Last Monday, the Personal Data Authority (AP) handed out the largest AVG fine in Dutch history. This was prompted by a large number of complaints from French Uber drivers to the Human Rights Court in France. Uber B.V. was alleged to have insufficiently protected the data of European citizens in its data exchange with the company's U.S. arm. In this article, we discuss the substance and success rate of the objection to the fine with tech lawyer Menno Weij of BDO Legal.
European data processed abroad must be as well protected under the AVG as it is in the EU. For this reason, companies such as Uber must use a pass-through mechanism to ensure data security.
Uber did not use such a pass-through mechanism, according to the AP, even though it is required to do so, given that Uber also processes the data (directly) at Uber's U.S. facility.
However, experts believe the issue has little to do with a material violation of the AVG, but rather an interpretation of a European Commission statement on Standard Contractual Clauses (SCCs). According to Menno Weij, the issue is one of principle, of form, rather than a substantive violation that Uber allegedly failed to take sufficient measures and/or safeguards to protect the data of French drivers in America.
The issue is whether Uber had to use a pass-through mechanism in the period from Aug. 9, 2021 to the present. Indeed, Uber argues that it was entitled to assume, based on a statement from the EC, that the Standard Contractual Clauses (SCC) were not necessary in the event that the responsible party, in this case Uber's U.S. branch, is directly bound by the AVG under Article 3 AVG. Indeed, Article 3 AVG provides that Uber's U.S. branch is directly bound by the AVG because the company processes European personal data. Added to this is the EC's statement that SCCs cannot apply to importers, in this case Uber's U.S. branch, which fall within the scope of Article 3 AVG. Indeed, SCCs in this case would repeat or deviate from many of the rules arising from the AVG. Incidentally, the Commission also mentions in the same paragraph that it is working on a SCC "light" that addresses the circumstance that the importer is also bound under Article 3 AVG.
Despite this statement by the EC, Uber could not assume, according to the AP, that it did not have to use any transfer mechanism. After all, Chapter 5 of the AVG requires companies to use a pass-through mechanism when processing European personal data abroad. Uber has indicated it will appeal the fine. Weij suspects that Uber is seeking clarity from the court on this point.
Weij expects the judge to rule that Uber should have done something with the pass-through mechanism (and not "nothing"), but also that the 290 million fine will be considered too high.
