Dutch watchdog slaps Uber with $324 million fine over driver data
A photo illustration shows the Uber application on a mobile phone in central Paris, France, March 5, 2020. (Reuters Photo)


Ride-hailing service Uber has been fined 290 million euros ($324 million) in the Netherlands for allegedly transferring personal details of European drivers to the United States without adequate protection, the Dutch data protection watchdog announced on Monday.

Uber called the decision flawed and unjustified and said it would appeal.

The Dutch Data Protection Authority (DPA) said the data transfers spanning more than two years amounted to a "serious" breach of the European Union's General Data Protection Regulation (GDPR), which requires technical and organizational measures aimed at protecting user data.

"In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care," Dutch DPA Chairperson Aleid Wolfsen said in a statement.

"But sadly, this is not self-evident outside Europe. Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union," Wolfsen noted.

"Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the U.S. That is very serious."

The DPA said Uber collected sensitive information of European drivers, including taxi licenses, location data, photos, payment details, identity documents, "and in some cases even criminal and medical data of drivers."

Over a two-year period, it said, the information was transferred to Uber's U.S. headquarters without using transfer tools.

"Because of this, the protection of personal data was not sufficient," the DPA noted.

The EU has rolled out a series of rules for Big Tech firms and imposed huge fines for breaches in recent years.

The DPA said it started the investigation after more than 170 French drivers complained to a human rights interest group, which then filed a complaint with France's data protection watchdog.

Under the GDPR, a business that processes data in several EU countries must deal with the data protection authority where its main office is located. Uber's European headquarters are in the Netherlands.

It is the DPA's third fine against Uber, following fines of 600,000 euros in 2018 and 10 million euros last year.

Uber insisted it did nothing wrong.

"This flawed decision and extraordinary fine are completely unjustified," the company said in a statement.

"Uber's cross-border data transfer process was compliant with GDPR during a three-year period of immense uncertainty between the EU and the U.S. We will appeal and remain confident that common sense will prevail," it added.

The alleged breach came after the EU's top court ruled in 2020 that an agreement known as Privacy Shield that allowed thousands of companies – from tech giants to small financial firms – to transfer data to the United States was invalid because the American government could snoop on people's data.

The Dutch data protection agency said that following the EU court ruling, standard clauses in contracts could provide a basis for transferring data outside the EU, "but only if an equivalent level of protection can be guaranteed in practice."

"Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected," the watchdog said. It added that Uber has been using the successor to Privacy Shield since the end of last year, ending the alleged breach.