Dutch regulator fines app £246m for transferring driver data

The Dutch data protection regulator said on Monday that car rental app Uber has been fined 290 million euros ($324 million) for transferring the personal data of European drivers to US servers in violation of European Union rules.

The Dutch data protection authority said the transfers were a “serious breach” of the European Union’s General Data Protection Regulation (GDPR), as they failed to adequately protect driver information.

According to the watchdog, information, including identity documents, taxi licenses and location data, was transferred to the company’s US headquarters over a two-year period.

Uber said it would appeal the fine, which it called “unjustified.”

“Uber’s cross-border data transfers have been GDPR compliant during a three-year period of enormous uncertainty between the EU and the US,” an Uber spokesperson said.

“This flawed decision and the extraordinary fine are completely unjustified,” the statement added.

While data transfer to the US is permitted under EU law, there is significant uncertainty about when this can happen without the need for further authorization.

The head of the German Data Protection Agency, Aled Wolffsen, said the company had failed to meet the requirements of the General Data Protection Regulation “to ensure the level of data protection in relation to transfers to the United States.”

“This is very serious,” he added, noting that Uber also failed to adequately protect data.

The German data protection agency said Uber collected sensitive information about European drivers, including taxi licenses, location data, photos, payment details, identity documents, and “in some cases even criminal and medical data of drivers.”

The company said it began the investigation after more than 170 French drivers filed a complaint with a French human rights organization, which in turn filed a complaint with the French data protection authority.

Under the GDPR, companies that process data in many EU countries must deal with the data protection authority where their head office is located. Uber’s European headquarters are in the Netherlands.

“In Europe, the General Data Protection Regulation protects people’s fundamental rights, by requiring companies and governments to handle personal data with extreme care,” said Mr Wolfson.

“Think about governments that can exploit data on a massive scale,” he said, explaining that “companies are often obliged to take additional measures if they store Europeans’ personal data outside the EU.”

This is the third fine imposed on Uber by the German data protection agency, following fines of €600,000 (£508,000) in 2018 and €10m (£8.5m) last year.

The European Union has issued a series of rules for big tech companies and imposed huge fines for violations in recent years.

Last year, Irish regulators fined TikTok €345m (£296m) for violating children’s privacy under GDPR rules.