International data transfers – What can we learn from Uber’s €290 million GDPR fine?

Uber has been slapped with a hefty €290 million fine from the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (AP), for breaching the GDPR rules on international data transfers. The AP imposed the penalty after Uber transferred sensitive information (including taxi licences, location data, and medical records) of European drivers to its US headquarters without implementing the necessary data protection safeguards.

If you are a UK business and you have operations or customers in the EU or around the world, you’ll need to comply with the relevant data protection laws when transferring data internationally.

Where did Uber go wrong?

The investigation that led to this fine was triggered by complaints from over 170 French Uber drivers. The AP’s investigation revealed that Uber had been transferring this sensitive data over a period of more than two years without using protections such as Standard Contractual Clauses (SCCs). Without SCCs or other GDPR-compliant international transfer safeguards, these transfers were deemed a serious violation of GDPR.

What are the key lessons for businesses?

Here are some key takeaways from this case:

  • Cross-border data transfers are under intense scrutiny: Businesses that transfer personal data outside the EU must ensure that the data is safeguarded to the same level as it would be within the EU. This means using mechanisms such as SCCs or other GDPR-compliant international data transfer mechanisms. The Uber case shows us that regulators are closely watching cross-border data transfers and are prepared to enforce compliance rigorously. For both UK and EU businesses, it highlights the risks of inadequate safeguards when working with overseas businesses, such as US service providers. UK businesses should also take note, as they too need to comply with international transfer rules under the UK GDPR, and this decision may inform similar outcomes here.
  • Significant financial penalties can be imposed: The €290 million fine against Uber is a strong warning to businesses about the severe financial risks which can arise if you neglect mandatory data protection responsibilities. European regulators are serious about GDPR enforcement, and the UK’s ICO may well follow their example in the case of serious breaches.
  • Compliance measures should be kept up to date with fast-changing rules: The scrutiny around EU-US data transfers has increased, particularly following the invalidation of the Privacy Shield. With the new EU-US Data Privacy Framework now in place, it’s critical for businesses to stay up to speed with fast-changing rules and adjust their data protection measures accordingly. For instance, make sure you are using the correct and most up-to-date version of the SCCs, or confirm that the US entity you are sharing data with is certified under the Data Privacy Framework or the UK-US Data Bridge.

How can you protect your business?

Uber’s fine is a warning of the serious consequences of non-compliance.

For businesses in both the UK and EU, it’s crucial to ensure that personal data transferred internationally is adequately protected.

When transferring personal data out of the UK, you must ensure you carefully assess your data transfers, put in place appropriate safeguards (such as SCCs or an IDTA) and complete transfer impact or risk assessments where necessary.

International data transfers can be complex and high-risk. If you need advice on making compliant international data transfers, contact our data protection law team for support.

About our expert

Lillian Tsang MBA

Senior Data Protection and Privacy Solicitor
Lillian is an experienced data protection and privacy lawyer who qualified in 2008. She advises clients on a broad range of matters, from strategic compliance with a global stance to day-to-day operations. She is also Head of Harper James' DPOaaS (Data Protection Officer as a Service) division, where we act as the external DPO for a business or provide support to existing DPOs.


