Uber hit with €290m fine for transferring European driver data to its US HQ

Published on 17 October 2024

The question

What does the Uber fine signal for international data transfers and the consequences of failing to comply with the EU General Data Protection Regulation (EU GDPR)?

The key takeaway

The EU GDPR sets out strict rules governing the transfer of personal data from the EU to countries outside the EU that are not held to offer an adequate level of protection for that data, including the US. Failure to comply with these rules, including around the use of data transfer mechanisms, may result in substantial financial penalties from EU data protection authorities. This includes intra-group data transfer arrangements, which should be subject to regular review to check for compliance.

The background

Other than in very narrow circumstances, the EU GDPR only permits personal data transfers to countries outside of the European Economic Area (EEA) if the European Commission determines that the third country provides an adequate level of data protection (an Adequacy Decision), or if appropriate safeguards are in place to protect personal data.

The EU-US Privacy Shield, the previous EU-US data transfer mechanism, was successfully challenged in the Schrems II case and as a result the ECJ declared the EU-US Privacy Shield invalid on 16 July 2020. Entities could not then rely on an Adequacy Decision for EU-US data transfers and had to put in place appropriate safeguards, such as the implementation of standard contractual clauses (SCCs) and associated transfer impact assessments, to be compliant with the EU GDPR. The European Commission approved an Adequacy Decision in the form of the EU-US Data Privacy Framework on 16 July 2023, but this did not cover transfers between the two dates.

The development

On 26 August 2024, the Dutch Data Protection Authority (the Dutch DPA) announced its decision to fine Uber €290m for violations of the cross-border transfer provisions within the EU GDPR. The decision follows the DPA's investigation into Uber's EU-US data transfer practices, after it received a number of complaints from French Uber drivers. Uber's European headquarters are in the Netherlands, which is why the Dutch DPA led the investigation.

The Dutch DPA's decision noted that Uber had failed to adequately protect and safeguard the personal data of its EU-based drivers when this personal data was transferred to Uber's US headquarters over a two-year period between 2021 and 2023. During this period, the data sharing agreement between Uber's Dutch and US companies (which were joint controllers of driver data, and both subject to the EU GDPR) did not include standard contractual clauses and the Dutch DPA rejected Uber's argument that an EU GDPR derogation applied to the transfers.

These data transfers took place at a time when there was no Adequacy Decision for EU-US data transfers in place, and after the invalidation of the EU-US Privacy Shield. The personal data which was transferred included drivers' identification documents, licences, location data, and some special category data, in the form of health information. Uber has announced that it will appeal the fine.

Why is this important?

The DPA's decision is important as it signifies that European regulators are willing and able to investigate complaints from data subjects regarding international data transfers and, where necessary, impose substantial financial penalties on entities they find to be in breach of the EU GDPR. As evidenced in Uber's case, the financial penalties imposed can be significant, with supervisory authorities having the power to impose fines of up to €20 million or four per cent of an entity's total worldwide annual turnover, whichever is the greater.

Any practical tips?

Organisations with operations that are caught by the EU GDPR should take great care when transferring personal data to countries outside of the EU, including where these data transfers are on an intra-group basis. Regularly reviewing all contracts involving data transfers, including internal transfer arrangements, is never a bad idea. This Uber decision shows just how high the EU's data regulators are willing to go with fines to punish non-compliant transfers.

Autumn 2024
