Dutch authorities have fined ride-hailing giant Uber the sum of €290 million for illegally transferring the personal data of European drivers to the United States, violating EU data protection laws.
The Dutch Data Protection Authority (DPA), which issued the fine, revealed that Uber had been transferring this data without implementing necessary safeguards, thereby breaching the General Data Protection Regulation (GDPR).
Uber’s data transfer methods were brought under investigation following a complaint from French taxi drivers. The French data protection regulator, CNIL, cooperated closely with the Dutch DPA during the investigation, which ultimately revealed significant lapses in Uber’s handling of sensitive information.
The DPA noted that Uber had not only transferred the data but failed to protect it adequately, a serious infringement of GDPR standards.
Although Uber has since ceased the cross-border data transfers in question, the company has asserted strong disagreement with the decision. Uber spokesperson Caspar Nixon described the fine as “extraordinary and unjustified,” stating that Uber’s practices were aligned with GDPR during what he described as a “period of immense uncertainty” between the EU and the U.S. regarding data protection agreements.
Uber intends to challenge the ruling, confident that its appeal will succeed in overturning the fine.
The EU and U.S. are currently having issues over data protection standards, particularly concerning the transfer of personal data across borders. The EU’s GDPR, one of the world’s toughest data protection frameworks, requires companies to ensure that data transferred outside the EU is adequately protected, a standard the DPA concluded Uber had not met.