The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V. (UBV) (together, Uber), with press releases in Dutch and English. The fine relates to the transfer of drivers’ personal data to the US. Uber has announced that it will appeal the fine.
In 2024, with the EU-US Data Privacy Framework (DPF) in place, regulatory focus appears to have shifted from international transfers to other topics, such as artificial intelligence and the right of access. This enforcement casts an unexpected spotlight on the risks that remain around international transfers to the US. It also highlights the compliance gap around transfers to recipients in third countries that are themselves caught by Article 3(2) General Data Protection Regulation (GDPR). This article looks at the lessons controllers can take from the decision.
Background
To provide rides through Uber, drivers must create an account in the driver app. Data entered is processed on centralised IT infrastructure on UTI’s platform and servers located in the US. This data includes account data, location data, photos, payment receipts and ratings, and can include ID, criminal conviction data as well as health data depending on the jurisdiction.
French non-governmental organisation Ligue des Droits de l’Homme et du Citoyen (LDHC) submitted a complaint in 2020 to the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL) on behalf of a group of drivers that grew to 172 by September 2020. The CNIL forwarded the complaint to the AP, as Uber’s lead supervisory authority under the GDPR’s one-stop-shop mechanism, in January 2021.
The alleged breach related to a period between 6 August 2021 and 27 November 2023. On 27 November 2023, Uber Technologies Inc. signed up to the DPF.
Did transfers of personal data to the US take place?
Drivers in the EEA must sign a contract with UBV to become Uber drivers. However, driver personal data is stored by UTI. Uber had taken the view that no transfer of personal data between the EEA and US took place, as there were generally no data flows at all between UBV and UTI.
Driver personal data collected through the driver app in the EEA goes directly to UTI’s servers. When a driver makes a request to access their data, the driver will also generally send the request through the app directly to UTI and receive their data directly from UTI. In rare cases, a driver might choose to exercise their rights through a local Uber employee, in which case their request would be passed from UBV to UTI (which arguably implied that, in these exceptional cases, limited transfers of personal data occurred between UBV and UTI), but the data Uber provided in response would still go directly from UTI to the data subject.
The European Data Protection Board (EDPB)’s guidelines on the interplay between the application of Article 3 and Chapter V GDPR (Guidelines on Article 3 / Chapter V) clarify that, in the EDPB’s view, no transfer takes place when an organisation in a third country collects personal data directly from a data subject in the EU. This is the case even where the third-country organisation targets the EEA market and is therefore brought within the GDPR’s extraterritorial scope under Article 3(2) (see p.9).
However, in the AP’s view, transfers took place between UBV and UTI. The AP cited various activities where a UBV employee would assist a driver with tasks involving personal data to be sent to UTI, such as taking a profile picture (though the data flow would still be directly from the driver’s device to UTI). The AP also emphasised that UBV exerted significant influence over the drivers operating the app. In the AP’s view, this influence meant that UBV determined the context in which the transfer came about, even if drivers were using their own devices. As such, the AP concluded that UBV de facto qualified as the data exporter.
Did the international transfer provisions under Chapter V GDPR apply for transfers to a recipient bound by Article 3(2) GDPR?
The AP considered whether the international transfer provisions in Chapter V GDPR apply where Article 3(2) GDPR applies, or whether Chapter V is subordinate to Article 3 GDPR. It concluded, consistent with the EDPB’s Guidelines on Article 3 / Chapter V, that Chapter V GDPR can apply where Article 3(2) GDPR also applies. Chapter V is not subordinate to Article 3. This is because Chapter V is in place to protect data subject rights in any scenario where their data passes into a jurisdiction where the legal regime might not have the same level of protection for fundamental rights.
Uber had Standard Contractual Clauses (SCCs) in place for its intragroup data flows until August 2021. When completing its review of the EU Commission’s 2021 SCCs, it concluded that it would not be possible to use them, as the Commission’s recitals highlighted that they could not be used for recipients subject to Article 3(2) GDPR. This view was set out more fully in the Commission’s May 2022 Q&A, in which it states that the 2021 SCCs “do not work for importers whose processing operations are subject to the GDPR pursuant to Article 3, as they would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR. The European Commission is in the process of developing an additional set of SCCs for this scenario”.
Uber took the view that it should not implement the 2021 SCCs for this reason, and removed the previous SCCs on 6 August 2021. Its intragroup agreement set out the responsibilities of UBV and UTI as joint controllers, but did not include an “appropriate safeguard” for the purposes of Article 46 GDPR.
The AP concluded that Uber should not have inferred that the Commission’s comments meant that SCCs or another appropriate safeguard need not be used and Uber was in breach of Article 44 GDPR. It did not opine explicitly on what safeguard would have been appropriate. It did say it had not received any applications from Uber for any other appropriate transfer mechanism. For example, this could have been a reference to Binding Corporate Rules, which can be used for transfers to group members subject to Article 3 GDPR.
Was it possible to rely on a derogation?
Uber also sought to rely on the derogations for international transfers under Article 49(1)(b) GDPR (necessity for the performance of a contract between the data subject and the controller) for use of the driver app, and Article 49(1)(c) GDPR (necessity for the conclusion or performance of a contract concluded in the interest of the data subject) for responding to drivers’ data subject requests, to the extent that transfers took place at all.
In the AP’s view, it was not possible to rely on these derogations as the transfers were not occasional (as Recital 111 suggests they should be) and were not necessary.
Our take
A very large fine was imposed in spite of the fact that the breach was no longer continuing. By the time the AP reached its decision in July 2024, the DPF had gone live and UTI had signed up to it.
In order to substantiate the significant amount of the fine, the AP refers in particular to (i) the hierarchy between Uber and its drivers, (ii) the fact that the personal data relates to drivers across the EU, (iii) the extensive period of the infringement (i.e. two years and three months), and (iv) the sensitivity of the data. However, it is unclear whether any of these circumstances resulted in actual harm to the data subjects concerned. This is in contrast to the €30.5 million fine recently imposed on Clearview AI by the AP for more severe infringements that likely did result in actual harm to the data subjects involved.
The Uber fine was also imposed in relation to an extremely complex area with no obvious compliance solutions at the time of the breach, on a controller who appears to have made a good faith attempt to comply. Uber is appealing the fine and it remains to be seen if the fine will survive the appeal.
The case does, however, provide clarity on several key points on international transfers:
- A data protection authority may find that a transfer takes place even where an entity in a third country collects personal data directly from data subjects in the EEA. Where an EEA entity is determining the purpose and means of the collection by the third country entity, this may still be considered a transfer from the EEA entity to the third country entity even where no physical or contractual data flow occurs.
- An appropriate safeguard is still required for transfers to importers subject to Article 3(2) GDPR where no adequacy decision is in place. The Commission’s comments in the recitals and its Q&A on the need for a new set of SCCs cannot be read as suggesting that no appropriate safeguard was required in the meantime.
- Derogations can only be relied upon in very narrow circumstances (so the EDPB guidance on the thresholds for repetitiveness and necessity is going to be enforced).
Where there is any doubt, it may be prudent to assume that a transfer takes place. Where the recipient is subject to Article 3 GDPR, the complexities around choosing an appropriate safeguard must then be tackled. The DPF may be available, but for recipients who are not eligible to join or have chosen not to sign up, another appropriate safeguard will still be required. Binding Corporate Rules remain a possible option, but will not be the most practical one for many controllers. The 2021 SCCs are, strictly speaking, not suitable for these transfers; however, the AP did not rule out relying on them for now. While we await the additional SCCs from the Commission, the 2021 SCCs are likely to be the best compliance solution available.