AMSTERDAM, (Reuters) – Ride-hailing platform Uber has been fined 290 million euros ($324 million) in the Netherlands for sending the personal data of European taxi drivers to the United States in violation of EU rules, Dutch data protection watchdog DPA said on Monday.
Uber has stopped the practice, the DPA added.
“This flawed decision and extraordinary fine are completely unjustified,” Uber spokesperson Caspar Nixon told Reuters in an email.
“Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S.,” he added, saying the company would appeal and was confident that “common sense will prevail”.
The DPA said Uber transferred personal data to the United States and failed to appropriately safeguard the data.
“This constitutes a serious violation of the General Data Protection Regulation (GDPR),” it said.
Uber can appeal the decision with the DPA and if unsuccessful can then file a case with the Dutch courts. The appeals process is expected to take some four years and any fines are suspended until all legal recourses have been exhausted, according to the DPA.
The investigation was triggered after a French human rights organisation lodged a complaint on behalf of more than 170 taxi drivers in France with the country’s data protection authority. However, as Uber has its European headquarters in the Netherlands, it was forwarded to the DPA.
French national data protection regulator CNIL said in a separate statement that it had cooperated with the DPA.
In a related case, the DPA fined Uber 10 million euros ($11 million) in January for infringement of privacy regulations regarding its drivers’ personal data.
($1 = 0.8942 euros)
Reporting by Stephanie Van Den Berg, Tassilo Hummel; editing by Jason Neely, Kirsten Donovan