Ride-hailing app Uber says it will appeal against what it called an “unjustified” fine by data protection authorities in the Netherlands, the third such punishment since 2018, over the transfer of driver data from European servers to the United States.
On Monday, the Dutch Data Protection Authority, or DPA, called the transfer of information including identity documents, license and location information, and even criminal and medical records over a two-year period a “serious violation” of the EU’s General Data Protection Regulation, also known as GDPR.
The company was fined 290 million euros ($323 million), which comes on the heels of previous data-related fines of 600,000 euros in 2018, and 10 million euros last year.
The investigation began after a complaint by French drivers, and under EU rules, any such investigation of a company operating in multiple EU countries must be conducted in the country where its main office is situated, which in the case of Uber in Europe, is the Netherlands.
“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care”, said Aleid Wolfsen, chairman of the DPA.
“But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the EU.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious.”
The DPA also found that the company’s process to allow drivers to access personal data was “unnecessarily complicated.”
Uber spokesperson Caspar Nixon told Reuters that the decision was “flawed” and the financial penalty was “extraordinary”.
“Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US,” he added, saying that the company was confident “common sense will prevail” in its appeal against the punishment.
Uber has been involved in several high-profile data breaches over the years, and in May 2023 the company’s former chief security officer was sentenced to three years’ probation for attempting to covering up a breach involving millions of customer records that occurred in 2014.
In 2016, hackers again breached the company’s system, and in September 2022 there was what the company called “a cybersecurity incident”.