Uber Technologies has been fined a record €290 million by the Dutch Data Protection Authority (DPA) for failing to comply with European data protection standards.
The fine is the largest ever imposed by the Dutch watchdog and represents the most significant penalty Uber has faced globally.
The DPA found that Uber had been transferring sensitive driver data, including taxi licenses, location information, and, in some cases, criminal and medical records, from Europe to its US headquarters without adequate privacy safeguards.
The data was retained on US servers for over two years. Uber did not utilize proper data transfer tools designed to protect privacy, leaving the information “insufficiently protected,” the watchdog said on Monday. Uber ceased this practice last year.
Caspar Nixon, an Uber spokesman, called the fine “completely unjustified” and asserted that Uber’s data transfer practices were compliant with European laws. He stated that the company plans to appeal the decision.
Aleid Wolfsen, chairman of the Dutch Data Protection Authority, emphasized the seriousness of the violation.
“Uber did not meet the requirements of European laws to ensure adequate protection for data transfers to the US,” Wolfsen said in a statement.
The investigation was initiated following complaints from over 170 French drivers filed with a French human rights group.
Uber’s European headquarters is in the Netherlands, so the Dutch DPA handled the probe.
This fine marks the third penalty Uber has received from the Dutch privacy watchdog.
Previous fines included penalties for insufficient transparency regarding data retention and failing to report a data breach promptly in 2018.
Under European privacy regulations, fines can reach up to 4% of a company’s global annual revenue.