Dutch watchdog orders Uber to pay record $324 million fine

The Dutch Data Protection Authority has ordered Uber to pay a record 290 million euro ($324 million) fine for transferring data of its European drivers to the United States without adequate protection, the agency announced on Monday.

The investigation began after more than 170 French drivers complained to a French human rights group. The case was eventually turned over to the Netherlands, where Uber’s European headquarters is located.

The Dutch DPA found that Uber did not use adequate protection for more than 2 years to transfer sensitive data about its European drivers – including location data, photos, IDs and even criminal and medical data – to servers in the U.S.

The failure to use transfer tools is considered a serious violation of the General Data Protection Regulation (GDPR).

“In Europe, the GDPR protects the fundamental rights of people, by requiring businesses and governments to handle personal data with due care. But sadly, this is not self-evident outside Europe,” DPA Chairman Aleid Wolfsen said in a statement.

Wolfsen added: “Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store personal data of Europeans outside the European Union.”

DPAs have the authority to issue fines of up to 4% of a company’s worldwide annual turnover, though the 290 million euro ($324 million) fine issued on Monday amounts to roughly 0.8% in Uber’s case. It’s the largest fine ever issued by the Dutch DPA.

Uber said it will appeal the fine, emphasizing that its data transfer process was compliant with GDPR. “This flawed decision and extraordinary fine are completely unjustified,” the company said in a statement.