Uber needs to pay 290 million. ELTA

Uber transferred data to US databases without protecting it

It has emerged that Uber has to pay €290 million to the Dutch Data Protection Agency for transferring European taxi drivers' data to servers in the United States. The Dutch Data Protection Agency (DPA) found that Uber collected "sensitive information" about its European drivers, such as taxi licences, location data and medical data, and stored it on US servers. 

The DPA added that Uber had transferred the data to its US databases without properly securing them. This is, therefore, a serious breach of the European General Data Protection Regulation (GDPR). Data laws require "companies and governments to handle personal data with care", says DPA chairman Aleid Wolfsen[1].

This is not taken for granted outside Europe, it is feared. An Uber spokesperson, for their part, maintains that "this flawed decision and the fine are completely unjustified". The company also says that it complied with the GDPR during the three years of great uncertainty between the US and the EU as to how the rules would be applied. According to Uber, the problem dates back to 2020, when the EU Court of Justice found that the EU-US data transfer system then in place was no longer GDPR compliant, allegedly leaving European and American companies "without clear guidelines for transatlantic data flows for almost three years".

Taxi drivers are changed to Uber drivers, who are random people and require less money. Mike Tsitas/Unsplash

The fines imposed retroactively will cover the period 2020-2023, from video conferencing to online payments

"Any retroactive fines imposed by data protection authorities are particularly worrying given that it is these privacy regulators who have failed to provide useful guidance at a time of great legal uncertainty, with no clear legal basis," said Alexandre Roure, head of the Computer and Communications Industry Association (CCIA). 

According to the CCIA, the retroactive fines mean that the legal uncertainty will apply to everything that happened online between 2020 and 2023, from video conferencing to online payment processing.

Uber, for its part, said it will appeal the fine; the appeal means that the fine is suspended pending a final decision.

This is the third fine for Uber in five years

The DPA investigation was launched earlier this year after 170 French drivers complained to the French NGO Ligue des droits de l'Homme (Human Rights League) in 2021[2].

Uber was fined €10 million in December last year and €600,000 in 2018. According to the French data protection authority, which cooperated with the Dutch in the case, Uber's statement also included "incomplete" information about how the company transfers data to the US. According to Jerome Giusti, a lawyer at the French League of Human Rights, the December complaint was the first large-scale workers' lawsuit in Europe based on GDPR. As a result, some drivers are considering initiating a class action to obtain compensation.

Uber reportedly does not guarantee the level of protection required by the General Data Protection Regulation when transferring drivers' data to the US. That data includes detailed account information and taxi licenses, as well as location data, photographs, payment information, identity documents and, in some cases, criminal and medical data on drivers.

All European privacy regulators calculate fines for companies similarly: the fines are capped at 4% of a company's global annual turnover. In 2023, Uber's global turnover was around €34.5 billion.

Former Uber chief security officer sentenced to three years probation for concealing a data breach

Joseph Sullivan was sentenced in 2023 to three years' probation and a fine of USD 50,000.

Sullivan, 54, from Palo Alto in Santa Clara County, previously served as Uber's chief security officer. At the time, the Federal Trade Commission (FTC) was investigating Uber over a data breach in 2014. Sullivan was hired shortly after the FTC investigation began[3].

In 2016, it was discovered that Uber had been hacked again. Unlike in 2014, however, the 2016 theft was on a large scale and included records relating to around 57 million Uber users and drivers. Sullivan did everything possible to prevent any knowledge of the breach from reaching the FTC. He even offered to pay the hackers in exchange for their not disclosing this fact to anyone.

Finally, Uber entered into a tentative settlement with the FTC in the summer of 2016 without disclosing the 2016 data breach to the FTC. In autumn 2017, Uber's new management started to investigate the facts surrounding the 2016 data breach. When asked by Uber's new CEO what happened, Sullivan lied about the circumstances of the breach, saying that the hackers did not steal any data. The new Uber management unearthed the truth about the breach in November 2017.

Yet another fine for Uber. Screenshot

Uber pays $272 million in compensation to Australian taxi drivers

Lawyers argued back in spring that the ride-hailing company would pay taxi and rental car drivers the compensation they deserve. Uber paid nearly USD 272 million in compensation that year, after the ride-hailing company aggressively entered the Australian market. It was the fifth largest class action settlement in Australian history, reached after five years of legal battles on behalf of more than 8,000 taxi and hire car owners and drivers.

The claim is that Uber's aggressive entry into the market caused drivers and car owners to lose income and the value of their licenses and that the company tried at every turn to deny them compensation[4].

The lawyers argued that Uber X started operating in Australia to harm local taxi and for-hire car drivers. In addition, the company used unlicensed cars with unaccredited drivers in a "conspiracy by unlawful means".

Uber, as always, had its own arguments; it claimed that taxi and hire car drivers' complaints were a "legacy problem" because when the company started more than a decade ago, there were no rules on ridesharing anywhere in the world. However, this time, there was no escape from responsibility.