- Uber fined over transfers after fall of ‘Privacy Shield’
- New privacy framework could also be challenged in EU court
The Dutch Data Protection Authority fined the rideshare giant last month following complaints by more than 170 French drivers that the company transferred their location data and other sensitive information to US servers without proper safeguards. Uber’s actions constitute a “serious violation” of the European Union’s landmark General Data Protection Regulation, it said.
The transfers occurred after the EU Court of Justice’s 2020 decision striking down the 2016 EU-US Privacy Shield that gave thousands of US companies a safe harbor to transfer data west across the Atlantic. The EU didn’t approve a replacement deal, known as the EU-US Data Privacy Framework, until July 2023—and that appears likely to be challenged, too.
As Uber appeals the fine, American technology companies should examine if they have the proper practices and documentation in place to back up their compliance with the framework and the GDPR, said Joe Jones, director of research and insights for the International Association of Privacy Professionals. Already, the consumer-privacy group whose challenges led to the fall of the Privacy Shield and an earlier transatlantic agreement has signaled it’s considering taking the new framework to court. If it’s successful, companies could again be plunged into the uncertainty from which Uber’s fine derived.
“The industry breathed a sigh of relief when the agreement was adopted and they thought, ‘OK, now we’re looking forward,’” said Jones.
Despite the 2023 framework, the Dutch authority is still “going after” Uber for “this historic violation,” he said. “I suspect companies will be bristling at the severity of this.”
Uber Enforcement
Uber, like other companies, was left without the benefit of an EU-US deal overseeing its transfer practices when the Privacy Shield was struck down. This created both uncertainty from 2020 to 2023 and anticipation that the ambiguity would soon be resolved, Jones said.
This is what made the Dutch authority’s decision to go after Uber for its practices during that window such a “shock,” Jones said.
If authorities start to “retroactively fine” companies for transfers not covered by a US-EU agreement, “they would effectively make the way the entire internet worked for almost three years illegal,” the Computer & Communications Industry Association Europe said in a statement.
Uber has insisted it complied with the GDPR—and said it’s confident “common sense will prevail.”
“This flawed decision and extraordinary fine are completely unjustified,” an Uber spokesperson said in an emailed statement.
Contract Confusion
Under the GDPR, companies generally can’t transfer personal data outside the bloc without first having their data protections and procedures blessed by European officials. Lacking an EU finding that US laws provide adequate protection to EU data, agreements negotiated between the bloc and US accomplished that.
But without an intergovernmental agreement in effect from July 2020 to July 2023, companies looked to other safeguards under the GDPR, including binding corporate rules and standard contractual clauses. The latter mechanism is aimed at ensuring appropriate protections are enshrined in agreements between data exporters and importers, including related entities such as Uber Netherlands BV and Uber Technologies Inc.
The EU high court’s invalidation of the Privacy Shield in 2020 cast doubt on these clauses’ sufficiency when data moved to the US. While they remain a valid mechanism, the court said, companies relying on them must perform a case-by-case assessment of the destination country’s law to determine what additional safeguards are needed.
Uber, which stopped using the standard clauses in August 2021 during that window of uncertainty, lacked a lawful transfer mechanism, Dutch officials said, according to a translation of the Dutch enforcement decision posted on GDPRhub, which is operated by the privacy advocacy group NOYB—European Center for Digital Rights.
The Dutch enforcers rejected Uber’s argument that it was exempt from having appropriate GDPR safeguards, including the clauses, because the transfer was necessary for the performance of a contract between customers and the company, the translated decision said. They emphasized that the GDPR’s obligations on non-EU companies are meant to ensure that there’s no weakening of protections when data is moved outside of the EU.
Unlike Uber, most companies moving EU data to the US did have clauses in place for the time after the Privacy Shield fell and the new framework became effective, Jones said.
But even that may not be enough to prevent enforcement actions.
“Clearly the contracts are important, but they’re not a silver bullet,” Jones said.
Future Ambiguity
The 2023 framework won’t survive a well-argued challenge, predicted European privacy advocate Max Schrems, the chairman of NOYB, the group that successfully challenged the two earlier frameworks. Like those agreements, the new one is “going to die,” he said.
The new transatlantic deal, which allows eligible US companies to self-certify their compliance, carries over “basically the same text” as before, and it hasn’t addressed fatal flaws of its predecessors, he said.
“The heart of the problem” for EU officials and advocates is a lack of control over the extent to which US government entities can access EU citizens’ personal information stored by American companies, Goodwin Procter partner Omer Tene said.
Meta’s use of standard clauses “wasn’t enough because there’s nothing these companies can do that would be enough to mitigate the real risk here that the Europeans are concerned about—which is that the NSA or the FBI would look at this data,” he said.
Nevertheless, EU and US officials reached a deal, and months of negotiation produced some changes that might mollify EU judges. The US Justice Department has created a Data Protection Review Court, the second level of a redress system for people with complaints US intelligence violated US law.
Companies should be prepared, though, for the deal to be upended like the two before it.
Specific guidance—which is ever-evolving and subject to disagreement among EU entities—may be in flux, said Curtis, Mallet-Prevost, Colt & Mosle partner Elisa Botero, but companies can continually look to the GDPR’s focus on protecting EU citizens’ sensitive data.
“The GDPR has been pretty stable, and that’s the overarching umbrella for the whole area,” Botero said, “and the principles that underlie that regulation are pretty clear.”