The ride-hailing app Uber has been hit with a €290m (£246m; $324m) fine for transferring the personal data of European drivers to US servers in violation of EU rules, the Dutch data protection regulator said on Monday.
The Dutch Data Protection Authority (DPA) said the transfers were a “serious violation” of the EU’s General Data Protection Regulation (GDPR), as they failed to appropriately protect driver information.
According to the watchdog, information including ID documents, taxi licences and location data was transferred to the company’s headquarters in the US over a two-year period.
Uber said it would appeal the fine, which it called “unjustified”.
“Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US,” an Uber spokesperson said.
“This flawed decision and extraordinary fine are completely unjustified,” the statement added.
While data transfers to the US are allowed under EU law, there is significant uncertainty around when they can occur without the need for further authorisation.
DPA chairman Aleid Wolfsen said the company failed to meet GDPR requirements to “ensure the level of protection to the data with regard to transfers to the US.”
“That is very serious,” he added, noting that Uber also failed to appropriately safeguard the data.
The DPA said Uber collected sensitive information of European drivers, including taxi licences, location data, photos, payment details, identity documents, “and in some cases even criminal and medical data of drivers”.
It said it started the investigation after more than 170 French drivers complained to a French human rights group, which then filed a complaint to France’s data protection watchdog.
Under GDPR rules, a business that processes data in several EU countries must deal with the data protection authority where its main office is located.
Uber’s European headquarters are in the Netherlands.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Mr Wolfsen said.
“Think of governments that can tap data on a large scale,” he said, explaining, “businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”
It is the DPA’s third fine against Uber following fines of €600,000 (£508,000) in 2018 and €10m (£8.5m) last year.
The EU has rolled out a series of rules for big tech firms and imposed huge fines for breaches in recent years.
Last year, Irish regulators fined TikTok €345m (£296m) for violating children’s privacy under GDPR rules.