Background
Ligue des droits de l'Homme (a French human rights interest group) submitted a complaint to the CNIL (the French DPA), on behalf of 170 French Uber drivers. The CNIL subsequently forwarded the complaints to the Dutch DPA, as the Lead Supervisory Authority for Uber.
Findings
The Dutch DPA's investigation found that Uber had collected sensitive information relating to its European drivers (such as taxi licence information, location data, photographs, payment information, identity documents, criminal offence data and health data) and stored this on its US servers. Over a two year period, Uber had transferred this personal data to its headquarters located in the US.
Since the EU-US Privacy Shield had been invalidated by the judgment of the Court of Justice of the European Union in Schrems II, the EU Standard Contractual Clauses ("SCCs") could have been used as an appropriate safeguard for the transfer, but only if an equivalent level of protection was guaranteed by the recipient country.
Uber had stopped using the EU SCCs from August 2021, and as a result the Dutch DPA found that Uber had transferred this personal data to the US without having an appropriate safeguard in place.
The Dutch DPA stated this was a "very serious" contravention of the requirements of the GDPR, although it highlighted that the breach was rectified at the end of 2023 when Uber signed up to the EU-US Data Privacy Framework.
Uber's response
Uber has insisted that its transfer of the personal data was done so in compliance with the GDPR, stating that "we will appeal and remain confident that common sense will prevail". To date, there has been no updates on Uber's appeal but we will share more information as it becomes published.
Data transfers help
If you have any questions relating to this decision, simplifying the complexity of international personal data transfers or any other data protection-related issues, please do contact DWF's Data Protection and Cyber Security team or contact the article author directly - Kelly Marum
