Dutch Regulator Fines Uber for Violating Data Privacy

American ride-hailing platform Uber has been slapped with a $324 million fine in the Netherlands. Uber got fined after the Dutch Data Protection Authority (DPA) found that the company was violating the EU’s data protection laws by sending sensitive personal data to the US.

Bloomberg reported that the $324 million fine is the highest that the Dutch DPA has issued. It’s also the largest fine that Uber has received globally.

Serious Violation

Uber is said to have transferred cab drivers’ data to the US without proper safeguards over a two year period. The Dutch DPA said its investigations showed that Uber driver data sent to the US included taxi licenses, photos, location data, IDs, and in some instances, medical and criminal records.

“This constitutes a serious violation of the General Data Protection Regulation (GDPR). In Europe, the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care. But outside Europe, this is unfortunately not the case. This is why companies are usually obliged to take extra measures if they store personal data of Europeans outside the European Union,” Dutch DPA Chair Aleid Wolfsen said.

However, the DPA said that Uber stopped doing so late last year and implemented proper safeguards.

Uber to Appeal

The Dutch DPA commenced investigations on the Uber Netherlands driver data case after a human rights organization from France raised complaints with authorities in the country. The rights organization was acting on behalf of 170 cab drivers.

The complaint was forwarded to the Netherlands where Uber’s European headquarters are located. Uber was quick to deny any wrongdoing, saying the fine was not justified. In a separate statement, the French data protection regulator said it cooperated with the DPA in the case.

“This flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US,” Uber spokesperson Caspar Nixon said in an email.

Uber’s spokesperson said the company will appeal the decision and is confident that common sense will prevail. Uber can file an appeal with the DPA. If unsuccessful, the company can move the case to Dutch courts.

Second Fine in a Year

This is the second time that the Dutch DPA has fined Uber. Earlier this year, the privacy regulator fined the ride-hailing company $11 million for infringing on data privacy regulations, including handling and retention of personal data belonging to cab drivers.

The authority found that Uber had not laid out the terms and conditions for retaining drivers’ personal data, including how long the company would hold such data. The DPA also said the process of facilitating drivers to request access to their personal data was unnecessarily complicated.

A Data Privacy Framework developed last year brought to an end three years of legal headaches for tech giants. CCIA’s Head of Policy Alexandre Roure, says the decision by the Dutch DPA ignores reality.

“The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows,” he said.

CCIA is a tech industry association of which Uber is a member. Companies that violate the EU’s GDPR law can be fined up to 4% of their annual global revenue.