How can multinational companies avoid hefty fines by Supervisory Authorities 'a la Uber' when transferring data from the EU?
Lady Rejane Cohen
General Counsel/Associate General Counsel | International Data Privacy, Commercial & IT Contracts | Strategic Advisor & Skilled Negotiator | New York State Bar | ICO GDPR Certified Practitioner
The Dutch Data Protection Authority has just slapped Uber with a hefty €290 million fine ($320 million). This is a timely reminder of the complexity that GDPR compliance poses for US-based and multinational companies which process EU-based data in the US or elsewhere. It highlights the need for a good understanding of the cross-border transfer rules under the GDPR and of how they apply even when a user voluntarily enters data into a US-based platform.
Cross-Border Transfers and Joint Controllers: A Hidden Risk
One of the key takeaways from this case is how broadly cross-border data transfers are interpreted under the GDPR. Even if an EU-based user provides information directly to a US platform, and that information apparently pertains to employment or contractual obligations with an EU business, it can still be treated as a cross-border transfer. That is especially true where the two companies, the EU company and the US company, can be considered joint controllers of the data: the EU entity then becomes the exporter of the data, and the US company the data importer. Seen this way, an apparently simple act of collecting data can become a demanding exercise under Chapter V of the GDPR, which governs trans-border data transfers.
Standard Contractual Clauses: A much-needed Safety Net
Another important insight concerns the interaction between Article 3 (territorial scope) and Chapter V (cross-border transfers of data). Although the European Commission has in the past clarified that some SCCs may not apply ipso facto to transfers between joint controllers, this does not mean that such a transfer falls outside the GDPR's onward transfer requirements. For data controllers outside the EU that are nonetheless directly subject to the GDPR, putting SCCs or another transfer mechanism in place reduces risk: it applies the principle of 'better safe than sorry' and could save organizations from costly penalties.
Limits of Article 49 Derogations to Centralizing HR Functions
This case also highlighted how little reliance can be placed on Article 49 derogations for cross-border transfers, in particular when an attempt is made to centralize HR functions within a US parent. The systematic and repetitive nature of HR data processing means these transfers often do not meet the threshold of being necessary for the performance of a contract, or for the conclusion of a contract in the interest of the individual. Further, the absence of an objective link between the performance of the agreement and the transfer, together with the potential compromise of data protection standards, weakens the necessity argument. Speed and efficiency gains from centralization are not sufficient justifications under the stringent requirements of the GDPR.
Conclusion
Although it is worth noting that the Dutch DPA has already fined Uber 3 times (€600,000 in 2018 and €10 million in 2023), this latest fine is the starkest warning yet that compliance with the GDPR is not exactly a piece of cake, particularly for US-based and international companies. How cross-border data transfers work, how SCCs apply, and which derogations are possible under Article 49 form a minefield of rules which, if not watched carefully, may see a company paying dearly. Companies will therefore have to examine their data processing activities closely, wherever these involve EU-based data, to ensure they meet the high standards of the GDPR.