The Dutch data protection authority (DPA) has hit Uber with a €290mn fine for transferring European drivers' personal data to the US.
According to the DPA, the transfers constituted a “serious violation” of the EU's GDPR, as they failed to provide the necessary safeguards for data storage outside the bloc.
Following an investigation, the DPA found that, between August 2021 and November 2023, Uber was transferring sensitive data to US servers and storing it there without the additional protection tools required by the GDPR.
The data included taxi licences, account and payment details, IDs, photos, and even criminal or medical records.
“In Europe, the GDPR protects people's fundamental rights by requiring companies and governments to handle personal data with care,” said DPA chairman Aleid Wolfsen.
However, Uber failed to ensure this level of protection, he added.
The investigation was prompted by a complaint from over 170 French drivers to local human rights organisation Ligue des droits de l'Homme (LDH). LDH then filed a complaint to France's data protection watchdog CNIL.
According to the GDPR, companies processing data across the EU must answer to a single privacy authority, located in the country where a business has its European headquarters. As Uber's base is in the Netherlands, the DPA led the probe.
The DPA said that Uber has now stopped the practice. The company is also going to appeal the decision.
This is the third fine the Dutch watchdog has imposed on Uber. In 2018, the DPA fined the company €600,000 for failing to notify the agency on time of a data breach in 2016. And as of January this year, Uber is also facing a €10mn fine (again) for violating privacy rules, which it has appealed.