In today’s interconnected world, businesses often find themselves transferring personal data across borders. This practice, however, comes with significant responsibilities under the General Data Protection Regulation (GDPR). The recent €290 million fine against Uber by the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (AP), highlights the seriousness of non-compliance with international data transfer regulations under the GDPR. This case serves as a warning to businesses about the critical importance of adhering to data protection rules.

The Uber Case: A Breach of GDPR Standards

In August 2024, Uber was hit with a €290 million fine after it was found that the company transferred personal information, including medical records, location data, and taxi licenses of European drivers, to its US headquarters without the required GDPR safeguards. These transfers lacked Standard Contractual Clauses (SCCs) or other GDPR-compliant safeguards, leaving sensitive data vulnerable. This investigation was initiated after complaints by over 170 French Uber drivers, showcasing the risks and financial consequences associated with improper data transfers.

Key Takeaways for Businesses

The Uber case offers several lessons that businesses operating in the UK and EU should take seriously:

1. Increased Scrutiny of Cross-Border Data Transfers: Businesses must ensure that personal data transferred outside the EU or UK is protected by safeguards that offer the same level of security as within these regions. Using SCCs or other mechanisms such as the International Data Transfer Agreement (IDTA) for UK transfers is essential to avoid penalties.

1. Financial Consequences of Non-Compliance: The hefty €290 million fine demonstrates the financial risks businesses face if they neglect their data protection obligations. GDPR non-compliance can have a severe financial impact, making it crucial for businesses to stay compliant with data transfer regulations.
2. Keeping Up with Regulatory Changes: The regulatory landscape has and continues to shift significantly. Businesses must stay informed about developments, including the new EU-US Data Privacy Framework, and implement up-to-date data protection measures.

There is also an ongoing review of SCCs. The EU Commission has launched consultations to potentially revise SCCs, particularly for situations where the data importer remains subject to the GDPR. Businesses should prepare for any updates to these clauses to ensure continued compliance with GDPR regulations.

Adequacy Regulations and Safeguards

When transferring personal data to countries outside the UK or EU, businesses must consider whether the destination country offers ‘adequate’ protection, as defined by adequacy regulations. Transfers can proceed freely if the destination country is covered by these adequacy decisions. The European Economic Area (EEA), certain territories like Gibraltar, and specific sectors in countries like Japan, Canada, and the United States (via the EU-US Data Privacy Framework) are currently deemed adequate.

The UK has also prioritized developing adequacy regulations with countries such as Australia, Brazil, India, and the Dubai International Financial Centre (DIFC).

Best Practices for International Data Transfers

To avoid the pitfalls seen in cases like Uber’s, businesses must take proactive steps to ensure compliance with data transfer regulations. By going through the following checklist before an international transfer is made business can ensure compliance with international data transfer regulations under the GDPR:

• Is there a transfer of personal data outside the UK?

• If no, the transfer can proceed.
• If yes, move to question 2.

• Is the transfer a restricted one of personal data under UK GDPR?

• If no, the transfer can proceed.
• If yes, move to question 3

• Are there UK ‘adequacy regulations’ (country, territory where receiver is located or a sector which covers the receiver)?

• If yes, the transfer can proceed.
• If no, move on to question 4.

• Have you put in place one of the ‘appropriate safeguards’ referred to in the UK GDPR, such as the IDTA or Binding Corporate Rules?

• If yes, move to question 5.
• If no, move to question 6.

• Have you conducted a risk assessment?

• If satisfied that for the data subjects of the transferred data, the relevant protections under the UK data protection regime will not be undermined, the transfer can proceed.
• If not, go to Q6.

• Does an exception provided for in the UK GDPR apply?

• If yes, you can make the transfer.
• If no, you cannot make the transfer in accordance with the UK GDPR.

If you reach the end without finding a provision which permits the restricted transfer, you are unable to make that restricted transfer in accordance with the UK GDPR.

Conclusion

The Uber case serves as a stark reminder that non-compliance with GDPR can result in significant penalties. Businesses that operate across borders must ensure they have the right safeguards in place for data transfers, such as SCCs or the IDTA. By staying informed and taking proactive measures, businesses can mitigate risks and avoid the financial and reputational damage that comes with GDPR violations.

For further guidance on how to ensure your business complies with international data protection laws, contact our expert team at FS Legal Services.