The Dutch Data Protection Authority (DPA) has imposed a hefty fine of 290 million euros ($324 million) on ride-hailing giant Uber for transferring the personal data of European drivers to the United States.
The regulator deemed the transfers a "serious violation" of the European Union's General Data Protection Regulation (GDPR), as Uber failed to adequately safeguard driver information during the process.
DPA Chairman Aleid Wolfsen emphasized the severity of the violation, stating, "Uber did not meet the GDPR requirements to ensure an appropriate level of protection for the data during transfers to the US. This is a very serious matter."
According to the DPA, Uber collected a range of sensitive information from European drivers, including taxi licenses, location data, photos, payment details, identity documents, and, in some cases, even criminal and medical records. Over a two-year period, this data was transferred to Uber's US headquarters without the use of required transfer tools, resulting in insufficient protection of personal data, the watchdog explained.
In response, Uber announced its intention to appeal the fine, calling the decision "flawed" and the penalty "completely unjustified."
A spokesperson for the company stated, "Uber's cross-border data transfer process was compliant with GDPR during a period of significant uncertainty between the EU and the US. We will appeal and remain confident that common sense will prevail."