Car sharing service Uber has been fined €290 million by the Dutch privacy watchdog AP for sharing drivers’ details with its US headquarters in violation of EU data protection rules.

The case was brought by French human rights group LDH on behalf of a group of 170 drivers under the EU’s general data protection regulation (GDPR). It was heard in the Netherlands because Uber’s European headquarters are in Amsterdam.

It is the biggest fine ever imposed by the AP, which can penalise companies up to 4% of their annual turnover. Uber, which has said it will appeal, posted worldwide turnover of €34.5 billion last year.

The AP said Uber had committed a “serious breach” of the EU’s data protection rules by passing on sensitive information including photographs, banking details, criminal records and in some cases drivers’ medical history.

“In Europe the GDPR protects people’s basic rights by demanding that companies and governments handle their personal details diligently,” AP chairman Aleid Wolfsen said. “But outside Europe that is sadly not always the case. Governments are able to intercept data on a large scale.”

The information was shared under the EU-US privacy shield framework, but this was declared invalid by the European Court of Justice in 2020 because it did not adequately protect EU citizens from government surveillance.

Uber was fined €600,000 by the AP in 2018 and €10 million in Janurary for other privacy breaches. In the second ruling, which Uber has also appealed against, the regulator said it had made it unnecessarily difficult for drivers to see what information the company held on them.