How to not be fined €290m: lessons on compliant international data transfers
At the end of August 2024 Uber was fined €290m by the Dutch Data Protection Authority (Dutch DPA) for transferring the personal data of its EU-based drivers to servers in the US contrary to EU GDPR. We consider the fine and how UK-based organisations can compliantly transfer personal data outside of the UK.
The legal background
Under EU GDPR organisations may only transfer personal data outside of the European Economic Area if one of the following applies: (i) the European Commission has deemed that the country has adequate protections for personal data (known as an 'adequacy decision'), (ii) the transfer is done using one of the transfer tools (known as 'appropriate safeguards') set out in EU GDPR, or (iii) certain limited derogations apply. One of the most commonly used appropriate safeguards under EU GDPR is the Standard Contractual Clauses, which the EU Commission has drafted to ensure suitable protections are provided for personal data being transferred to a country without an adequacy decision in place.
In July 2023, the EU Commission granted an adequacy decision to the US but only for those US organisations certified under the EU-US Data Privacy Framework. By certifying under the Data Privacy Framework, these organisations are deemed to provide adequate protections for personal data, enabling personal data to flow to these organisations in the US from the European Economic Area. Before July 2023, there had not been an adequacy decision in place for the US since 2020 so the only way to transfer personal data from the European Economic Area was by using one of the appropriate safeguards set out in EU GDPR.
The factual background
According to the Dutch DPA, Uber collected personal data (including sensitive personal data) from its European drivers and retained it on servers belonging to an Uber group entity in the US. The personal data held on the US servers included account details, copies of taxi licences, location data, photographs, payment information, identity documents, and in some cases criminal and medical records.
The Dutch DPA allege that Uber failed to comply with EU GDPR and failed to provide sufficient protection for its drivers' personal data between February 2021 and the end of 2023. This is because Uber stopped using the Standard Contractual Clauses in February 2021 and only became certified under the EU-US Data Privacy Framework at the end of 2023.
The Dutch DPA began its investigation into Uber after more than 170 Uber drivers based in France raised complaints to a French human rights interest group, which in turn submitted a complaint to the French data protection authority. The French data protection authority passed the complaint to the Dutch DPA as Uber's European headquarters are located in the Netherlands.
Interestingly, this is not the first fine that Uber has received from the Dutch DPA. The Dutch DPA previously issued Uber two fines of €600,000 and €10m, in 2018 and 2023 respectively.
How is this relevant to UK organisations?
Although the Uber fine was brought under EU GDPR, organisations in the UK are subject to almost identical rules when transferring personal data outside of the UK under UK GDPR. This is because, following Brexit, the UK data protection regime currently mirrors the data protection regime in the EU. Both the previous and current governments in the UK have talked about reforming the UK data protection regime, but no changes have been made to date.
What lessons can UK organisations take from this?
- Consider whether you need to transfer personal data
Organisations should always consider this when sharing personal data, regardless of whether it is being transferred internationally. Where possible, organisations should strip out any personal data or anonymise it so that it is no longer personal data and does not fall within the scope of UK GDPR. Considering whether data needs to be transferred will also help you meet your data minimisation obligations under UK GDPR.
- Intra-group international data transfers are not exempt
In this case, Uber was transferring personal data from a European group entity to a US group entity. This should be a reminder to organisations that the rules in UK GDPR relating to international data transfers still apply to intra-group international transfers of personal data.
Whilst organisations transferring personal data within the UK between UK based entities do not need to comply with the international data transfer provisions set out in UK GDPR, they should remember that they still need to comply with the rest of the data sharing provisions in UK GDPR.
- Non-compliance is costly
The Dutch DPA took the view that Uber's breach of EU GDPR was a serious breach, possibly because of the length of the period of non-compliance and the volume of sensitive personal data involved. In any event, the fine shows that data protection authorities are keeping an eye out for non-compliant international data transfers and are willing to take robust enforcement action. Although this was a decision made under EU GDPR, the UK data protection authority (the ICO) may well follow this example in the case of serious breaches.
The value of the fine is also a good reminder that the cost of failing to comply with data protection law is high. In the UK, our data protection authority (the ICO) can issue fines of up to £17.5m or 4% of an organisation's worldwide turnover (whichever is higher) for serious breaches of data protection law.
Beyond monetary cost, data protection authorities have no qualms about naming and shaming organisations that fail to comply with data protection law, as the widespread media coverage of Uber's fine shows.
One might also speculate that Uber's history of non-compliance (which has resulted in two substantial fines previously) has placed it firmly on the Dutch DPA's radar. Organisations should bear in mind that once data protection authorities identify non-compliance, they might find themselves under increased scrutiny.
- Remember that not all adequacy decisions are created equal
Where an adequacy decision is in place, this is usually the easiest international data transfer mechanism to rely on. However, not all adequacy decisions are the same. For example, the UK adequacy decision for the European Economic Area is straightforward and enables the free flow of personal data to countries in the European Economic Area. In contrast, the adequacy decision for the US only covers personal data which is transferred under the UK Extension to the EU-US Data Privacy Framework. There are restrictions on the personal data that can be transferred, and it can only be sent to organisations that are certified under the EU-US Data Privacy Framework and have opted in to the UK Extension.
Before relying on an adequacy decision, organisations should check whether it is subject to any conditions relating to the country they are seeking to transfer personal data to.
- Keep up to date in a shifting landscape
Organisations need to keep up with changes in the data protection world. Organisations relying on an adequacy decision to transfer personal data internationally need to remember that these decisions are reviewed every four years and may change. Adequacy decisions can also be invalidated by court proceedings.
The standard data protection clauses (such as the European Standard Contractual Clauses and the UK International Data Transfer Agreement) may be updated from time to time too.
Organisations should consider including a back-up transfer mechanism in their data sharing agreements, should anything change, as changes in this area can happen quickly.
What happens next?
Uber has announced that it will contest the decision and fine of the Dutch DPA. A spokesperson for Uber said “this flawed decision and extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail.”
Whilst an appeal may mean that the amount of the fine is reduced or the decision changes, it could be argued that the damage has already been done: rather than remembering the outcome of the appeal, individuals will instead remember the initial headline and the €290m price tag for the alleged non-compliance.