
Uber Fined €290 Million by Dutch Regulator for GDPR Violations in Data Transfers to U.S.

Uber was hit with a record €290 million (about $324 million) fine by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP; referred to below as the DPA) for transferring the private data of European drivers to the United States in violation of EU data protection law. It is the largest penalty the Dutch regulator has ever issued.

According to the DPA, Uber failed to adequately protect the personal information of European taxi drivers when it moved that data to the United States, an action the watchdog called a “serious” violation of the General Data Protection Regulation (GDPR). The company has since ended the practice.

The regulator found that Uber gathered and stored sensitive driver information on servers in the United States for more than two years. That data included account details, taxi licenses, location data, photos, payment details, and identity documents — and, in some cases, even the drivers’ criminal and medical records.

At the heart of the case is the way Uber moved that data across the Atlantic. After the Court of Justice of the EU invalidated the EU-US Privacy Shield in 2020, companies could still rely on Standard Contractual Clauses (SCCs) to transfer data abroad, but only where an equivalent level of protection could be guaranteed in practice. The DPA determined that Uber stopped using SCCs from August 2021, leaving EU drivers’ data insufficiently protected. The regulator pinpointed the unlawful transfers to a roughly 27-month window between August 6, 2021, and late November 2023, the point at which Uber joined the list under the EU-US Data Privacy Framework, the successor arrangement that took effect in July 2023.

Uber called the fine “completely unjustified” and said it would challenge the ruling, telling Bloomberg that its cross-border data transfer process complied with the GDPR. The company has since lodged a formal objection, and the matter remains contested.


The investigation did not begin in the Netherlands. It was triggered by a collective complaint from the French human rights group Ligue des droits de l’Homme (LDH), filed on behalf of more than 170 French Uber drivers, which the French regulator CNIL forwarded to its Dutch counterpart. Because Uber’s European headquarters sits in the Netherlands, the Dutch DPA acted as lead supervisory authority and coordinated the decision with other European regulators. The case treated Uber B.V. in Amsterdam and Uber Technologies Inc. in San Francisco as joint controllers of the drivers’ data.

This was not Uber’s first run-in with the Dutch regulator. The €290 million penalty was the third the DPA has imposed on the company, following a €600,000 fine in 2018 and a €10 million fine in December 2023. In announcing that earlier penalty, the DPA said Uber had made it unnecessarily difficult for drivers to exercise their right to view or obtain copies of their personal data, and had failed to clearly disclose in its privacy terms how long it retained driver data or what safeguards it applied when sending information outside the European Economic Area. Uber objected to that fine as well.

Under the GDPR, penalties can reach up to 4% of a company’s worldwide annual turnover, and regulators across the EU calculate them using a shared method. With Uber’s 2023 global turnover at roughly €34.5 billion, the €290 million figure sat well within that ceiling, and the DPA rejected Uber’s challenge to how the amount was calculated. Even so, the fine is dwarfed by the €1.2 billion penalty Ireland’s regulator imposed on Meta in 2023, still the largest GDPR fine to date.

U.S. companies have long drawn scrutiny from European data protection authorities over transatlantic transfers, amid concerns that American surveillance programs could reach the personal data of EU residents. In 2022, regulators in France and Austria concluded that the transatlantic transfer of Google Analytics data ran afoul of the GDPR. The Uber decision, however, has proved contentious among legal observers, who note that it appears to depart from European Data Protection Board guidance on whether a foreign firm collecting data directly from EU residents must also apply the GDPR’s transfer safeguards — a tension that may ultimately require the Court of Justice of the EU to settle.

“Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union,” said Aleid Wolfsen, chairman of the DPA, underscoring why the regulator treats overseas storage of Europeans’ personal data as a matter demanding extra safeguards.

The AEGIS Alliance U.K.
Bringing you news from the United Kingdom and greater Europe! Journalist, editor, activist, social media management, content creator. Based in the U.K.
