Uber Fined $324 Million for Data Transfer Violations

What Happened?

On Monday, the Dutch Data Protection Authority (DPA) announced that Uber will be fined over $324 million for violating European Union data privacy law.[1] The Dutch DPA stated that Uber transferred personal data about its drivers to the United States without appropriate safeguards, in violation of the GDPR.[2] According to the decision, no transfer tools protecting this data were used during the two years in which Uber sent personal data from the EU to its US headquarters.[3]

Uber is expected to appeal the ruling, and Michael Valvo, an Uber spokesperson, stated that the “flawed decision and extraordinary fine are completely unjustified.”[4] In 2018, the Dutch DPA fined Uber $1.2 million for failing to report a data breach in a timely manner.[5] Earlier this year, the Dutch DPA fined Uber $11 million for infringement of privacy regulations, also concerning the personal data of drivers working for Uber.[6]

What Can We Learn?

Uber’s fine is one of the largest penalties issued under the GDPR, highlighting the strict enforcement and requirements of data protection law within the EU.[7] The chairman of the Dutch DPA, Aleid Wolfsen, stated that “the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care” and that Uber’s violations were “very serious.”[8]

Enacted in 2016, the GDPR sets forth rigorous standards for transferring and managing personal data. Significant financial penalties have been issued to multiple technology companies, including Meta’s $1.3 billion fine in 2023 for similar violations.[9]

The Dutch DPA alleges that Uber failed to implement adequate protections because it was not a member of the Data Privacy Framework.[10] Additionally, the Dutch DPA alleged that in August of 2021, the company stopped using Standard Contractual Clauses (SCCs).[11] Relying on either of these mechanisms might have allowed Uber to avoid regulatory scrutiny.

Understanding the Data Privacy Framework

There are specific rules that apply to data transfers from the EU to the US.[12] Some businesses in the US are members of the Data Privacy Framework, a set of agreements governing safe transfers of personal data to the US.[13] If an organization belongs to the Data Privacy Framework, it is treated as providing a level of data protection equivalent to that of the EU.[14] This means that EU personal data can be transferred to those businesses in a manner consistent with EU law and without additional transfer tools.[15] However, if the business is not part of the Data Privacy Framework, it must take additional protective steps when transferring data.[16]

Understanding Standard Contractual Clauses

If the US-based business or entity does not participate in the Data Privacy Framework and does not fall within the Article 49 derogations or another exception to the data transfer requirements, then two additional requirements must be met to transfer personal data outside of the EU: 1) a transfer tool must be in place, and 2) supplementary measures to protect the data must be taken as needed. Article 46 of the GDPR provides a list of transfer tools that provide “appropriate safeguards,” including Standard Contractual Clauses (SCCs).[17]

SCCs are model contracts approved by the European Commission that allow controllers and processors to comply with the requirements of EU data protection law.[18] SCCs contain highly specific data protection safeguards, so when they are used between companies, there is a contractual obligation that personal data will be treated with a high level of protection when transferred outside the EU.[19] Because these contracts are standardized, SCCs are a “ready-made” tool that is relatively easy to implement.[20]

The investigation into Uber arose after the Schrems II ruling, which invalidated the EU-US Privacy Shield due to insufficient data protection standards in the US.[21] Despite this ruling, Uber continued transferring its drivers’ personal data from the EU to the US without implementing SCCs or other safeguards, arguing that Chapter V of the GDPR, which covers transfers of personal data to other countries, did not apply.[22] Uber stated that its activities were exempted under Article 3(2), which defines the territorial scope of the GDPR.[23] While Uber maintains that the data protection policies and processes described in its privacy notice are sufficient, this investigation and initial ruling demonstrate the heightened scrutiny that US companies face when operating in the EU.

[1] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[2] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[3] https://www.jurist.org/news/2024/08/netherlands-data-protection-authority-fines-uber-e290m-for-violating-eu-data-regulation/

[4] https://www.nytimes.com/2024/08/26/business/uber-netherlands-fine-driver-data.html

[5] https://www.ciodive.com/news/uber-hit-with-12m-in-fines-for-2016-data-breach/543017/

[6] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[7] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[8] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[9] https://www.metaverse.law/2023/05/22/meta-fined-for-data-transfer-violations/

[10] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[11] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[12] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[13] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[14] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

[15] https://www.dataprivacyframework.gov/Program-Overview

[16] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[17] https://www.edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

[18] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[19] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[20] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[21] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/

[22] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop

[23] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop