On 26 August 2024, the Dutch Data Protection Authority (“DPA”), the Autoriteit Persoonsgegevens (“AP”), announced a fine of €290m imposed on Uber BV and Uber Technologies Inc. (together, “Uber”). The AP found that Uber had failed to put adequate safeguards in place for the transfer of sensitive personal data of European Uber drivers from its servers in the EEA to the United States. The AP treated this failure as a serious violation of Article 44 of the EU General Data Protection Regulation (“EU GDPR”). Uber has rejected the decision and has indicated that it intends to appeal. This article considers the issues examined by the AP.
The Investigation
The complaints against Uber were originally filed with the French DPA in June 2020 and September 2021 by a human rights organisation, Ligue des droits de l’Homme (“LDH”), on behalf of 172 Uber drivers. The drivers alleged that Uber had mishandled their personal data; the LDH collated the individual complaints and sent them to the French DPA. Because Uber’s EU headquarters is in Amsterdam, the French DPA referred the case to the AP as lead supervisory authority. In April 2021, the AP launched an investigation into the complaints lodged against Uber.
During the investigation, the AP found that between August 2021 and November 2023 Uber had mishandled sensitive information about the drivers, including account details, taxi licences, location data, photos, payment details, identity documents and, in some cases, criminal and medical data. Uber had transferred this personal data from its EU entity, Uber BV, to its US entity, Uber Technologies Inc., under a joint controller agreement. The AP held that these transfers violated Article 44 of the EU GDPR, because the safeguards needed to ensure an adequate level of protection for the personal data were absent.
Safeguards for international transfers of personal data
Under Article 45 of Regulation (EU) 2016/679, the European Commission can determine that a jurisdiction outside the EEA offers a level of data protection essentially equivalent to that of the EU GDPR. Once a jurisdiction is the subject of such an “adequacy decision”, personal data may be transferred from the EEA to it without any further safeguards. In the absence of an adequacy decision, a transfer may instead proceed if it is subject to “appropriate safeguards” under Article 46, which must include enforceable rights and effective legal remedies for individuals in the event of a breach or mishandling of their personal data. These mechanisms are commonly referred to as “transfer tools”. The difficulty in the Uber case is that, during the period under investigation, the tools available for transfers to the US changed on several occasions.
Safeguards relied on by Uber
For the transfers examined in this case, Uber had initially relied on the 2016 EU-US Privacy Shield Framework to ensure that personal data transfers between its EU and US entities were subject to appropriate safeguards. However, in its 2020 judgment in Schrems II, the European Court of Justice (“ECJ”) declared the EU-US Privacy Shield Framework invalid, because it did not provide EU data subjects with adequate protection against access by US government surveillance programmes or with effective redress. As a result, Uber could no longer rely on the Privacy Shield to cover the exchange of personal data between its EU and US entities.
Following the invalidation of the Privacy Shield in Schrems II, companies with an EU-US presence could rely on the transfer tools listed in Article 46 of the EU GDPR to provide appropriate safeguards for transfers between their EU and US entities. The most widely used Article 46 tool is the Standard Contractual Clauses (“SCCs”), a set of standardised contract clauses adopted by the European Commission in June 2021 to provide safeguards for the transfer of personal data from an EU entity to an entity established in a third country, provided that the level of protection set out in the SCCs can actually be guaranteed in practice. However, from August 2021 until November 2023 Uber did not use the SCCs (or any other appropriate safeguard). There was therefore a gap of more than two years during which Uber relied on no appropriate safeguards at all when transferring personal data between its EU and US entities.
Uber’s Arguments
During the proceedings, Uber argued that the legal position during the two-year period in which it relied on no appropriate safeguards was uncertain, given the repeated changes to the rules governing EU-US transfers. Uber’s spokesperson, Caspar Nixon, described the period between the 2020 invalidation of the EU-US Privacy Shield and the adoption of the new EU-US Data Privacy Framework in 2023 as a “…3-year period of immense uncertainty between the EU and US.”
This sentiment ran throughout the investigation. Uber argued that it stopped using the SCCs in August 2021 in reliance on recital 7 of the Commission decision adopting the SCCs, which states that the SCCs need not be used where the processing by the data importer (here, Uber’s US entity) is already directly subject to the EU GDPR by virtue of Article 3(2), because the importer offers services to data subjects in the EU.
Article 3(2) provides that the EU GDPR applies to a controller or processor not established in the EU where the processing activities relate to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.” On this reasoning, Uber contended that the EU GDPR applied directly to its US entity under the joint controller agreement, so that the entities did not need to rely on the SCCs for the transfers to the US entity.
Uber further argued that, under the derogations in Article 49(1)(b) and (c) of the EU GDPR, it was exempt from the requirement for an adequacy decision or appropriate safeguards, because the transfers were necessary for the conclusion and performance of the contracts between the drivers and the controller. This necessity, Uber maintained, arose from the company’s centralised IT infrastructure.
The AP’s Judgment
In its decision, the AP accepted that the EU GDPR extended to the processing operations in question. It held, however, that the extraterritorial application of the Regulation cannot by itself deliver the same level of protection to data subjects, because the Regulation is far harder to enforce against an entity in a third country. The AP therefore ruled that Uber should have complied with Article 44 and used an appropriate transfer tool to provide safeguards that compensate for that enforcement gap.
On Uber’s reliance on Article 49(1)(b) and (c), the AP held that the Article 49 derogations apply only to occasional, non-systematic transfers and only where the transfer is strictly necessary; they are narrow exceptions and not a general substitute for a transfer tool. The AP found that Uber had transferred the data systematically and without such necessity, and that it therefore could not rely on Article 49(1)(b) and (c) as a defence.
The Consequences
The AP imposed a fine of €290m on Uber for the breach of Article 44 of the EU GDPR. Although this is a substantial figure, it sits at the lower end of the scale for an Article 44 violation, which the Regulation treats as a serious breach. Under Article 83, the AP could have levied a fine of up to 4% of Uber’s total worldwide annual turnover for the preceding financial year, which would have exceeded €1bn had the maximum 4% rate been applied. The fine demonstrates the considerable enforcement powers that DPAs have at their disposal for non-compliance with the Regulation.
What can international businesses with an EU presence learn from this?
We have set out below some key takeaways from this judgment:
One final note of caution concerns the use by EU data controllers of the EU-US Data Privacy Framework. An EU data controller that wants to transfer personal data to the US under the Framework must first confirm that the US-based controller or processor is a certified participant before engaging in any transfers with it. Participating organisations are recorded in the Data Privacy Framework List, which is published on the US Department of Commerce’s Data Privacy Framework website.
For more information in relation to any of the issues raised in this article, please contact Mark Thompson, Partner, Caroline McNally, Of Counsel, Keith Dunn, Senior Associate, Patrick Murray, Trainee Solicitor or a member of our Commercial & Technology team.
Date published: 5 December 2024