By D. W. G. Kalani Tharanga, JadeTimes News

Uber has been hit with a substantial €290 million (£246 million; $324 million) fine by the Dutch Data Protection Authority (DPA) for violating the European Union's General Data Protection Regulation (GDPR). The penalty comes after the ride hailing giant unlawfully transferred the personal data of European drivers to its US servers, failing to meet the stringent data protection standards required under EU law.

A Serious Breach of GDPR, Uber's Data Transfer Controversy

The DPA's investigation revealed that over a two year period, Uber transferred sensitive driver information, including identity documents, taxi licenses, location data, and, in some cases, even criminal and medical records, to its headquarters in the United States. This transfer, according to the DPA, was a "serious violation" of GDPR, as Uber did not implement the necessary safeguards to protect the data adequately.

Aleid Wolfsen, the DPA chairman, emphasized the gravity of the breach, stating that Uber failed to ensure the appropriate level of data protection required when transferring information outside the EU. This failure is particularly concerning given the ongoing uncertainty surrounding the legality of such data transfers between the EU and US without additional authorization.

Uber’s Response and the Broader Implications for Data Privacy

Uber has responded to the fine by announcing its intention to appeal, describing the decision as "unjustified." A spokesperson for the company argued that Uber's cross border data transfer processes were compliant with GDPR during a period marked by significant legal uncertainty between the EU and US. Despite this defense, the DPA's ruling highlights the EU's growing enforcement of data privacy laws, particularly against major tech companies.

This fine marks the third time Uber has been penalized by the DPA, following fines of €600,000 (£508,000) in 2018 and €10 million (£8.5 million) last year. The case underscores the EU's commitment to protecting personal data under GDPR, as seen with similar actions taken against other tech giants, such as the €345 million (£296 million) fine imposed on TikTok by Irish regulators last year for violations related to children's privacy.

As the EU continues to tighten its grip on data privacy enforcement, businesses handling personal data within the region must ensure strict compliance with GDPR to avoid hefty penalties and protect the fundamental rights of individuals