Privacy authorities in the Netherlands have fined ride-sharing giant Uber 290 million euros ($324 million) for sending driver data to servers in the United States — "a serious violation" of the EU's General Data Protection Regulation (GDPR).
Navigating data protection fines – a closer look at Uber's GDPR case
According to the Dutch data protection authority (DPA), Uber spent years sending sensitive driver information from Europe to the United States. Among the data transferred were taxi licences, location data, payment details, identity documents and medical and criminal records. The data was sent overseas without the use of "transfer tools", which the DPA said meant the data was not sufficiently protected.
"Companies are usually required to take additional measures if they store personal data of Europeans outside the EU," Dutch DPA chairman Aleid Wolfsen said of the decision. "Uber did not meet the requirements of the GDPR to ensure the level of protection of the data with respect to transfers to the United States. This is very serious."
The Dutch data protection authority said the investigation that led to the fine began after complaints from a group of more than 170 French Uber drivers who alleged their data was sent to the United States without adequate protection. As Uber's European operations are based in the Netherlands, enforcement of GDPR violations fell to the Dutch data protection authority.
