Uber's €290 Million Fine for EU Data Transfer Breach: Lessons Learned

The Binding Corporate Rules (BCRs) are policies that organizations operating across jurisdictions can rely on to ensure all data transferred within their group comply with the relevant GDPR requirements. All BCRs must be appropriately approved by the relevant data protection authority (DPA). BCRs ensure legal compliance related to international data transfers while also helping organizations maintain a relationship of trust with both the customers and regulators.

Standard Contractual Clauses (SCCs) are preapproved legal agreements that are one of the few instruments organizations can rely on to transfer data from the EU to countries outside the European Economic Area (EEA). These instruments ensure that the data recipient in the third country has appropriate data protection mechanisms by placing several obligations on both the data exporter and importer.

The EU-US Privacy Shield was invalidated in 2020 by the Court of Justice of the European Union (CJEU). Per the ruling, the EU-US Privacy Shield did not appropriately protect EU citizens’ data from US agencies’ surveillance practices. Consequently, organizations that now wish to transfer data from the EU to the US face a far stricter and more scrutinized process to do so, making transatlantic data flows increasingly complex.

Once businesses become aware of data transfer violations, they must act swiftly to mitigate potential harm while ensuring accountability. Per the GDPR, such organizations are required to inform the relevant data protection authorities and the affected individuals while taking other steps, such as conducting a thorough assessment to assess the nature, scale, and duration of the violation. Following such an assessment, appropriate corrective measures must be implemented with an internal review aimed at ensuring such a violation does not repeat itself.