Uber has been fined €290 million ($324 million) in the Netherlands for improperly sending driver data from Europe to the U.S. in violation of EU rules, the Dutch Data Protection Authority (DPA) said Monday.
Uber failed to “appropriately safeguard” its data on drivers, which the DPA said was a “serious violation” of Europe’s General Data Protection Regulation (GDPR).
The Dutch data watchdog said that Uber collected sensitive information from drivers, including taxi licenses, identity documents, and medical data, and retained it on servers in the United States for more than two years.
Uber transferred that data to Uber’s San Francisco headquarters without using the proper transfer tools, the agency said.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care,” Dutch DPA chairman Aleid Wolfsen said in a statement.
Euopre has strict data protection laws, which include requirements that businesses transferring and storing data outside of Europe must take additional security measures. The fine is one of the largest levied against a tech company since the GDPR was implemented in 2018.
Uber has stopped the practice, the DPA said. The company can appeal the ruling, and the DPA said in its release that Uber has indeed indicated its intent to object to the fine.
“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US,” an Uber spokesperson tells Fast Company. “We will appeal and remain confident that common sense will prevail.”
The DPA started investigating Uber’s data transfers after more than 170 French drivers complained to a French human rights interest group, which submitted a complaint to the French GPA. Because Uber’s European headquarters are based in the Netherlands, the Dutch DPA had to lead the investigation.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US,” Wolfsen said. “That is very serious.”