GDPR

A recent decision by the Dutch Data Protection Authority (“DPA”) has sparked significant debate over the interpretation of the General Data Protection Regulation (“GDPR”), particularly concerning the transfer of personal data between entities within a multinational company.

The DPA imposed an astonishing €290,000,000 fine for the violation of Article 44 of the GDPR because Uber allowed transfers of personal data to the U.S. without a lawful transfer mechanism and the appropriate safeguards stipulated in the GDPR.

Article 44 GDPR:

“Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation….”

The Personal Data Transfer in question

In this decision, the internal transfer of personal data concerns two companies operated by Uber, one in the U.S. and the other within the EEA: Uber Technologies Inc. and Uber B.V.

The processing in dispute concerns two scenarios:

  1. Uber drivers based within the EEA inputting their personal data, such as name, e-mail address and telephone number, and other data such as location data, criminal records and health data, with such data being automatically transferred to Uber Technologies Inc.; and
  2. Any exercise of the data subject rights made by a driver based within the EEA is also transferred to Uber Technologies Inc. automatically upon request, for processing.

The DPA also highlighted that Uber has control over the drivers' behaviour and personal data through its platform in other ways, namely because drivers are controlled by an algorithm in the driver application, which is predetermined by Uber Technologies Inc. and through which Uber exercises control over data processing.

The Dispute

The dispute centres around Uber's argument that it did not need to implement Standard Contractual Clauses (“SCCs”) for data transfers from its EU entity to its U.S. entity, citing its interpretation of GDPR Article 3(2).

Article 3(2) GDPR:

  • This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

Uber, the global ride-hailing giant, based its argument on the extraterritorial reach of the GDPR, specifically Article 3(2), which extends the regulation's application to entities outside the EU that process personal data of EU residents. Uber contended that since its U.S. entity is already subject to the GDPR under this provision, the use of SCCs or other data transfer mechanisms was unnecessary for internal data transfers from its EU entity.

However, the Dutch DPA took a different view. The authority argued that Uber "could in no way have inferred" from the Commission’s statements that SCCs or other transfer mechanisms were unnecessary for data transfers that fall under Article 3. The DPA emphasised that compliance with Article 3(2) does not exempt a company from using SCCs when transferring data outside the EU, in line with the landmark Schrems II case.[1] In essence, the DPA suggested that Uber’s interpretation of the GDPR was flawed.

Despite its strong stance, the Dutch DPA did not provide a detailed explanation of why Uber's interpretation was incorrect in this context. This lack of elaboration has led to further uncertainty and speculation in the legal community.

A Path to the Courts?

Legal experts anticipate that this clash could lead to a preliminary reference to the Court of Justice of the European Union (“CJEU”) for clarification. The question of whether GDPR's Article 3(2) can indeed negate the need for SCCs in certain situations is a matter of significant legal interpretation. While the Dutch DPA’s position may be legally sound, the ambiguity makes it easy to understand why Uber believed its approach was valid.

A potential CJEU ruling could provide much-needed clarity, not only for Uber but for other multinational companies navigating the complex landscape of international data transfers under the GDPR.

In the meantime, the decision has underscored the ongoing challenges businesses face in interpreting and complying with the GDPR, particularly in the context of data transfers across borders. As the digital economy continues to grow, such disputes are likely to become more frequent, making clear judicial guidance all the more critical.

--

Compliance with data protection regulations is paramount and, until there is more clarity, one should always consider the use of SCCs in their agreements.

GTG’s team of seasoned advocates has extensive experience in technology law and data protection, providing you with the highest level of legal advice.

Do not hesitate to contact Dr Ian Gauci or Dr Terence Cassar for more information and assistance.

 

[1] Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems, C-311/18.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.