The Dutch data protection regulator said on Monday that ride-hailing app Uber has been fined 290 million euros (246 million pounds, $324 million) for transferring personal data of European drivers to servers in the United States in breach of EU rules.
The Dutch Data Protection Authority (DPA) said the transfer was a “serious breach” of the EU's General Data Protection Regulation (GDPR) because it failed to adequately protect driver information.
The watchdog group said the information, including identity documents, taxi licences and location data, was transferred to the company's headquarters in the United States over a two-year period.
Uber said it would appeal the fine, calling it “unjust.”
“During three years of significant uncertainty between the EU and the US, Uber's cross-border data transfer processes have been GDPR compliant,” an Uber spokesperson said.
“This erroneous decision and extraordinary fine are completely unjustified,” the statement added.
Data transfers to the US are permitted under EU law, but there is significant uncertainty as to when transfers can occur without requiring further approval.
DPA chairman Aleid Wolfsen said the company had failed to meet GDPR requirements to “ensure a level of data protection for data transfers to the United States.”
“This is very serious,” he added, noting that Uber also failed to properly protect the data.
The DPA said Uber collected sensitive information about its European drivers, including taxi licences, location data, photographs, payment details and identity documents, “and in some cases even collected drivers' criminal records and medical data”.
The company said it launched the investigation after more than 170 French drivers complained to a French human rights group, which in turn filed a complaint with France's data protection watchdog.
The GDPR requires companies that process data in multiple EU countries to negotiate with the data protection authority in their home country. Uber's European headquarters is in the Netherlands.
“In Europe, GDPR protects people's fundamental rights by requiring companies and governments to handle personal data with care,” Wolfsen said.
“Think of governments that have access to data at scale,” he said, explaining that “companies are typically obliged to take additional measures if they store personal data of Europeans outside the European Union.”
This is the third fine imposed by the DPA against Uber, following fines of €600,000 (£508,000) in 2018 and €10 million (£8.5 million) last year.
The EU has introduced a series of rules for big tech companies in recent years, imposing huge fines for violations.
Last year, Irish regulators fined TikTok €345m (£296m) for violating children's privacy under GDPR rules.
