A loophole in data protection legislation is costing American digital multinationals dearly. This week it cost Uber an additional 290 million euros, bringing the total to more than 2 billion. All this is due to the period between 2020 and 2023 in which there was no defined legal framework for the transfers of personal information from Europeans to the United States, even though many companies continued to do so. Now they are paying for it in fines.
The one imposed on Uber falls under the responsibility of the Dutch Data Protection Authority (DPA), which ruled this week that the sending of data from the app’s drivers across the Atlantic for three years was illegal. The DPA points out that “Uber collected, among other things, sensitive information” from workers, such as “taxi account and license data, but also location data, photographs, payment data, identity documents and, in some cases, medical and criminal data.” data from drivers.
Uber, like all American companies fined for this reason, has vigorously protested the resolution and does not accept the fine. “This erroneous decision and this extraordinary fine are completely unjustified. Uber’s cross-border data transfer process was GDPR compliant during a three-year period of immense uncertainty between the EU and the United States. We will appeal and continue to hope that common sense will prevail,” a spokesperson explained in a statement sent to elDiario.es.
The three-year gap began in July 2020, when the EU Court of Justice struck down the deal. Privacy Shield (Privacy Shield) that Brussels had signed with Washington four years earlier. This was a bilateral agreement authorizing the transfer of personal data from the EU to the United States, ensuring that this data was protected in accordance with European privacy standards.
However, the ECJ considered that this was not the case. The reason for this was US laws, which allow US intelligence services, such as the National Security Agency (NSA), to access any database without a court order, which is incompatible with European law. The author of the complaint was the young Austrian lawyer Max Schrems, who had already succeeded in 2015 in having the ECJ annul the old data transfer framework, called Safety port (Safe Port), for the same reason.
The transfers took place in a legal limbo until 2023, when the European Commission ratified a new agreement with the White House with the more modest name of “EU-US Data Protection Framework.” “According to the Court, standard contractual clauses could still constitute a valid basis for the transfer of data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice,” the DPA explains. However, “Uber had not used standard contractual clauses as of August 2021.”
“Companies are often required to take additional measures if they store personal data of European citizens outside the European Union. “Uber has not complied with the requirements,” said the director of the Dutch agency, Aleid Wolfsen: “This is very serious.”
More than 2 billion in fines
Although Uber has strongly opposed the fine and said it will appeal (a process that suspends payment until final resolution, which could take more than four years), the DPA has not been particularly harsh on the company. European law allows data protection authorities to fine companies that fail to comply with regulations up to 4% of global revenue. Uber invoiced €34.5 billion in 2023, which means the maximum fine could have been €1.38 billion.
In fact, the largest fine for data-sending practices to the US in the period 2020 to 2023 exceeds Uber’s by almost a billion. Facebook took it in 2023 and amounts to 1.2 billion. This is the strictest measure imposed in the EU on data protection and one of the largest in all areas. The sanction was reviewed by the body that brings together data protection agencies from across the EU after the Irish agency imposed a penalty that this supranational entity considered too weak.
In this case, it was considered an aggravating circumstance that, in practice, this was the third time that a European authority had made it clear to Facebook that sending its users’ personal data to the United States was illegal. The two CJEU judgments that overturned Privacy Shield And Safety port The analysis was based on transfers made by the social network, reported by Schrems. Facebook also announced that it would appeal the fine, deeming it unfair.
Other companies fined for this reason are Amazon (746 million euros, in a resolution that punishes other violations of the e-commerce giant unrelated to this case) and Google, which has received lighter sanctions from several European authorities. The search engine, however, has a pending resolution that could evolve in the same proportions as Facebook, thanks to its Advertising Analytics service.
Google and Facebook themselves are the two companies that have put the most pressure on regulators on both sides of the Atlantic to reach a new agreement that would give legal certainty to their activities. Meta has even offered its investors the possibility of withdrawing Facebook and Instagram from the EU if the situation is not resolved.
However, the peace may not last long. Noyb, the privacy association founded by Schrems, has once again denounced the new framework. “The third attempt by the European Commission to reach a stable agreement on data transfers between the EU and the US will probably be referred to the CJEU in a few months. The so-called ‘new’ transatlantic data privacy framework is largely a copy of the failed Privacy Shield. “Despite the European Commission’s PR efforts, there is little change in US law or in the EU’s approach,” it warned.
