The recent decision of the Dutch Supervisory Authority, the Autoriteit Persoonsgegevens (AP), to fine Uber €290 million for failing to appropriately safeguard its drivers' personal data transferred to the U.S., highlights the continuing uncertainty around international data transfers.
The decision is also a reminder of the careful consideration required by organisations in the European Economic Area (EEA) transferring personal data to the United States.
The New SCCs
Following the Schrems II [1] decision, the European Commission released new Standard Contractual Clauses in 2021 for the transfer of personal data outside the EEA (New SCCs). The European Commission supported the New SCCs with an FAQ (FAQ) aimed at assisting stakeholders with their compliance efforts.
Notably, the European Commission stated in the FAQ that the New SCCs should not be used for transfers to entities outside the EEA that are already subject to the GDPR by virtue of Article 3's extraterritorial effect:
"They do not work for importers whose processing operations are subject to the GDPR pursuant to Article 3, as they would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR. The European Commission is in the process of developing an additional set of SCCs for this scenario."
Uber Drivers' Complaint
In registering to be an Uber driver, individuals in the EEA must create an account in the Uber Driver App and input personal data, including location, identification and criminal conviction data, which is processed on centralised IT infrastructure by Uber Technologies Inc., located in the US (Uber U.S.).
This transfer of data was the subject of a complaint by 172 French drivers to the French supervisory authority, the CNIL in 2020, which forwarded the complaint to the AP, Uber's lead supervisory authority. Uber's European headquarters (Uber Netherlands) is in the Netherlands.
Relying on the European Commission's FAQ, Uber had removed SCCs from its data sharing agreements between Uber U.S. and Uber Netherlands. Consequently, Uber had no transfer mechanism in place for data transfers to the U.S. in the period between the Court of Justice of the European Union's invalidation of the EU-U.S. Privacy Shield in the Schrems II decision and Uber's self-certification under the EU-U.S. Data Privacy Framework.
Lack of a Transfer Mechanism
Uber argued that both Uber U.S. and Uber Netherlands were subject to the GDPR under Article 3 GDPR as joint controllers of driver personal data. It submitted that further compliance with the requirements of Chapter V of the GDPR (relating to international transfers) was not required, noting that Chapter V is subordinate to Article 3 and cannot be applied simultaneously. It argued that Chapter V is intended to catch cases that fall outside the scope of Article 3, which was not the case here.
The AP concluded that Chapter V is not subordinate to Article 3 and can apply where Article 3(2) also applies.
In respect of the European Commission's statement in the FAQ, the AP found that Uber "could in no way" have inferred that this statement meant that SCCs or another appropriate safeguard need not be used if the processing falls under Article 3 GDPR.
As a result, the AP outlined that Uber's failure to use a transfer mechanism in accordance with Chapter V GDPR constituted a serious violation of Article 44 GDPR.
Reliance on Article 49 GDPR
Uber argued that, if international transfers of personal data did occur, the transfers were lawful under the following derogations:
- Article 49(1)(b) (necessity for the performance of a contract between the data subject and the controller), for use of the driver app; and
- Article 49(1)(c) (necessity for the conclusion or performance of a contract concluded in the interest of the data subject), for responding to data subject requests of drivers to the extent that transfers of personal data took place.
The AP rejected Uber's attempt to rely on Article 49 GDPR derogations as the transfers were neither "incidental" nor "necessary". Recital 111 GDPR suggests such transfers should be incidental, but the AP determined that the transfers between Uber U.S. and Uber Netherlands were systematic, repetitive, and ongoing. Further, the AP found that the existence of a contract does not in itself constitute 'necessity', and it suggested that Uber operated its data processing in the U.S. for efficiency reasons rather than necessity.
Application of EDPB Fining Guidelines
The AP applied the methodology set out in the European Data Protection Board's (EDPB) Fining Guidelines [2]. Having assessed the gravity of Uber's infringement of Article 44 GDPR as 'high', the AP set the starting amount of the fine at between 20% and 100% of the fine maximum of 4% of Uber's annual global turnover, i.e. between €270 million and €1.369 billion. In its assessment, it considered the potential access by U.S. intelligence agencies to personal data, the hierarchical working relationship between Uber and Uber drivers, the fact that the processing is core to the Uber business, that the infringement lasted for a period of two years and three months, and the classification of some of the data as special category personal data.
As the AP did not consider every circumstance to be at the most serious or adverse end of the scale (in particular because the breach had ended), it set the starting amount of the fine at €290 million. Further, the AP confirmed that it did not consider the consequences for Uber's share price a reason to treat the fine as disproportionate.
What Next?
Article 3 SCCs
The European Commission had stated in the FAQ that it was developing an additional set of SCCs for transferring personal data to an importer outside the EEA that is already subject to the GDPR (Article 3 SCCs). On 12 September 2024, the European Commission announced that it would launch a public consultation on the Article 3 SCCs. The public consultation is planned for the last quarter of 2024, with European Commission adoption of the Article 3 SCCs currently planned for the second quarter of 2025.
Practical Guidance
Whilst the Article 3 SCCs are awaited, organisations in the EEA that transfer personal data outside the EEA should take note of this decision and review which transfer mechanisms they rely on for transfers to organisations outside the EEA that are already subject to the GDPR. It is advisable that such organisations have an appropriate transfer mechanism in place for international data transfers, even where the importing organisation is already subject to the GDPR.
The authors would like to thank Cathal Kelleher for his contribution to this briefing.
Footnotes
1. C-311/18, Schrems II, ECLI:EU:C:2020:559
2. Guidelines 04/2022 on the calculation of administrative fines under the GDPR
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.