Uber has been fined $325 million for violating GDPR rules related to the transfer of personal data of drivers from Europe to the United States.
The Dutch data protection authority (AP) imposed a fine of $325 million on Uber Technologies Inc. and Uber B.V. for violating the General Data Protection Regulation (GDPR). The fine was imposed for transferring personal data from the European Economic Area (EEA) to servers in the US without proper safeguards. This is the third time the AP has fined Uber: the first fine, of €600,000, was imposed in 2018 and the second, of €10 million, in January 2024.
The problem arose after the decision of the Court of Justice of the European Union, which invalidated the “Privacy Shield” between the EU and the US due to insufficient data protection standards in the US. Despite this decision, Uber continued to transfer data to the US without proper contractual terms, in violation of Article 44 of the GDPR, which requires an equivalent level of data protection.
Uber’s situation has been exacerbated by the Schrems II ruling, which invalidated the EU-US Privacy Shield and left companies in legal limbo over data transfers. Other companies, such as Meta, have also been fined significant amounts for similar violations.
Uber plans to appeal the decision, saying it is unfair. The appeal process can take up to 4 years, during which the fine will be frozen. The company claims that its data transfer practices comply with GDPR requirements and that cross-border data sharing is an important component of its services.