The US ride-hailing service Uber is to pay a fine of 290 million euros in the Netherlands because sensitive data from its drivers in Europe was transmitted to the company’s management in the USA without adequate protection. This is a serious violation of the EU General Data Protection Regulation, the Dutch Data Protection Authority announced on Monday; it is responsible for Uber in the EU. The US company announced it would appeal.
According to the data protection authority, Uber collected “sensitive information” about its drivers in Europe: location data, photos, payroll documents, identity documents and in some cases even information about crimes committed or health. For two years, this data was transferred to the USA without adequate protection. The starting point of the investigation by the Dutch data protection authority were complaints from more than 170 Uber drivers in France.
Uber said the DPA’s “erroneous” decision and the “extraordinary penalty” were “totally unjustified.” The cross-border data transfer process took place “during a three-year period of great uncertainty between the EU and the US” in accordance with the General Data Protection Regulation (GDPR). According to the Dutch DPA, Uber has since ended its breach of the GDPR.
The head of the Dutch data protection authority, Aleid Wolfsen, explained that in Europe, the GDPR requires companies and governments to “treat personal data with caution”. “Sadly” this is not a given outside Europe. “Think of governments that can tap into data on a large scale. That is why companies are obliged to take extra measures when storing the data of Europeans outside Europe.”
