Netherlands’ data protection regulator, DPA, has slapped a €290 million fine on popular ride-hailing service, Uber, for violating European Union (EU) guidelines by transferring European taxi drivers’ personal information to America. Uber has since discontinued this practice, as per DPA’s confirmation.
Uber’s spokesperson, Caspar Nixon, conveyed the company’s dissatisfaction with what he termed as an “unjustifiable” ruling and “excessive” penalty in an email to Reuters. He maintained that during a time of significant ambiguity between the EU and the US, Uber’s process of data transfer across borders conformed with the General Data Protection Regulation (GDPR). Nixon revealed that the company plans to contest the decision, expecting “common sense to triumph” eventually.
On the other hand, the DPA stated that Uber didn’t sufficiently secure the data while sending it to the US, constituting a “grave non-compliance of the GDPR.” Uber retains the right to challenge the decision before the DPA, and if unsuccessful, the case can be escalated to the Dutch courts. DPA estimates that the appeal process could take roughly four years, within which period any fines will be halted until all possible legal avenues are pursued.
The inquiry was initiated following a group complaint by over 170 French taxi drivers, lodged through a French human rights organisation to their country’s data protection authority. Owing to Uber’s European base in the Netherlands, the complaint was redirected to the DPA. French data protection watchdog CNIL concurrently announced its collaboration with the DPA on the issue.
Earlier this year, the DPA levied a fine of 10 million euros ($11 million) against Uber over a separate violation of privacy norms related to its drivers’ personal data. © Copyright Thomson Reuters 2024