In a notable decision, the Dutch Data Protection Authority (DPA) has fined Uber B.V €290 million for breaches of the EU GDPR following the unlawful transfers of personal data from the European Economic Area (EEA) to the US. Uber has also been fined following various other breaches of the EU GDPR – collectively leading to one of the largest EU GDPR fines ever.
Whilst it was a fine pursuant to a breach of the EU GDPR, the applicable law remains substantively the same in the UK. The fine is an important reminder of the risks of transferring personal data around the world – from the UK or the EU.
Legal background
Almost all organisations (and sole traders) will process personal data as part of their day-to-day operations.
Controllers (and processors) of personal data are prevented from making ‘restricted transfers.’ A restricted transfer is where an organisation exports personal data from the UK (or, under the EU GDPR, the EEA) to a third country that has not been deemed as providing adequate protection to UK/EU data subjects and there are no adequate safeguards in place to protect data subject rights.
Exportation not only includes sending data from one country to another (e.g. via email) but also making it available to another organisation based outside the UK/EEA.
Both a third country’s adequacy and the question of what appropriate safeguards are necessary are relevant to the DPA’s decision. There is a (short) list of third countries that are adequate from a data protection perspective (the EU and the UK currently have the same list).
Between 2016 and 2020, the US and the EU (at the time including the UK) entered into what was then known as the EU-US Privacy Shield. US-based organisations that participated in the Privacy Shield were, in essence, deemed to provide adequate protections to data subjects’ rights and no further adequate safeguards were required when EU organisations exported data to the US.
One of the most frequently relied-on adequate safeguards is ‘Standard Contractual Clauses’ (SCCs). These are standardised clauses that are to be included in any agreement between an EU/UK data exporter and an American data importer (or indeed in an agreement with any importer in a non-adequate jurisdiction). Those clauses permitted, in essence, affected data subjects to enforce their rights directly.
In 2020, the European Court of Justice in its Schrems II decision invalidated the EU-US Privacy Shield. Schrems II also set the stage for the EU (and in parallel the UK post-Brexit) to update the SCCs. The new SCCs came into force in the EU in 2021 and in the UK in March 2022. There is also a replacement for the EU-US Privacy Shield now in force – the Data Privacy Framework (which also incorporates the US-UK Data Bridge – an arm of the Data Privacy Framework replicating the EU’s adequacy findings across the UK).
Uber’s fine by the DPA
What happened?
Back in 2021, a French human rights organisation submitted a complaint to France’s data protection regulator on behalf of 170 Uber drivers. In the EU, data protection regulators coordinate. The regulator (in this case the DPA) issues the judgment and the fine.
Part of that complaint was, in summary, that the drivers’ personal data was being sent by Uber B.V to Uber’s parent company (and headquarters) in the US. The UK/EU GDPR does not legislate for a difference between intra-group transfers and transfers to a third party.
This personal data included, per the DPA: ‘location data, photos, payment details, identity documents, and in some cases even criminal and medical data of drivers.’
What was the DPA’s decision?
A DPA press release, rather than a full text of the decision, covers the outcome.
On investigation, the DPA identified that after the invalidation of the EU-US Privacy Shield in 2020, Uber only put in place SCCs between Uber B.V and its American parent until August 2021. After that point, it appears from the press release that valid SCCs were not in place.
After August 2021, therefore, all the transfers by Uber B.V to its parent were in breach of the EU GDPR. It is not clear what in fact occurred in the intervening period, although Uber B.V has stated publicly that it believes it was compliant with the rules.
According to the DPA, Uber’s unlawful conduct only ended in 2023 when Uber’s parent company was approved as part of the new Data Privacy Framework which replaced the EU-US Privacy Shield.
In determining the fine, the usual penalty principles under the EU (and UK) GDPR apply – a data protection regulator has the power, in the case of serious breaches, to issue fines up to €20 million or 4% of worldwide annual revenue (whichever is greater). In the UK, the figure is £15.5 million (or 4% worldwide annual revenue).
The DPA’s fine of €290 million is a figure less than 4% of worldwide annual revenue, so the maximum penalty was not imposed (the figure is more like 1% of Uber’s €34.5 billion revenue in 2023).
Uber plans to appeal.
Commentary
Penalties resulting from breaches of international personal data transfer rules are rarer than other categories of fines. It is clear, though, that the EU takes international transfers seriously: Meta was hit with a €1.2 billion fine in 2021 over unlawful personal data transfers to the US.
With the new EU-US Data Privacy Framework (and UK-US Data Bridge) in place and a settling of the new SCCs (the old SCCs were phased out officially on 21 March 2024), we can expect to see more decisions (and fines!) over non-compliance with the new regime being handed down in the UK and the EU.
Of course, the rules around international transfers do not just apply to the US. Organisations in the UK or the EU that export personal data to non-adequate countries must comply with the rules pertaining to international transfers or risk enforcement action.
At EM Law, we are experts in data protection. Our team has extensive experience in assisting clients with their UK GDPR obligations when they make international personal data transfers. If you have any questions about international transfers, or if you think that your SCCs and data protection documents might need a refresh, please do not hesitate to contact Neil Williamson or Colin Lambertus.