
Uber’s $324 Million Problem: Lessons In Data Protection For Businesses In The EU

Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Syed Tatheer Kazmi

Associate Data Privacy Analyst, Securiti

CIPP/Europe

Published October 23, 2024


On August 26, 2024, the Autoriteit Persoonsgegevens, also known as the Dutch Data Protection Agency (DPA), announced an unprecedented €290 million ($324 million) fine against the ride-hailing service Uber for transferring data containing personal information and other sensitive details of its EU-based drivers to its servers in the United States without adequate protection from August 6, 2021, to November 27, 2023.

The fine is among the highest ever levied by the Dutch DPA and the biggest issued against Uber globally.

The Dutch DPA chairman, Aleid Wolfsen, issued a statement, “...Think of governments that can tap data on a large scale. That is why businesses are usually obliged to take additional measures if they store the personal data of Europeans outside the European Union. Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US…”

Uber’s spokesperson has since called the decision flawed and unjustified and has expressed its intention to appeal.

While more details will surely follow, this particular episode contains several lessons that can prove critical for other businesses and organizations processing data of EU citizens. Proactively implementing these lessons within their operations can help such businesses avoid a similarly hefty financial penalty and avoid losing a much more valuable asset, their customers’ trust. Read on to learn more.

The Case Against Uber

Following the Schrems II ruling in July 2020, which invalidated the EU-US Privacy Shield, businesses were required to implement new safeguards for the transfer of personal data outside the EU. However, Uber continued to transfer the personal data of EU drivers to its US headquarters for two years without relying on any of the transfer tools permitted under the GDPR for transfers of data to jurisdictions outside the EEA.

The Dutch DPA's investigation into Uber's alleged data protection violations began after more than 170 French drivers launched a joint complaint through the French human rights interest group the Ligue des droits de l'Homme (LDH) to the French DPA.

Per the GDPR's provisions, organizations that process data in multiple EU member states must deal with the DPA from the country where the organization has its main establishment. Since Uber's main European headquarters is based in the Netherlands, the French DPA forwarded the complaint and then closely collaborated with the Dutch DPA, which also involved consultations and communications with other European DPAs.

As part of its investigation, the Dutch DPA found that Uber had collected personal data, including sensitive information from its European drivers, and stored and maintained it on its US servers. The sensitive information in question included details such as drivers' geolocation, photos, transaction history, ID documents, and, in some instances, their criminal and medical histories.

Cross-Border Transfer Mechanisms

As per the GDPR, personal data transfers to a third country or international organization may take place only where an adequate level of protection is ensured or there are safeguards in place to ensure a level of protection essentially equivalent to that currently guaranteed inside the EU. The GDPR provides the following transfer mechanisms:

  • An adequacy decision: A determination by the European Commission that a non-EU country ensures an essentially equivalent level of data protection, allowing safe data transfers from the EU to that country.
  • Appropriate safeguards: In the absence of an adequacy decision, a transfer can take place only if one of the following appropriate safeguards is in place:
    • Binding Corporate Rules (BCRs);
    • Standard Contractual Clauses (SCCs);
    • Legally binding instrument between public authorities;
    • Data protection clauses adopted by the supervisory authority and approved by the Commission;
    • An approved code of conduct;
    • An approved certification mechanism.

In cases where personal data is being transferred under SCCs, a Transfer Impact Assessment (TIA) needs to be carried out to evaluate the risks of transferring personal data outside the EEA. The TIA is a vital element of the SCC framework, intended to evaluate how well the chosen transfer mechanism protects the data. It assesses the legal framework of the third country to determine if it offers an essentially equivalent level of data protection, as mandated by the GDPR. In instances where SCCs do not provide sufficient safeguards, supplementary measures such as encryption, pseudonymization, or strict access controls need to be implemented to guarantee compliance with the GDPR.

