Uber Fined €290 Million for Data Breach in the Netherlands

AMSTERDAM (Reuters) – Ride-hailing platform Uber (NYSE:UBER) has been fined 290 million euros ($324 million) in the Netherlands for sending the personal data of European taxi drivers to the United States in violation of EU rules, Dutch data protection watchdog DPA announced on Monday.

Uber has halted this practice, according to the DPA.

“This flawed decision and extraordinary fine are completely unjustified,” stated Uber spokesperson Caspar Nixon in an email to Reuters.

Nixon added, “Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S.,” and mentioned that the company would appeal, expressing confidence that “common sense will prevail.”

The DPA highlighted that Uber transferred personal data to the United States and failed to adequately safeguard it, constituting a serious violation of the General Data Protection Regulation (GDPR).

Uber can appeal this decision with the DPA, and if that is unsuccessful, it can then take the case to Dutch courts. The appeals process is expected to last about four years, and any fines will be suspended until all legal avenues are exhausted, according to the DPA.

The investigation was initiated after a French human rights organization filed a complaint on behalf of more than 170 taxi drivers in France with the country’s data protection authority. Since Uber’s European headquarters is in the Netherlands, the case was forwarded to the DPA.

French national data protection regulator CNIL stated that it had cooperated with the DPA in this matter.

In a related case, the DPA fined Uber 10 million euros ($11 million) in January for breaches of privacy regulations concerning drivers’ personal data.

Note: ($1 = 0.8942 euros)