Rethinking Data Transfers: Why Uber’s fine signals the need for practical safeguards over formal compliance
In a decision dated 22 July 2024, the Dutch Data Protection Authority (DPA) imposed an administrative fine of €290 million on Uber for transferring personal data from European Union (EU) drivers to its headquarters in the United States without using appropriate data transfer tools, such as Standard Contractual Clauses (SCCs).
This decision was made following an investigation that revealed Uber had transferred sensitive information of its EU drivers, including criminal and medical data, to servers in the US without ensuring sufficient protection after the invalidation of the EU-US Privacy Shield in 2020.
While the Dutch DPA’s decision highlights important aspects of cross-border data transfers, this article argues that the ruling should be reconsidered in light of a more purposive interpretation of the use of transfer tools like SCCs. Specifically, a closer assessment is needed of whether the practical mechanisms Uber employed offered actual protection for personal data, rather than focusing solely on the absence of a formal tool like SCCs.
The Legal Framework: Articles 44, 46, and 49 of the GDPR
The General Data Protection Regulation (GDPR) sets out specific conditions for international transfers of personal data to countries outside the EU. Article 44 of the GDPR establishes the general principle that data transfers may only occur if the transferred data enjoys an equivalent level of protection in the destination country as it would within the EU. This principle is further elaborated by Articles 46 and 49, which specify appropriate safeguards, such as SCCs, Binding Corporate Rules (BCRs), or derogations for specific situations that must be in place to legitimise cross-border data transfers.
Under Article 46, SCCs provide one of the primary mechanisms to ensure that transferred data remains protected even when sent to countries that do not benefit from an adequacy decision. However, the European Court of Justice (ECJ) in the Schrems II decision emphasised that the mere presence of SCCs is not sufficient; companies must assess whether the recipient country provides an “essentially equivalent” level of protection in practice. This has shifted the focus from a formalistic adherence to SCCs to a broader assessment of practical safeguards.
The Dutch DPA’s decision, therefore, aligns with GDPR requirements in principle but overlooks whether Uber had implemented alternative mechanisms that could have ensured adequate protection of personal data.
Background of the Uber Case: Cross-Border Data Transfers and Non-Use of SCCs
The Dutch DPA’s investigation began after 170 Uber drivers in France filed complaints with the Ligue des droits de l’Homme (LDH), which subsequently forwarded the complaints to the French DPA. Pursuant to the GDPR, a business that processes data in several EU Member States deals with a single lead DPA: the authority in the country in which the business has its main establishment. Uber’s European headquarters is based in the Netherlands, so the Dutch DPA was Uber’s lead authority.
Therefore, the Dutch DPA took up the case under the GDPR’s One-Stop-Shop procedure. The case revealed that Uber transferred sensitive data of its drivers, such as identity documents, taxi licenses, and payment details, to its US headquarters without relying on SCCs or any other valid transfer mechanism for over two years. During the investigation, the Dutch DPA closely cooperated with the French DPA and coordinated the decision with other European DPAs.
Following the invalidation of the EU-US Privacy Shield in 2020, Uber ceased using SCCs from August 2021 until the implementation of a new data transfer framework at the end of 2023. During this period, Uber failed to use any recognized transfer tools, a violation of the GDPR’s requirements for international data transfers under Article 46.
The Dutch DPA’s Formalistic Approach to SCCs
In imposing the €290 million fine, the Dutch DPA primarily focused on the fact that Uber did not use SCCs or any other authorised transfer tools during the two-year period in question. This approach, however, reflects a formalistic reading of the GDPR, which might not fully account for the practical protections Uber could have employed to secure the personal data of its EU drivers. The DPA’s decision was consistent with the GDPR’s technical requirements, but it neglected to assess whether Uber had established any alternative safeguards that could have provided comparable protection.
The GDPR, following the Schrems II ruling, requires that data controllers and processors not only implement recognized transfer tools but also ensure that these tools are applied in a manner that guarantees data protection in practice. Therefore, the question of whether Uber used SCCs or not should be accompanied by an inquiry into whether Uber’s actual practices met the GDPR’s standards of data protection.
Uber’s Response
Uber’s legal team argues that the case exists in a gray area of regulatory law, pointing out that the GDPR’s Chapter V, which governs international data transfers, shouldn’t apply when processing already falls under Article 3 of the same regulation. They contend that such an application would be redundant and potentially conflict with broader EU international commitments. Moreover, Uber highlights the lack of clear regulatory guidance on what exactly constitutes a “transfer” in the digital age, noting that even the European Data Protection Board’s interpretation remains non-binding.
The company also presents a timeline of its compliance efforts, stating that even if its actions were considered transfers, they were compliant with GDPR requirements and that it implemented Standard Contractual Clauses in its data-sharing agreements until August 2021. These were later removed, Uber claims, in a good-faith response to new guidance from the European Commission.
Uber maintains that no suitable SCCs were available for its situation in the interim period and that alternative transfer mechanisms were not feasible. In support, Uber relies on the European Commission’s (EC) statement in its FAQ that the relevant new standard contractual clauses (SCCs) cannot be used in a situation where processing by controllers is directly subject to the GDPR. Immediately after this, the EC notes that the “European Commission is in the process of developing additional SCCs for this scenario, which will take into account the requirements that already apply directly to those controllers and processors under the GDPR.” The Dutch DPA believes that Uber could in no way have inferred from these statements that SCCs or other transfer instruments need not be used if the processing (by Uber’s admission) falls under Article 3 GDPR. Thus, the EC’s statement does not exempt Uber from compliance with the GDPR.
