Dutch regulator fines Uber US$324 million over transfer of sensitive driver data to US
- Uber, whose European headquarters are in the Netherlands, says it will appeal the fine
The regulator said the transfers were a “serious violation” of the European Union’s General Data Protection Regulation (GDPR), as they failed to appropriately protect driver information.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US. That is very serious,” Dutch Data Protection Authority (DPA) chairman Aleid Wolfsen said in a statement.
The DPA said Uber collected sensitive information of European drivers, including taxi licences, location data, photos, payment details, identity documents “and in some cases, even criminal and medical data of drivers”.
Over a two-year period, the DPA said, the information was transferred to Uber’s US headquarters without using transfer tools.
“Because of this, the protection of personal data was not sufficient,” the DPA said, noting that Uber has “ended the violation”.