The Dutch Data Protection Authority (AP) fined Uber Technologies Inc. a record 290 million euros ($324 million) for transferring the personal data of European taxi drivers to US data centers.
AP said the transfer of European taxi drivers' personal data to the US is a "serious violation" of the General Data Protection Regulation (GDPR).
The sensitive information collected from drivers included account details and taxi licenses, location data, photos, payment details, IDs, and even criminal data and medical records.
"In Europe, the GDPR protects people's fundamental rights by requiring companies and governments to handle personal data with care," AP President Aleid Wolfsen wrote in a statement, adding, "But unfortunately, this is not self-evident outside Europe. Think of governments that can tap data on a large scale."
Wolfsen continued, "That is why companies are usually required to take additional measures when storing personal data of Europeans outside the European Union. Uber has not ensured the level of protection for drivers required by the GDPR for data transfers to the US. This is very serious."
AP said the ride-hailing service sent the personal data to US servers for more than two years without using data transfer tools that protect privacy.
The Dutch watchdog noted, "The investigation into Uber began after more than 170 French drivers filed a complaint with the Ligue des droits de l'Homme (LDH), a French human rights advocacy group. LDH then filed a complaint with the French privacy regulator."
A spokesperson for the watchdog group told Bloomberg that this is the largest penalty AP has ever issued against any company.
This is also the largest fine Uber has received anywhere in the world.
Caspar Nixon, a spokesperson for Uber, called the fine "completely unjustified" and said the ride-hailing company will appeal against the decision.
In premarket trading in New York, Uber shares ignored the news out of Europe about the record fine.