  • Derogations, which can only be used for non-repetitive transfers that fall under one of the following exceptions:
    • The data subject has explicitly consented to the transfer after being informed of the risks involved;
    • Transfer of data is necessary for the performance of a contract between the data subject and the controller or between the controller and a third party acting on behalf of the data subject;
    • Transfer of data is necessary for reasons of public interest;
    • Transfer of data is necessary for the establishment, exercise, or defense of legal claims;
    • Transfer of data is necessary to protect the vital interests of the data subject or any other person where they are physically or legally incapable of giving consent;
    • The transfer involves data that is sourced from a public register, provided that the transferee complies with the restrictions imposed on its access or use.

Even if the above-mentioned conditions are not met, a transfer is still possible if it is not repetitive, concerns a limited number of data subjects, is necessary for compelling legitimate interests, and the controller has assessed all the circumstances surrounding the data transfer and accordingly provided suitable safeguards for the protection of personal data. In such cases, a business must provide information to the data subjects as per Articles 13 and 14 of the GDPR. Moreover, it should document the assessment as well as the suitable safeguards provided in its records of processing activities.

Lessons For Corporations

There are, of course, some vital lessons in this entire episode for other organizations, and perhaps for Uber itself. These include the following:

Identify the Appropriate Transfer Mechanism

Organizations must first check whether the third country benefits from an adequacy decision. In the absence of an adequacy decision by the European Commission, organizations must rely on an appropriate data transfer tool under GDPR Article 46 and fulfill the associated requirements.

Document Cross-Border Transfers

According to Article 30 of the GDPR, businesses are required to document the transfer of personal data to a third country in their record of processing activities. Proper documentation is essential for justifying the transfer and demonstrating that safeguards are in place to ensure an adequate level of protection.

Such thorough documentation often proves invaluable during audits and compliance checks, providing indisputable evidence of an organization’s adoption and adherence to the required data protection standards. It enables swift response to inquiries or concerns from supervisory and enforcement agencies, significantly reducing the risk of penalties for non-compliance.

Moreover, it has a clear functional benefit, as effective documentation enables effective data governance and management. This, in turn, supports better decision-making and operational efficiency, and strengthens data security, which can be particularly beneficial in the long run.

Conduct Transfer Impact Assessment

When adopting Standard Contractual Clauses (SCCs) as a transfer mechanism, data exporters must conduct a Transfer Impact Assessment (TIA) to evaluate the risks of transferring personal data outside the EEA. The TIA is a crucial step within the SCC framework designed to assess the effectiveness of the chosen transfer mechanism. It evaluates the legal and regulatory environment of the destination country and determines whether that third country provides an essentially equivalent level of data protection as required by GDPR. Based on this assessment, businesses can determine whether the measures provided by the SCCs are adequate or if supplementary measures are necessary to ensure the data's security and compliance with GDPR.

Ensure Transparency via Privacy Notice

Maintaining transparency with users is one of the most effective ways to build and maintain user trust. Users must be kept informed and updated about how their data is collected, processed, stored, secured, and transferred. This can easily be achieved through accessible and easy-to-understand privacy notices. Any changes to data practices, particularly those involving the transfer of users’ data outside the EU jurisdiction, must be promptly reflected in the privacy policy and communicated to the users.

How Securiti Can Help

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data+AI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Numerous reputable global enterprises rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.

With Assessment Automation, organizations can automate records of processing (RoPA) reports, privacy impact assessments, and data protection impact assessments aligning with GDPR requirements. Similarly, Privacy Policy Management provides organizations access to several pre-built templates that can be thoroughly customized based on their business operations and rapidly published in several languages. The Data Mapping module allows monitoring of all cross-border traffic and key data patterns with dynamic data graphs that allow the automatic discovery of new data, trigger new assessments, and update the risk register.

Request a demo today to learn more about how Securiti can help you comply with any and all legal obligations your organization may be subject to under the GDPR and other major data privacy regulations worldwide.
