Uber argued that Chapter V of the GDPR did not apply because Article 3 of the GDPR already extended the regulation's protection to their processing activities in the US.
Additionally, the tech firm contends that no data transfer occurs, as defined under GDPR, since drivers provide their data directly to Uber's US-based servers through the app.
The AP rejected those arguments and proceeded to impose the massive fine. More details about AP's investigation and final decision can be found in the supporting document.
Responding to our request for a comment, an Uber spokesperson told BleepingComputer that they find the ruling unjustified and plan to appeal the decision.
"This flawed decision and extraordinary fine are completely unjustified. Uber's cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail." - Uber spokesperson
Uber maintains that its data handling practices, as laid out in its privacy notice, adhere to GDPR. In addition, it sees data flows between users, as well as between users and Uber, as a fundamental and inherent component of its services.
The appeal process can take up to 4 years, during which the fine will be suspended.
source: BleepingComputer