The EU's data transfer rules are a mess: Three reasons I hate Uber's €290m GDPR fine
A total car crash. Photo by Gareth Harrison on Unsplash


Last month, Uber got a GDPR fine.

The company's EU entity shared some pretty sensitive data about drivers with its US entity, allegedly including ID documents, location data, and even criminal offence data.

Because Uber made these transfers without implementing Standard Contractual Clauses (SCCs) or another transfer safeguard, the Dutch DPA found that the company had violated Article 44 of the GDPR and issued a fine of around 1% of Uber's 2023 revenues.

Here are three reasons I don't like this enforcement decision very much, and why I think it exposes some serious problems with the EU's international data transfer rules.


Reason 1. The decision reduces data protection to pointless paperwork

Because of how the GDPR is constructed, Uber's violation was not—per se—transferring personal data to the US.

Uber's violation was transferring the data without having implemented SCCs (or another safeguard—henceforth, please imagine I have written "or another safeguard" whenever I write "SCCs" unless the context implies otherwise).

The GDPR does not prohibit international data transfers—even of the types of sensitive data shared between Uber's EU and US entities.

Instead, Chapter V of the GDPR sets conditions under which those transfers may occur. Unless an exception applies, an organisation must not conduct the transfer if it cannot meet the relevant conditions.

According to Article 46 of the GDPR, one such condition is that SCCs are in place.

? So, if Uber had put SCCs in place, would everything have been OK?

Probably not.

For one of many examples, recall last year's €1.2 billion fine against Meta—which did have SCCs in place, but was nonetheless found to have violated the GDPR's data transfer rules.

Meta's problem, among other things, was that the SCCs were basically pointless.

As we know from 2020's Schrems II case, paperwork does not trump national law.

If certain governments want to access personal data, a private contract will not stop them. The same principle applies to other paper-based transfer tools, like Binding Corporate Rules (BCRs).

Meta was fined despite—or perhaps due to—having SCCs.

? So what should Meta have done?

For Meta, the solution (in theory) was to either:

  1. Implement "supplementary measures" to physically prevent the US government from accessing the data, or
  2. Not conduct the transfer at all.

? Could Uber have done that?

Maybe, sure.

Those measures actually do have data protection and privacy benefits, but they would massively disrupt the operations of US businesses.

But this article's not about that.

And nor is the decision against Uber. The Dutch DPA barely touches on any of that stuff, and focuses almost entirely on SCCs.

Here's how far the DPA gets:

  • Uber made an international data transfer.
  • Uber did not have SCCs.
  • Therefore, Uber violated Article 44 of the GDPR and gets a fine.

Even if Uber had put SCCs or BCRs in place, it likely would have faced enforcement on similar grounds to Meta.

But we can't know for sure, because this decision is all about paperwork.

(Note that, since Biden's reforms of the intelligence services in his Executive Order, DPAs have much more faith in SCCs, but this wasn't relevant at the time of the Uber investigation)

Uber was not penalised for transferring sensitive data to the US—it was penalised for failing to sign a pointless contract.

? Now, now, the SCCs might be a flawed solution to international data transfers, but they surely aren't just pointless paperwork...?

SCCs aren't always pointless!

And, particularly since this decision, I strongly recommend using them whenever you're supposed to.

But in this scenario, having the SCCs would probably have made no difference to anyone, as I'll explain below.


Reason 2. European Commission guidance supports Uber's legal interpretation

Let's put Schrems II and the arguable pointlessness of SCCs to one side.

The core problem here was that Uber took the SCCs out of its inter-company agreement.

? Everyone knows when to use SCCs. Why would Uber choose to remove them from the agreement between its EU and US entities?

Uber argued that because its US entity was subject to the GDPR under Article 3, the data transfer rules did not apply and there was no need for SCCs.

The Dutch DPA agreed on one point—Uber US was directly subject to the GDPR.

But from this common position, there's a fundamental difference in how various people interpret the GDPR's data transfer rules.

? It's hardly unusual for a controller to disagree with a DPA...

Oh, but it's not just Uber who disagrees with the DPA's interpretation of the data transfer rules—it's also the European Commission.

