Uber, the world-famous ride-hailing service, has found itself in a sticky situation. On Monday, the company was slapped with a massive €290 million fine for transferring personal data of European drivers to its headquarters in the United States. The Dutch Data Protection Authority (DPA) revealed that this move was in direct violation of the European Union’s strict privacy laws, specifically the General Data Protection Regulation (GDPR).

The DPA didn’t hold back in its criticism. It stated that Uber had transferred sensitive driver information, including ID documents, taxi licenses, and location data, without taking the necessary steps to protect this data according to GDPR standards. This unauthorized data transfer spanned two years, leaving many European drivers vulnerable to potential misuse of their personal information.

Uber, however, isn’t taking this fine lightly. The company has voiced its disagreement with the DPA’s decision, labeling the fine as “unjustified.” A spokesperson for Uber stated, “Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. This flawed decision and extraordinary fine are completely unjustified.”

But why is this such a big deal? Under GDPR, businesses operating in Europe are required to handle personal data with extreme care, ensuring that it is protected and not misused. When data is transferred outside the EU, especially to countries like the US, there are additional rules and protections that must be followed. The DPA’s chairman, Aleid Wolfsen, emphasized this point, saying that Uber failed to meet these requirements, making their actions “very serious.”

The watchdog detailed that Uber collected a wide range of sensitive information from its European drivers. This included not just basic details like taxi licenses and location data, but also more sensitive information like payment details, identity documents, and in some cases, even criminal and medical records of drivers. This extensive data collection and the subsequent transfer to US servers raised significant concerns about how well the information was being protected.

The issue first came to light after more than 170 French drivers lodged complaints with a French human rights group. These complaints were then passed on to France’s data protection watchdog, prompting the DPA to launch a thorough investigation. The findings of this investigation ultimately led to the hefty €290 million fine.

This isn’t the first time Uber has found itself in trouble with European regulators. In fact, this is the third fine that the DPA has issued against the company. Back in 2018, Uber was fined €600,000 for a separate data breach, and just last year, they were hit with a €10 million fine for another violation of GDPR rules.

The EU has been cracking down on big tech companies in recent years, introducing a series of regulations designed to protect the privacy of its citizens. These rules, like the GDPR, are some of the strictest in the world, and violations can lead to substantial penalties. For example, last year, Irish regulators fined the popular social media platform TikTok €345 million for violating children’s privacy under GDPR.

Despite these challenges, Uber is determined to fight back. The company has already announced plans to appeal the fine, arguing that its data transfer practices were in line with the GDPR during a period of uncertainty between the EU and the US regarding data transfers.

However, the DPA remains firm in its stance. Chairman Wolfsen made it clear that businesses must take additional measures if they store personal data of Europeans outside the EU. He pointed out that while data transfers to the US are allowed under EU law, they come with strict conditions to ensure the data is protected. In Uber’s case, the DPA concluded that the company failed to meet these conditions, resulting in the substantial fine.

In Europe, GDPR is seen as a fundamental protection of people’s rights, ensuring that businesses and governments handle personal data with the utmost care. The DPA’s actions against Uber highlight the serious consequences that can arise when these rules are not followed.