Dutch Fines Uber €290m over Data Transfer Violations

The Dutch data protection authority (DPA) has fined the ride-hailing app Uber 290 million euros (approximately $324 million) for transferring the personal data of European drivers to U.S. servers.

According to the DPA, the transfers were a “serious violation” of the European Union’s General Data Protection Regulation as they failed to appropriately protect driver information.

“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data concerning transfers to the US. That is very serious,” Dutch Data Protection Authority chairman, Aleid Wolfsen, said in a statement.

The DPA said Uber collected sensitive information of European drivers, including taxi licences, location data, photos, payment details, identity documents, “and in some cases even criminal and medical data of drivers”.

Over two years, the DPA said, the information was transferred to Uber’s US headquarters without using transfer tools.

“Because of this, the protection of personal data was not sufficient,” the DPA said.

Uber said it would appeal the fine.

“This flawed decision and extraordinary fine are completely unjustified,” an Uber spokesperson said in a statement.

“Uber’s cross-border data transfer process was compliant with GDPR during 3 years of immense uncertainty between the EU and the US. We will appeal and remain confident that common sense will prevail,” the statement said.

Following an investigation, the DPA found that, between August 2021 and November 2023, Uber was transferring sensitive data to US servers and storing it there without the additional protection tools required by the GDPR.

The data included taxi licences, account and payment details, IDs, photos, and even criminal or medical records.

However, Uber failed to ensure this level of protection, he added.

The investigation was prompted by a complaint from over 170 French drivers to local human rights organisation Ligue des droits de l’Homme (LDH). LDH then filed a complaint to France’s data protection watchdog CNIL.

According to the GDPR, companies processing data across the EU must answer to a single privacy authority, located in the country where a business has its European headquarters. As Uber’s base is in the Netherlands, the DPA led the probe.

The DPA said that Uber has now stopped the practice. Uber is also going to appeal the decision.

This is the third fine the Dutch watchdog has imposed on Uber. In 2018, the DPA hit the company with a €600,000 fine for failing to notify the agency on time of a data breach in 2016. And as of January this year, Uber is also facing a €10mn fine (again) for violating privacy rules, which it has appealed.

Comfort Samuel

I work with TV360 Nigeria as a broadcast journalist, producer and reporter. I'm so passionate about what I do.
