PONT Data&Privacy

Privacy fine of €290 million for data transfer to U.S.

The Personal Data Authority (AP) has fined Uber €290 million for violating rules set by the General Data Protection Regulation (GDPR) on international transfers of personal data. The fine decision was published on Aug. 26, 2024. It is by far the AP's highest fine to date, and one of the highest European privacy fines.

Aug. 29, 2024

Background

According to the AP, Uber transferred personal data of European cab drivers to the United States (US) between 2021 and 2023 without using a transfer tool. The investigation was prompted by a complaint filed with France's CNIL. The AP is the lead regulator because Uber's European headquarters is located in the Netherlands.

The GDPR requires the use of a so-called transfer instrument when transferring personal data to a country outside the EU. There are several instruments, such as an adequacy decision by the European Commission, standard contractual clauses (SCCs), binding corporate rules (BCR) and exceptions under Art. 49 GDPR.

Adequacy decisions are a widely used solution for transfers to the U.S., but two of them have already been declared invalid by the European Court of Justice (particularly because of access by U.S. intelligence agencies to European data, see the 2015 and 2020 Schrems rulings). Since last year there has been a third adequacy decision, namely for the Data Privacy Framework (DPF) under which Uber is certified, but between 2020 and 2023 there was thus no adequacy decision for the US. SCCs were the most common alternative during this period. According to the European Commission, however, the existing SCCs cannot be used for transfers to a party outside the EU that falls under the scope of the GDPR, as the SCCs would then create duplications and deviations from obligations under the GDPR (see question 24).

The relevant Uber entities in this case - Uber B.V. (in the NL) and Uber Technologies Inc. (in the US) - qualify as joint controllers and both fall within the scope of the GDPR. Uber removed the SCCs from the Data Sharing Agreement between these two entities in 2021. For the period between 2021 and 2023, Uber took the position that transfers were necessary to execute contracts with the drivers, but the AP ruled that this exception of Article 49 GDPR could not be applied because the conditions that the transfers were "incidental" and "necessary" were not met.

Key points of interest:

  • International transfers remain a legal minefield. It is only a matter of time until the European Court of Justice will also rule on the third adequacy decision for the US. Last year, the Irish DPC imposed the highest ever GDPR fine (€1.2 billion) on Meta for transfers to the U.S. based on SCCs. In this record fine by the AP, the accusation against Uber seems, at its core, to be precisely that SCCs were missing. In short, although the GDPR is over 6 years old, the regime for international transfers remains in constant flux. The use of an adequacy decision or SCCs may be a fine solution one moment, but later, due to external developments, may result in a violation of the GDPR. In projects involving transfers, it is therefore not only important to apply the right instruments, but also to ensure that the method of working is future-proofed as much as possible. This requires, among other things, a careful assessment of contracts, both with third parties such as customers / suppliers / partners and intra-group contracts between different entities within a group of companies.

 

  • What to do pending the additional set of SCCs for transfers to parties falling under the scope of the GDPR. While the European Commission stressed that the existing SCCs cannot be used for onward transfers to parties outside the EU falling within the scope of the GDPR, the message was that an additional set of SCCs is being worked on specifically for this scenario (see question 24). However, this additional set of SCCs has not yet appeared and until then, organizations would be wise to take measures so that they cannot be blamed in the same way as Uber. For transfers to the US, the DPF may offer a solution, provided the recipient in the US is certified under it. However, it is not inconceivable that the third adequacy decision for the US will be invalidated again. Moreover, for many other countries, there is no adequacy decision at all. As an alternative to an adequacy decision, given this fine from the AP, use of the existing SCCs (at least pending the additional set of SCCs) seems a safer solution than use of the exceptions of Art. 49 GDPR. Possibly this would have even allowed Uber - although against the instructions of the European Commission - to escape the AP's fine.

 

  • No "onward transfer" if data is collected directly from the data subject. The term "transfer" is not defined in the GDPR. The EDPB has interpreted this concept and takes the position that there is no "transfer" when a party outside the EU collects data directly from a person in the EU. Uber follows this line of reasoning and puts forward the defense that drivers make their data directly available to Uber Technologies Inc. The AP rejects this defense and, in short, takes the view that Uber B.V. shares responsibility and control over the transfer to the U.S. In other words: Uber B.V. is considered the exporter of the data. The fining decision provides little clarity as to under what circumstances direct collection in the EU can occur. Uber has announced that it will appeal and a further clarification of this doctrine would be helpful.

 

  • Article 49 GDPR exceptions can only be applied to a limited extent. The EDPB was already on the same page and the AP's fine underlines once again that the exceptions of Art. 49 GDPR can only be applied in limited cases. Although the exceptions can potentially offer a welcome alternative (or even last resort), they seem unusable for now in practice unless small-scale transfers are involved. This is mainly due to the criterion that the transfer must be "incidental" or "non-repetitive." It is unclear where the line lies, and here too concrete interpretation would be helpful.

 

  • BCR are the most stable solution for intra-group transfers. Amid these stormy developments, organizations using BCR are in considerably calmer waters. BCR are therefore an interesting solution for intra-group transfers within organizations with an international presence. Also given the recent guidance from the EDPB on BCRs, this is a good time to seek approval for new BCR. We assist several clients with the approval and update of BCR.