Uber appears to have decided not to implement the latest SCCs based on some Commission FAQs.

Among other things, the Commission's guidance addresses the following question:

Can these SCCs be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR?

This question is relevant to Uber's scenario, where its US entity was subject directly to the GDPR.

Here's the Commission's answer:

No.

? How did the Commission come to that conclusion?

According to the Commission, the SCCs do not work for importers "whose processing operations are subject to the GDPR pursuant to Article 3," as they would "duplicate and, in part, deviate from the obligations that already follow directly from the GDPR."

In other words...

The SCCs are designed to impose GDPR-style data protection obligations on controllers and processors in third countries via a contract—because third-country data protection laws are often weaker than the GDPR.

But if you're already directly covered by the GDPR the Commission doesn't see much point in imposing a contract that duplicates—or sometimes contradicts—the law itself.

The Commission also says it is working on new SCCs to cover this scenario. We're still waiting on those new SCCs.

Any day now.

? But those FAQs aren't legally binding, right?

Correct.

The Commission's guidance has no legal effect.

The regulator's interpretation of the GDPR will—and should—take precedence.

And the Dutch DPA was pretty scathing about Uber's reference to these FAQs.

It said Uber could have "in no way interpreted" the Commission's guidance as meaning that there was no need for SCCs.

? ...Really?

The question again:

"Can these SCCs be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR?"

The answer:

A straight-up "No."

...and the Dutch DPA says there is "no way" to interpret this answer as meaning that the SCCs are not to be used when the importer is subject to Article 3?

If Uber relied on these FAQs, perhaps it messed up.

But it did not misinterpret the Commission. The FAQs are very clear.

And they aren't the only place we find this interpretation.


Reason 3. The Commission's SCCs Implementing Decision supports Uber's position

Just so you know I'm keeping this all in proportion, here are a few facts about the European Commission:

  • The Commission does not enforce the GDPR.
  • The Commission's interpretation of the GDPR matters in relatively few circumstances.
  • The Commission must take advice on the GDPR from the European Data Protection Board (EDPB).
  • The Commission itself doesn't have a great data protection track record.

But here are some other Commission facts.

  • The Commission drafted the SCCs.
  • The Commission gave effect to the SCCs via an Implementing Decision.
  • The Commission drafted the GDPR, or at least the initial proposal.

Perhaps surprisingly, these things don't count for much.

But about that Implementing Decision...

? What Implementing Decision?

In 2021, the Commission adopted Implementing Decision (EU) 2021/914 to give effect to its latest set of SCCs—to make them a legitimate international data transfer mechanism under the GDPR.

The Implementing Decision isn't legally binding on Uber or other controllers, but it explains what the SCCs are and how the Commission intended them to be used.

Here's an extract from Article 1 of the Implementing Decision:

The standard contractual clauses set out in the Annex are considered to provide appropriate safeguards... for the transfer by a controller or processor of personal data processed subject to (the GDPR)... to a controller or (sub-)processor whose processing of the data is not subject to that Regulation...

Got that? According to the Implementing Decision, the SCCs are used to transfer personal data:

  • From a controller or processor subject to the GDPR,
  • To a controller or processor not subject to the GDPR.

And here's something from Recital 7:

The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of (the GDPR)...

So according to this recital, the SCCs may only be used to the extent that the importer is not covered by the GDPR.

This reflects Uber's case: Its US entity was subject to the GDPR.

So is it surprising that Uber did not put these new SCCs in its agreement? According to the Implementing Decision, the SCCs were not appropriate.

? Who cares? Why are you talking about FAQs and the recitals of Implementing Decisions?

I know, right? Again, these things don't apply to Uber.

But they do show how messed up and confusing this area of law is.

Remember, though: As far as Uber is concerned—along with virtually anyone likely to read this—the GDPR is the law, not the Implementing Decision, and certainly not some blog post, not even EDPB guidelines.

But we do know what the EDPB thinks about this issue.

? What does the EDPB think?

In the EDPB Guidelines 05/2021, the board says very clearly that an international data transfer can occur irrespective of whether Article 3 applies to the importer—though it admits that there is scope for confusion in this area and invites the Commission to resolve it.

