Ride-hailing company Uber has been fined 290 million euros ($324 million) in the Netherlands for sending personal data of European taxi drivers to the United States in violation of European Union rules, the Dutch data protection agency said on Monday.
The German News Agency added that Uber has stopped this practice.
“This flawed decision and extraordinary fine are completely unjustified,” Uber spokesman Casper Nixon told Reuters in an email.
“Uber’s cross-border data transfers were GDPR-compliant during three years of enormous uncertainty between the EU and the US,” he added, saying the company would appeal the ruling and expressing confidence that “common sense will prevail.”
The German data protection agency said Uber transferred personal data to the United States and failed to protect the data adequately.
“This constitutes a serious violation of the General Data Protection Regulation (GDPR),” the company said.
Uber can appeal the decision to the Dutch Data Protection Authority, and if it is unsuccessful, it can take legal action in Dutch courts. The appeal process is expected to take about four years, and any fines will be suspended until all legal avenues have been exhausted, according to the Dutch Data Protection Authority.
The investigation was launched after a French human rights organization filed a complaint on behalf of more than 170 taxi drivers in France with the country’s data protection authority. But since Uber’s European headquarters are in the Netherlands, it was referred to the German data protection authority.
The French National Data Protection Authority (CNIL) said in a separate statement that it had cooperated with the German data protection agency.
In a related case, Germany’s data protection agency fined Uber 10 million euros ($11 million) in January for violating privacy rules regarding its drivers’ personal data.
(1 dollar = 0.8942 euro)