Uber is staring down a 290 million euro fine (about $320 million USD) for violating data protection laws in the EU.
That’s the basic story, but to understand the details behind it, you first need to know what the GDPR is. This is the General Data Protection Regulation, a policy implemented in the EU in May 2018. While we’re used to playing fast and loose with consumer privacy in the U.S., the EU has a different approach — and one that, so far, has worked well.
The GDPR outlines specific provisions that companies must follow regarding user data, as well as what rights individual people have to their data on the internet.
The Dutch Data Protection Authority (DPA) alleges that Uber collected sensitive information — including location data, photos, payment details, and even criminal and medical data — of its drivers and stored it on U.S. servers.
The GDPR mandates a series of rules that companies must follow when transferring data outside the European Economic Area, and the DPA says Uber failed to follow these standards over two years. Because of this oversight, the DPA claims that personal data protection was insufficient.
The trouble started when more than 170 French Uber drivers complained to a human rights interest group called Ligue des droits de l’Homme, which then took the complaints to the French DPA. As Uber’s European headquarters is based in the Netherlands, the Dutch DPA took over the case.
It’s also worth noting that this is the third time the Dutch DPA has leveled fines against Uber. The first time was a fine of 600,000 euros in 2018, followed by another 10 million euro fine in 2023.
Data transfers must be accompanied by an appropriate level of data protection. The European Commission can make an adequacy decision based on an entire country, appropriate safeguards, and/or specific exceptions. In the case of Uber, the Dutch DPA says these safeguards were not met, and the drivers’ personal information was too vulnerable to bad actors.
The fine isn’t an arbitrary number. All data protection agencies in Europe calculate the amount of a fine in the same way, up to a maximum of 4% of a business’s global annual turnover.
Uber has since ceased transferring data in this way and has changed its methods to become compliant with GDPR rules. The company has stated it intends to appeal the fine, calling it “completely unjustified” in a statement an Uber spokesperson gave to The Verge.
So, what does this mean for Uber? The company will have to argue its case, but regardless of the outcome, Uber isn’t going anywhere. It’s still the main rideshare service in the world with 25% of the market, but perhaps this case will lead to better data protection practices in the U.S.