A regulator in the Netherlands has slapped ride-hailing app Uber with a €290 million finer for transferring European drivers’ data to the US. The firm described the decision as “extraordinary.”
The Dutch data protection watchdog on Monday fined ride-hailing app Uber for a “serious violation” of the rules by transferring data about its drivers to servers in the United States.
What the regulator said
The regulator hit Uber with a €290 million (roughly $324 million) penalty for a breach of the European Union’s General Data Protection Regulation (GDPR).
The Dutch Data Protection Authority (DPA) said Uber collected European drivers’ sensitive information. This included taxi licenses, photos, payment details, location information, identity documents, “and in some cases even criminal and medical data of drivers.”
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious,” DPA chairman Aleid Wolfsen said.
Over two years, the DPA said, the information was transferred to Uber’s US headquarters without using transfer tools that filter information.
“Because of this, the protection of personal data was not sufficient,” the DPA said.
What was the response from Uber?
Uber said it would appeal the fine.
“This flawed decision and extraordinary fine are completely unjustified,” a spokesperson said.
“Uber’s cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”
The EU has brought in rules for big tech firms and imposed hefty fines for breaches.
The DPA launched an investigation after more than 170 French drivers complained to a French human rights interest group that complained to the French data protection watchdog.
Why was the Dutch regulator involved?
Businesses that process data in several EU countries must deal with the data protection authority where its main office is located. Uber’s European headquarters are in the Netherlands.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” the DPA’s Wolfsen said. “But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”
It’s the third fine that the DPA in the Netherlands has leveled against Uber, after penalties of €600,000 in 2018 and €10 million last year.