Uber fined in the Netherlands for breaching personal data protection rules: the consequences of this fine


On 22 August 2024, the Dutch Data Protection Authority (DPA) found the American company Uber Technologies Inc. and the Dutch company Uber BV guilty of transferring drivers' data outside the European Union (EU), to its headquarters in the United States, without sufficient guarantees, between 6 August 2021 and 21 November 2023. The investigation was opened in the Netherlands, where one of the Uber companies is headquartered, following a complaint in France by 172 drivers, and was conducted in collaboration with the French data protection authority (CNIL). Uber was fined €290 million.

  • How does the GDPR regulate transfers of personal data to countries that do not comply with European standards?

The GDPR strictly regulates transfers of personal data outside the EU.

First, the European Commission may decide that a third country offers an adequate level of protection, i.e. equivalent to that of the European Union, which allows transfers without additional measures. In the absence of adequacy, companies must implement appropriate guarantees, such as the conclusion of standard contractual clauses (SCCs) or binding corporate rules (BCRs). In certain exceptional cases, exemptions may be applied, such as the explicit consent of the data subject or the transfer necessary for the performance of a contract.

The list of suitable countries is limited and includes the member countries of the EEA zone as well as countries such as Canada or Japan.

The case of the United States is more complex. The country was considered “adequate” until a decision of the CJEU of July 16, 2020, called Schrems II. On July 10, 2023, after intense negotiations, the European Commission recognized the country as “in partial adequacy”, via the so-called Data Privacy Framework mechanism allowing certain American companies to collect and process personal data from the European Union without additional steps.

All data transfers must also comply with the general data protection principles set out by the GDPR.

  • What steps could Uber take to comply with European data protection regulations and avoid such sanctions in the future?

The investigation revealed that Uber had stored sensitive personal data of its European drivers, such as their banking details or identity documents, on US servers without adequate safeguards for more than two years. Between the 2020 Schrems II ruling and the 2023 European Commission decision, the transfer of personal data to the US was only permitted under certain conditions that ensured a level of protection equivalent to that of the European Union. However, Uber did not implement such measures until the end of 2023.

To comply with European regulations, Uber could take several measures, some of which are cumulative, including:

  • ensure that all transfers of personal data to third countries are regulated by appropriate guarantees, such as personal data processing agreements (DPAs) concluded between different entities, including those within the same group;
  • strengthen its internal security measures to protect personal data, by implementing strong encryption protocols and limiting access to sensitive data;
  • perform regular audits of its data management practices to ensure their compliance with the GDPR;
  • train its employees.

  • What are Uber users’ rights in this context, and how can they ensure their data is protected in accordance with the GDPR?

Everyone in the EU has rights under the GDPR to protect their personal data, including the right to information, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object.

To assert them, users can take the following measures in particular:

  • Exercise their rights: the company is required to respond to these requests within one month. In the absence of a response, users may contact the competent national data protection authority, such as the AP in the Netherlands or the CNIL in France;
  • Use data protection tools: such as privacy settings and consent options, to control how data is shared and used.

  • What are the consequences of this fine for Uber, both financially and for its reputation in Europe?

Financially, the company was fined €290 million. In terms of reputation, this fine could tarnish Uber’s image in Europe, especially since Uber has already been convicted for data security violations.

Uber has appealed the AP’s decision and denounces a period of uncertainty between the United States and the EU on how to ensure the protection of personal data following the 2020 “Schrems II” decision, which stripped the United States of its adequate country status until the European Commission’s decision in 2023.

  • What are the implications of this case for other international companies operating in Europe, in terms of compliance with the rules of the GDPR?

This case serves as a reminder to businesses of the importance of continuous compliance with GDPR rules. This regulation applies to any organization, whether public or private, regardless of its size or sector of activity, as long as it processes personal data of EU residents. This concerns companies established in the EU and non-EU companies, when they offer goods or services to EU residents.

Businesses must remain extremely vigilant when transferring personal data outside the EU. The Uber case shows that European data protection authorities are closely monitoring these transfers and are not hesitant to impose severe penalties in the event of non-compliance.

A contribution from Mathilde Carle, lawyer at Kramer Levin, with the assistance of Mathilde Pennès, student lawyer.
