The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a EUR 290 million fine (the AP's highest ever) on Uber for violating Article 44 GDPR by unlawfully transferring personal data of EU-based drivers to the United States. The AP, acting as lead Supervisory Authority for Uber (Uber's EMEA headquarters is established in the Netherlands), started its investigation in April 2021 after the French Data Protection Authority (CNIL) forwarded a complaint from a French NGO, Ligue des droits de l'Homme (LDH), on behalf of 172 Uber drivers.
Background
International transfers of personal data to third countries outside the EEA are only permitted under Chapter V GDPR if the destination country benefits from an EU adequacy decision, if an appropriate safeguard such as Standard Contractual Clauses (SCCs) is in place, or, for incidental transfers, if one of the derogations in Article 49 GDPR applies. Following the ECJ's Schrems II ruling in 2020, the EU-US Privacy Shield (which rested on an adequacy decision) was invalidated. SCCs remained a valid basis for transfers to countries outside the EU/EEA, although the exporter may need to adopt supplementary measures to protect the data.
Investigation
The AP’s investigation into Uber mainly focused on whether Uber was compliant with the data transfer provisions of Chapter V of the GDPR. In its investigation, the AP found that Uber processed a variety of (sensitive) data through its app, such as location data, photos, payment details, ID records and criminal and health records of its drivers. The AP states that this data was collected through Uber’s EU entity (UBV) and transferred to its US-based entity (UTI). The AP also established that Uber stopped using SCCs in August 2021, and continued data transfers without adequate safeguards until November 2023. After that, Uber certified under the EU-US Data Privacy Framework.
Uber’s defence and the AP’s decision
Uber put forward the following arguments in its defence: (i) that Chapter V GDPR was not applicable because Article 3 GDPR already applies to the data processed in the US, as UBV and UTI are joint controllers; (ii) that Chapter V GDPR is subordinate to Article 3 GDPR, so the two cannot be applied simultaneously; (iii) that the concept of "data transfer" is not defined in the GDPR; (iv) that no "data transfer" occurred because EU-based drivers provided their data to UTI directly; and (v) that Uber could rely on the derogations of Article 49(1)(b) and (c) GDPR.
The AP rejected these arguments, stating that Chapter V GDPR is complementary to Article 3 GDPR and that the two must be applied together so that the protection afforded by the GDPR is not undermined or circumvented. The function of Chapter V, according to the AP, is to ensure that international transfers take place only if all other relevant provisions of the GDPR are also met. As regards the definition of "data transfer", the AP relied on the EDPB guidelines and concluded that Uber's processing activities constituted a "data transfer" within the meaning of Article 44 GDPR. Finally, the AP rejected Uber's reliance on Article 49 GDPR, clarifying that these derogations are intended for incidental transfers only. Uber's discontinuation of the SCCs, in the absence of any other appropriate safeguard, therefore amounted to a breach of the GDPR.
Factors considered relevant for the fine
The EUR 290 million fine was calculated pursuant to the EDPB guidelines, mainly considering the following factors:
- the gravity and duration of the violations
- Uber’s global scale
- Uber’s financial capacity
- the two-year period of non-compliance
- the exposure of sensitive driver data, and
- Uber’s insufficient mitigation measures.
The AP notes that the penalty was set to be effective, proportionate and dissuasive, as the GDPR requires. Uber has announced its intention to appeal the fine. The main takeaway is that the AP is upping its game and will not hesitate to impose significant fines where it considers them appropriate.