Uber has been fined €290m by the Dutch Data Protection Authority (DPA) because it “transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers,” as required by the General Data Protection Regulation (GDPR), says a from the DPA issued on 26 August 2024. The breaches--which occurred between August 2021 and November 2023--constitute a “serious violation of the GDPR” but have now ended, added the Dutch authority.

These practices do not concern Luxembourg driver data, as , well after the period of infringement in question.

The investigation was triggered by a collective complaint from more than 170 French drivers, lodged by the association La Ligue des droits de l’Homme (LDH) with the French privacy regulator. The drivers criticised Uber for the lack of information on the transfer of their data outside the European Union. The Dutch DPA took up the case because Uber has established its European headquarters in the Netherlands, which makes this authority competent to investigate data protection cases under the GDPR rules. The French National Commission on Informatics and Liberty (CNIL) worked closely with the Dutch authority to analyse the evidence and consider the final decision.

Between August 2021 and November 2023, Uber carried out these data transfers without ensuring the protections required by the GDPR. According to the Dutch DPA’s statement, data transferred included sensitive information such as “account details and taxi licences, but also location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.”

This article was originally published in .