“Uber’s cross-border data transfers have been GDPR compliant throughout a three-year period of enormous uncertainty between the EU and the US,” an Uber spokesperson said.
“This flawed decision and the extraordinary fine are completely unjustified,” the statement added.
While data transfers to the US are permitted under EU law, there is a great deal of uncertainty as to when this can take place without the need for further authorization.
DPA chief Aled Wolfson said the company had failed to meet GDPR requirements “to ensure a level of data protection in relation to transfers to the United States.”
“This is very serious,” he added, noting that Uber also failed to adequately protect data.
The data protection authority said Uber collected sensitive information about European drivers, including taxi licenses, location data, photos, payment details, identity documents and “in some cases even drivers’ criminal and medical data”.
It said it launched the investigation after more than 170 French drivers complained to a French human rights group, which then filed a complaint with France’s data protection watchdog.
Under the rules of the General Data Protection Regulation, a company that processes data in several EU countries must deal with the data protection authority where its head office is located. Uber’s European headquarters are in the Netherlands.
“In Europe, the General Data Protection Regulation protects people’s fundamental rights, by requiring companies and governments to handle personal data with due care,” said Mr. Wolfson.
“Think about governments that can leverage data on a massive scale,” he said, explaining that “companies are often required to take additional measures if they store Europeans’ personal data outside the EU.”
This is the third fine imposed by the data protection authority against Uber, following fines of €600,000 (£508,000) in 2018 and €10m (£8.5m) last year.
The European Union has rolled out a series of rules for big tech companies and imposed huge fines for violations in recent years.
Last year, Irish regulators fined TikTok €345m (£296m) for violating children’s privacy under GDPR rules.
“Explorer. Unapologetic entrepreneur. Alcohol fanatic. Certified writer. Wannabe tv evangelist. Twitter fanatic. Student. Web scholar. Travel buff.”
