
Uber's costly transatlantic data transfer slip: Dutch DPA imposes €290m fine

The Dutch Data Protection Authority (DPA) has fined Uber EUR290m for transferring European drivers' data, including location data, photos, ID documents and medical and criminal offence data, to its US servers without adequate safeguards.

You would be forgiven for thinking that this is just the latest example of a high-rolling disruptive organisation playing fast and loose with the law. Perhaps that is the case, but it is also fair to say that the landscape for international data transfers from the EU to third countries has evolved considerably since the implementation of the GDPR. The same is true of transfers from the UK to third countries, and the position remains nuanced.

To recap briefly: replacing the old Safe Harbor regime, the Privacy Shield mechanism was designed to allow transfers of personal data between the EU and the US in a manner that complied with the GDPR. However, in July 2020, the European Court of Justice invalidated the Privacy Shield in its judgment in the Schrems II case. As a result, data transfers from the EU to the US were only permitted if the transferor was able to rely on an "appropriate safeguard" for GDPR purposes, such as standard contractual clauses (SCCs) or binding corporate rules. In 2023 the EU issued a new adequacy decision relating to EU-US data transfers, creating the EU-US Data Privacy Framework. This left a gap of several years between the Privacy Shield and the EU-US Data Privacy Framework, and it is this period that the DPA has focused on.

To transfer personal data from the EU to the US, it appears that Uber originally relied upon the Privacy Shield mechanism, then moved to the SCCs for a period ending in August 2021 once the Privacy Shield mechanism became unavailable. At that point Uber ceased to use the SCCs, and the Dutch DPA concluded that this left the relevant personal data insufficiently protected for over two years, until Uber was able to rely on the new EU-US Data Privacy Framework.

Uber says that it plans to appeal the Dutch DPA's decision, arguing that businesses cannot be expected to wait three years for a new legal framework for data flows without guidance from privacy watchdogs on navigating the significant legal uncertainty during this period. It also appears to be claiming that the personal data it transferred to the US was protected to a GDPR standard during this time, though the nature of that argument is unclear – to date, ad hoc arrangements conferring protection on personal data do not generally constitute an "appropriate safeguard" for GDPR purposes unless formalised into binding corporate rules (using the applicable approval process).

We will continue to watch the developments in this case, as they may inform similar scenarios in the UK. Uber will not pay any fine until the legal proceedings are exhausted, so do not expect this to wrap up any time soon. More generally, this case provides a high-profile example of the challenges businesses face in protecting EU data amid legislative uncertainty, and of the financial consequences of non-compliance.

Tags

commercial, data protection