The €290 Million Wake-Up Call: GDPR Compliance in Data Transfers

Explore Uber's €290M GDPR fine for data transfer violations, its implications for global compliance, and lessons for navigating international data laws.

16 September 2024


Background

In 2020, the Privacy Shield, a legal framework governing data transfers between the EU and the U.S., was declared invalid due to concerns over U.S. surveillance practices. Although companies were allowed to use Standard Contractual Clauses (SCCs) to transfer data, these clauses needed to ensure a level of data protection equivalent to that within the EU. However, Uber failed to apply these clauses or any other sufficient safeguards for the data transfers. This resulted in a violation of Article 44 of the GDPR, which mandates that personal data transfers outside the EU must have proper protections in place.

Why It Happened

Uber's data transfers included highly sensitive information, and without adequate legal protections post-Privacy Shield, the data was vulnerable.

How the case came to light

More than 170 French Uber drivers raised concerns about how their personal data was handled, which prompted a human rights group to submit a complaint to the French authorities. This complaint was forwarded to the Dutch DPA, as Uber's European operations are based in the Netherlands.

Uber's Response

Uber disagrees with the fine, stating that the decision was unjustified and that the company operated in a period of "immense uncertainty" between the invalidation of the Privacy Shield and the establishment of the new EU-U.S. Data Privacy Framework in 2023. Uber claims it complied with GDPR requirements during this time, although the DPA concluded otherwise. Uber intends to appeal the fine, arguing that the company could not simply halt data transfers while awaiting a new legal framework.

Current Actions

As of late 2023, Uber has adopted the EU-U.S. Data Privacy Framework, which now governs data transfers between the two regions and provides sufficient legal grounds for such transfers.

Implications for US companies

As Uber appeals the fine, American technology companies should examine whether they have the proper practices and documentation in place to back up their compliance with the framework and the GDPR.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.