They also assert that in many cases, data was provided directly by drivers (data subjects) to Uber Technologies Inc. (UTI) in the US, rather than being “transferred” in a way that would fall under the GDPR’s purview. In the data sharing agreement between Uber BV (UBV, Netherlands) and its parent UTI (US), both are defined as joint controllers. Referring to the updated SCCs of the European Commission, Uber told the DPA: “In light of this, Uber revisited its joint controller agreement to delete the SCCs, and to clarify joint controller responsibilities. Therefore, Uber has adopted a new version of its joint controller agreement, in which the new regulatory requirements and relationship between UTI and UBV are reflected.”
Overall, Uber’s defense rests on challenging the applicability and interpretation of GDPR provisions in their specific circumstances.
A Purposive Interpretation of SCCs and Data Transfer Tools
The central issue in the Dutch DPA’s decision is the reliance on the absence of SCCs as the sole determinant of the violation. However, GDPR enforcement must adopt a more purposive interpretation of SCCs and other transfer tools, examining whether the measures implemented offer real protection for personal data. It is essential to shift from a narrow focus on formal compliance with the use of SCCs to a broader evaluation of the adequacy of the protections in practice.
The Schrems II decision clarifies that even when SCCs are in place, data controllers must assess the actual protections available in the destination country. This reasoning can also be applied inversely: when SCCs are not in place, the DPA should evaluate whether other mechanisms, if present, effectively protect the data.
In Uber’s case, for example, the DPA could have considered whether the company employed robust encryption methods, data minimization practices, or other technical and organisational measures that could have mitigated the risks associated with the transfer of personal data to the US. The GDPR permits flexibility in the measures used to protect personal data, as long as these measures ensure an adequate level of protection.
The Need for a Broader Assessment of Practical Safeguards and Interpretations
A key flaw in the Dutch DPA’s decision is that it did not assess whether Uber’s practices during the two-year period actually exposed drivers’ personal data to risks or breaches. While the DPA concluded that Uber violated the GDPR by failing to use SCCs, it did not examine whether alternative safeguards were in place to protect the data. If Uber had implemented effective encryption and data access controls, for example, these measures could have mitigated the risks of data transfers to the US, even in the absence of SCCs.
This perspective aligns with the principle of accountability enshrined in the GDPR. Under Article 5(2), data controllers are required to demonstrate compliance with data protection principles. Uber should have been required to provide evidence of the practical measures it took to secure the data, rather than merely being penalised for failing to use SCCs.
The Uber case underscores the urgent need for clearer, more consistent interpretations of GDPR provisions across the European Union. As global businesses grapple with complex data protection regulations, the lack of uniform guidance can lead to significant legal and financial risks. This regulatory ambiguity not only affects companies’ ability to comply but also impacts the effectiveness of data protection enforcement. Clear, authoritative interpretations are crucial for ensuring fair application of the law and protecting privacy. Without such clarity, businesses may face unpredictable enforcement actions, potentially stifling digital economy growth and international data flows. As the Uber case demonstrates, the stakes are high, and the need for coherent, practical GDPR guidance has never been more pressing.
Conclusion: A Call for Pragmatic Data Protection Enforcement
The Dutch DPA’s decision in the Uber case underscores the importance of adhering to GDPR’s strict requirements for international data transfers, particularly following the invalidation of the Privacy Shield. However, this article contends that the decision should be reviewed to reflect a more purposive interpretation of SCCs and other transfer tools. GDPR enforcement must prioritise practical data protection outcomes over formalistic compliance with specific tools. By focusing solely on the absence of SCCs, the Dutch DPA missed an opportunity to assess whether Uber’s practical mechanisms were sufficient to protect personal data.
The article acknowledges the EU Commission’s announcement in September 2024 for the launch of a public consultation on new EU Standard Contractual Clauses (SCCs). These new SCCs, aimed for adoption in the second quarter of 2025, will address a critical gap in the current framework. Specifically, they will cover situations where the data importer is located in a third country but is directly subject to the GDPR – precisely the scenario at the center of the Uber fine. This move by the EU Commission came in response to the urgent need for action to prevent similar situations in the future. It underscores the pressing necessity for consistent interpretations of GDPR provisions, especially in complex cross-border data transfer scenarios.
Going forward, regulators should adopt a more holistic approach to assessing compliance with GDPR’s cross-border data transfer provisions. Rather than imposing fines based purely on the absence of SCCs or other tools, regulators should consider whether alternative safeguards effectively protect personal data, ensuring that enforcement decisions promote substantive data protection rather than mere procedural compliance.
–
Writers:
Desmond Israel Esq.
Lawyer | Data Privacy/Information Security Practitioner
Founder, Information Security Architects Ltd (Rapid 7 Gold Partner)
Adjunct Lecturer (Ghana Institute of Management and Public Administration)
Technology Policy Researcher (AI, Cybersecurity, Global Data Privacy, Metaverse, Blockchain)
Mohamed ElBaih
Data Protection and Cybersecurity Practitioner Lawyer
Data Privacy Legal Consultant / IFC – The World Bank Group.
AI and Data Privacy researcher.