The authorities in the Netherlands said the ride-hailing company had violated European data protection laws when it sent sensitive information to the United States.
Uber faces a fine of 290 million euros, or more than $324 million, over a violation of European Union rules that protect data privacy, a Dutch agency said Monday.
The agency, the Dutch Data Protection Authority, found that Uber, which has its European headquarters in Amsterdam, transferred sensitive information about its drivers in Europe to the United States without using tools to protect it. Among the personal data was account details, taxi licenses, photos, identification documents and in some cases, criminal and medical data.
Uber rejected the ruling and said it planned to appeal. “This flawed decision and extraordinary fine are completely unjustified,” said Michael Valvo, an Uber spokesman.
In Europe, a law known as the General Data Protection Regulation, which took effect in 2018, allows people to request their online data and restricts how businesses obtain and handle the information. It requires businesses transferring and storing personal data outside Europe to take additional security measures to ensure its protection.
“Uber did not meet the requirements of the G.D.P.R. to ensure the level of protection to the data with regard to transfers to the U.S.,” Aleid Wolfsen, head of the Dutch agency, said in a statement. “That is very serious.”
Uber insists that its cross-border data transfer process has always been compliant with European regulations and that it applies the rules of the G.D.P.R. to the data of all its drivers and customers who live in Europe, regardless of where in the world they are using the company’s app.
The Dutch authority began its investigation at the request of a French group, the Human Rights League, which represented 170 Uber drivers who said Uber had violated their data privacy rights.
Uber will not have to pay the fine until after a ruling on its appeal, which could take up to four years, the company said.