At the end of July 2024, the Dutch Data Protection Authority imposed a fine of EUR 290 million on Uber, as the authority deemed that Uber had transferred personal data from the EU to the United States over a period of more than two years without implementing the necessary safeguards required by the GDPR. Notably, two of the authority's findings—though not surprising—are also relevant for other companies:
- The concept of “transfer” to third countries is very broad
The GDPR imposes extensive obligations tied to the concept of transfer, but it does not explicitly define it, leading to ambiguity in many scenarios about when a third-country transfer actually occurs. Supervisory authorities, including in the Uber case, generally adopt a broad interpretation of this concept. It is therefore unsurprising that, according to the Dutch authority, a transfer can be deemed to have occurred even in cases of joint controllership between the exporter and the importer.
- Safeguards under Chapter V of the GDPR, such as the conclusion of Standard Contractual Clauses, are also necessary when the data recipient in the third country is directly subject to the GDPR under the marketplace principle
The UK Information Commissioner’s Office (ICO) and, at least temporarily, the European Commission had assumed that the transfer of personal data to countries outside the European Union would exceptionally not be subject to the specific requirements for third-country transfers under Chapter V of the GDPR if the recipient in the third country is directly subject to the GDPR under the marketplace principle. However, this view is difficult to reconcile with the wording of the GDPR and is not shared by the EU's data protection authorities. As a result, data transfers to third countries must always be justified separately. This presents significant challenges for data exporters in the EU, as the Standard Contractual Clauses (the primary instrument for justifying third-country transfers) are expressly intended only for data transfers to recipients to whom the GDPR does not apply. Standard Contractual Clauses for recipients subject to the GDPR have been announced by the European Commission for years but are not yet available. Companies can therefore only refrain from such transfers (often impractical), rely on Standard Contractual Clauses that do not fully apply (which is likely to be the preferred approach), or do nothing at all; the fine imposed by the Dutch authority clearly demonstrates that the last option is not advisable.
This fine highlights the continued relevance of third-country transfers and the fact that some issues remain unresolved. In the absence of alternatives, companies currently have limited options and may only be able to take measures to mitigate risks. Despite their limited applicability, Standard Contractual Clauses remain the preferred option in most cases—had they been concluded, the fine in its current form might have been avoided.