290 million reasons to comply: Fine imposed on Uber for non-compliant third-party transfers

The Data Protection Authority in the Netherlands recently imposed a €290 million fine on Uber for breaching the EU GDPR requirement to have adequate transfer mechanisms in place to safeguard personal data. 

This review of Uber’s breach highlights where it went wrong and how organisations can ensure they have the relevant representatives in place to maintain compliance with EU GDPR.

15 October 2024


In a significant move that highlights the growing scrutiny of data privacy breaches, the Data Protection Authority (DPA) in the Netherlands last month imposed a €290 million fine on the private hire and food delivery giant Uber.

The US-based company was found to have been transferring the personal data of European drivers to its headquarters in the US with no appropriate safeguards in place.

This decision is one of the highest penalties yet imposed in the ongoing effort to enforce data protection laws, and it is the third fine that Uber has received from the Dutch DPA for breaches of the European Union General Data Protection Regulation (EU GDPR).

The complaint

The initial complaint received by the Dutch DPA was made on behalf of 172 French Uber drivers by a French human rights organisation. At their core, these complaints concerned the difficulty the drivers faced in exercising their rights as data subjects and, specifically, the transfer of their personal data to third countries (countries outside the EEA).

The personal data transferred included sensitive information relating to Uber drivers’ identity documents, location information, and, in some cases, medical and criminal data.

EU GDPR and appropriate safeguards

The investigations centred around transfers of personal data between the Netherlands-based Uber BV, and Uber’s headquarters in the US, Uber Technologies Inc. 

In accordance with Article 44 of EU GDPR, data controllers and processors must comply with the data transfer provisions laid out in Chapter V of EU GDPR when transferring personal data to a third country (a country outside the EEA) or to an international organisation.

These conditions include those in Article 46, which require data controllers and processors to implement appropriate safeguards where the destination country has not been the subject of an adequacy decision by the European Commission.

The EU-US Privacy Shield had provided a limited form of adequacy for transfers to the US; however, it was invalidated by the Court of Justice of the European Union in 2020. Uber subsequently relied on the Standard Contractual Clauses (SCCs) for these transfers, but ceased using them in August 2021 on the basis that it considered Uber BV and its US headquarters to be joint controllers of the data, and therefore that no transfer was taking place.

As such, Uber believed that no separate transfer mechanism was required: as joint controllers, both Uber BV and its US headquarters were directly subject to EU GDPR, and in Uber's view that alone provided the necessary level of protection.

The DPA, however, determined that even if both organisations were joint controllers and subject to EU GDPR, a transfer mechanism was still required for lawful transfers to the US, i.e. the concept of transfer was to be interpreted broadly.

As a result, the DPA determined that between August 2021 and December 2023 (by which time the EU-US Data Privacy Framework, the Privacy Shield's successor, was in place and Uber had begun relying on it) Uber had no appropriate safeguards in place for its transfers of personal data to the US. This put Uber in breach of EU GDPR, and the resulting fine reflected the severity and duration of the breach and the significant volume of personal data involved.

The DPA’s fine

An organisation can face a fine of up to 4% of its total worldwide annual turnover for the preceding financial year (or €20 million, whichever is higher) for a breach of Chapter V of EU GDPR. In Uber's case, this meant it could have faced a fine in excess of €1.3 billion for its breach.

Comparatively, the resulting fine of €290 million was at the lower end of this scale. All the same, the DPA's penalty serves as a critical reminder to all organisations, in particular those that frequently transfer personal data to third countries, that supervisory authorities have a healthy appetite to use the powers within the EU GDPR framework to sanction parties in breach.

Uber have confirmed that they intend to appeal the DPA’s decision.

EU Representative Service

If you are based outside of the European Economic Area (EEA) but you offer goods or services to, or monitor the behaviour of, individuals in the EEA, you must comply with EU GDPR in relation to that processing. As seen with Uber, being headquartered outside of the EEA does not put an organisation beyond the reach of sanctions under EU GDPR where the personal data of individuals in the EEA is involved.

Under Article 27 of EU GDPR, appointing an EU Representative is mandatory for many organisations established outside the EEA, and it is key to ensuring the lawful processing of the personal data of those within the EEA.

Those that require an EU Representative are organisations that do not have an office, branch, or other establishment in the EEA, and that provide goods or services to, or monitor the behaviour of, individuals in the EEA. If you have a branch, office, or other establishment in the EEA, or are a public authority or body, you are exempt from the requirement to have an EU Representative. A narrow exemption also applies where the processing is only occasional, does not include large-scale processing of special categories of data or criminal data, and is unlikely to result in a risk to individuals.

At Shepherd and Wedderburn, we offer an EU Representative Service through our Irish subsidiary, Saltire Data Protection Services Limited, based in Dublin. If you believe you require an EU Representative but do not have one in place or wish to find out more about our EU Representative Service, please get in touch with one of our team who will be happy to help.


This article was co-authored by Trainee Madeleine Gill