In August 2024, Uber was issued a hefty €290 million fine by the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (AP), for breaching the GDPR rules on international data transfers. The AP imposed the penalty after Uber transferred sensitive information (including taxi licences, location data, and medical records) of European drivers to its US headquarters without implementing the necessary data protection safeguards.
If you are a UK business and you have operations or customers in the EU or around the world, you’ll need to comply with the relevant data protection laws when transferring data internationally.
Where did Uber go wrong?
The investigation that led to this fine was triggered by complaints from over 170 French Uber drivers. The AP’s investigation revealed that Uber had been transferring this sensitive data over a period of more than two years without using protections such as Standard Contractual Clauses (SCCs). Without SCCs or other GDPR-compliant international transfer safeguards, these transfers were deemed a serious violation of GDPR.
What are the key lessons for businesses?
Here are some key takeaways from this case:
- Cross-border data transfers are under intense scrutiny: Businesses that transfer personal data outside the EU must ensure that the data is safeguarded to the same level as it would be within the EU. This means using mechanisms such as SCCs or other GDPR-compliant international data transfer mechanisms. The Uber case shows that regulators are closely watching cross-border data transfers and are prepared to enforce compliance rigorously. For both UK and EU businesses, it highlights the risks of inadequate safeguards when working with overseas businesses, such as US service providers. UK businesses should take particular note, as they too need to comply with the international transfer rules under the UK GDPR, and this decision may inform similar outcomes here.
- Significant financial penalties can be imposed: The €290 million fine against Uber is a strong warning to businesses about the severe financial risks that can arise from neglecting mandatory data protection responsibilities. European regulators are serious about GDPR enforcement, and the UK’s ICO may well follow their example in the case of serious breaches.
- Compliance measures should keep pace with fast-changing rules: Scrutiny of EU-US data transfers has increased, particularly following the invalidation of the Privacy Shield. With the new EU-US Data Privacy Framework now in place, it’s critical for businesses to stay up to speed with fast-changing rules and adjust their data protection measures as required. For instance, make sure you are using the correct and most up-to-date version of the SCCs, and confirm that any US entity you share data with is compliant with the Data Privacy Framework or the US-UK Data Bridge.
Are new SCCs on the horizon?
- SCCs have gained significant attention, especially after the Uber fine, which may have spurred major developments from the EU regarding SCCs.
- The EU Commission has launched a consultation on new SCCs to complement existing SCCs, tackling the complex scenario in which the data importer is in a third country yet subject to the GDPR rules (a gap in the existing SCC regime).
- Businesses will need to watch out for this development, which may require repapering and updating their international data transfer documentation again. While this is at an early stage, with adoption planned only for the second quarter of 2025, it’s a point to have on your radar.
How can you protect your business?
Uber’s fine is a warning of the serious consequences of non-compliance.
For businesses in both the UK and EU, it's crucial to ensure that personal data transferred internationally is adequately protected.
When transferring personal data out of the UK, you must ensure you carefully assess your data transfers, put in place appropriate safeguards (such as SCCs or an IDTA) and complete transfer impact or risk assessments where necessary.
Monitor upcoming changes relevant to your industry, including possible new regulatory requirements such as the proposed new SCCs.
International data transfers can be complex and high-risk. If you need advice on making compliant international data transfers, contact our data protection law team for support.