Uber has been hit with a hefty fine of €290 million ($324 million) by Dutch regulators for breaching EU data protection laws. The fine, announced on Monday, stems from Uber’s transfer of the personal data of European taxi drivers to the United States, a practice deemed illegal under the General Data Protection Regulation (GDPR).
The Dutch Data Protection Authority (DPA) reported that Uber transferred personal data without adequately protecting it, constituting a serious GDPR violation. “This constitutes a serious violation of the General Data Protection Regulation (GDPR),” the DPA stated in its decision.
Uber has ceased the data transfer practice, but the company strongly disputes the fine. Caspar Nixon, an Uber spokesperson, described the decision as “completely unjustified.” He emphasized that during the three years of regulatory uncertainty between the EU and the U.S., Uber’s data handling procedures were in line with GDPR requirements. “We will appeal and are confident that common sense will prevail,” Nixon added.
The fine follows an investigation initiated by a French human rights organization, which filed a complaint on behalf of over 170 French taxi drivers. Although the complaint was lodged in France, Uber’s European headquarters in the Netherlands meant the DPA was responsible for the case.
In addition to the latest fine, Uber faced a €10 million ($11 million) penalty in January for similar privacy breaches related to driver data. The company has the option to appeal the latest decision to the DPA and, if necessary, take the case to Dutch courts. The appeal process could extend over four years, with any fines suspended until all legal avenues are exhausted.
French data protection authority CNIL has also collaborated with the DPA on the case, reflecting broader European concerns over data privacy practices.
Read more on Uber, Bolt drivers in South Africa plan four-month strike for better safety measures