So the EDPB disagrees with the Commission, and the Dutch DPA has to align its enforcement with the EDPB.

Now, yet again—EDPB guidelines aren't legally binding either. All that ultimately matters is what the GDPR and the CJEU say.

But given that EDPB guidelines do tell us how EU DPAs will likely interpret the law, maybe Uber should have just gone along with that interpretation to stay out of trouble.

(Except that the EDPB guidelines weren't published until long after the relevant period for this enforcement decision)

But wait...

How is this level of confusion and conflict acceptable?

Whose data is being protected here?

Who benefits from this—except people like me who are paid to explain it?

If Uber had kept the SCCs despite its interpretation of the GDPR, do we really think it would have made any meaningful difference to anyone?

I mean in the real world, not in the legal pontifications of the regulator and some LinkedIn commentators.

I don't think the Dutch DPA's decision is necessarily wrong, but I find it a particularly dull and parsimonious approach to data protection enforcement.

I love data protection. Even data transfer stuff. In fact, I confess that Chapter V GDPR is among my favourite topics (in the abstract).

But is this really what data protection should be about?


Epilogue: What I am saying and what I am not saying

In anticipation of the comments, here are a few things I do not think—or at least that I do not say above:

  • Uber did nothing wrong.
  • Uber did not violate the GDPR.
  • The Commission's FAQs or Implementing Decision have legal relevance to Uber or take precedence over the GDPR.
  • The Commission and Uber's interpretation of the GDPR is right and the Dutch DPA's interpretation is wrong.
  • The GDPR should not include rules on international data transfers.

And here are a couple of things I do think:

  • Uber drivers had a legitimate grievance and were entitled to complain about Uber's transfers of their personal data.
  • To play it relatively safe, Uber probably should have followed the EDPB Guidelines (but that's coming from a non-lawyer).
  • The Dutch DPA should have accounted for this confusion and conflict when deciding on Uber's penalty.
  • Everyone should use SCCs whenever appropriate. This decision is a good opportunity to check all your stuff.
  • The CJEU could go either way on this, but I can see it siding with the Dutch DPA against Uber.
  • At the time of Uber's alleged violations, there was no satisfactory solution beyond stopping the transfers altogether.
  • The law on international data transfers has become a confusing mess.
  • The Commission and the EDPB should resolve their differences as soon as possible so that the law is clear, predictable, and applied fairly.

Thanks for reading. If you enjoyed this rant, a less obnoxious version is available in video form on my profile.

Alessandra Vaes

Digital Economy Analyst / LL.M. / N.Y. Bar

2 months

Hello Robert. I have a question. I have been reading the EDPB Guidelines on the interplay between Article 3 of GDPR and Chapter V and they seem to make a distinction between 1) if the controller in the EU sends the sensitive data to a controller in the US (which would require appropriate safeguards such as SCCs) and 2) if the controller in the US directly collects the personal data concerning EU citizens itself (which would, in principle, not require appropriate safeguards as the controller entity is already subject to the GDPR). If I understood correctly from your analysis, it seems like you are of the position that situation (2) exists in the present case concerning Uber's US entity and I was not sure how you arrived at that conclusion. Would you mind elaborating? Thank you so much.

Reply
Alex F.

CEO & Co-founder @ Privasee

5 months

What a great post and what a great headache!

Zsolt László Bártfai LL.M CIPP/A

Data protection expert (strictly in my personal capacity)

5 months

The GDPR is a mess, gives too much room for arbitrary interpretation…

Reply
Tash Whitaker

CIPP/E, CIPM, FIP, DPO Certification (Maastricht), PG Cert DP Law & IG. Passionately curious.

5 months

Do you know if Uber are appealing?

Reply
Atanas Yordanov

Sr. Privacy Manager, Tech Lawyer, CIPP/E, CIPM

5 months

Looking at the bigger picture, do you think that fine along with the following one for 30M for the AI company, have to do with the deficit the new Dutch government is facing? (They are currently .3% short to not be in breach of EU law on max debt per year) I am taking into account that so far since the GDPR was enacted, the Dutch Supervisory Authority has only had two fines above 500K. Two! And now for the span of a few weeks - 320M combined?!


More articles by Robert Bateman
