Dutch DPA Fines Uber €290 Million Over Data Transfers

On 26 August 2024 the Dutch Data Protection Authority (DPA) announced that it had imposed a €290 million fine on Uber Technologies Inc. and its Dutch subsidiary, Uber B.V., for violating Article 44 of the General Data Protection Regulation (GDPR). The penalty was a result of Uber’s failure to ensure appropriate data transfer mechanisms for EU-to-U.S. transfers between August 2021 and November 2023.

Background

Uber’s data transfer practices came under scrutiny after a complaint was lodged with the French data protection authority (CNIL) in June 2020, alleging that Uber’s transfers violated the Schrems II ruling. The case was escalated to the Dutch DPA in January 2021 under the GDPR’s One-Stop-Shop mechanism, and the investigation formally commenced in April 2021.

Findings of the Dutch DPA

Uber had originally used the EU Standard Contractual Clauses (SCCs) for data transfers between its Dutch entity (Uber B.V.) and its U.S. entity (Uber Technologies Inc.). However, following the EU Commission's Q&As on the SCCs, Uber removed the SCCs, since they cannot be used with data importers that are already subject to the GDPR under Article 3. The Dutch DPA held that Uber, after removing the SCCs from its Data Sharing Agreement in August 2021, did not have a valid alternative in place for transferring data to its parent company, Uber Technologies Inc. in the United States. Uber had relied on Article 49(1)(b) and (c) of the GDPR, which permit transfers based on "contractual necessity," but the DPA rejected this approach, finding that these derogations are intended for occasional and limited transfers, not for sustained data flows integral to Uber's global operations. In November 2023 Uber certified under the EU-U.S. Data Privacy Framework, which is when the breach stopped.

European Commission and the Delayed SCCs

In November 2022, the European Commission announced plans to issue new SCCs specifically for cases where the data importer is already subject to the GDPR under its extraterritorial scope. However, these SCCs have not been released to date. It was only last week, in September 2024 and after the Uber sanction, that the Commission initiated a public consultation on the new clauses, with a final version expected in Q2 2025.

Fine Calculation

The Dutch DPA adhered to EDPB guidelines on calculating fines, considering the scale of the violations and the potential impact on data subjects. The lack of adequate safeguards for such a long period, combined with the size of Uber’s operations, resulted in a fine of €290 million.

Appeal

Uber has already stated it will appeal the fine.

Broader Impact

The Dutch DPA’s decision reflects the never-ending complexity of managing cross-border data flows under GDPR. Here are some key issues that caught my eye:

1. Extraterritorial Scope of the GDPR: An important issue is the relationship between the GDPR's extraterritorial scope (Article 3) and its international data transfer rules (Chapter V). Uber argued that because the processing by its U.S. entity was already subject to the GDPR, additional transfer mechanisms were unnecessary. The Dutch DPA disagreed, and I think they're right. However, I do think a transfer mechanism was unnecessary, but for the reason given in point 2 below.

2. Consequences of joint controllership: I haven't seen this addressed yet, but my personal take (as I wrote here) is that if two entities are joint controllers for the collection of the data (let's not forget the Fashion ID case, which explains that joint controllership can apply to different phases of processing), this should mean both of them must be considered to collect the data themselves. Direct collection of personal data from outside the EU is not a transfer, and thus I don't see why a transfer instrument between this type of joint controllers is necessary, much less a contractual instrument that is meant to bring the importer under the rules of the GDPR and the control of the exporter.

3. Article 49 derogations, which allow data transfers under specific conditions: are they limited to one-off situations, or can they be applied more broadly? The CJEU pointed out in para 202 of the Schrems II judgment that "in any event, in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR". However, the EDPB's FAQs on this judgment state that "With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional", and the Dutch DPA followed this approach.

In conclusion, this case, though specific to Uber, is a warning for any company transferring personal data from the EU to other countries. It signals that despite ongoing attempts to settle data transfer mechanisms, such issues are far from resolved and will likely resurface as key regulatory challenges. The inclusion of personal data in AI development is only going to increase the problem.

You can find the press release and the decision in Dutch here, and you can grab a translation into English on my blog here.
