Platform Workers and Data Privacy: What is the sentiment behind Uber’s cross-border data transfers from the EU to the US?
Reshaping Work
Nikola Murdzev — a PhD Candidate at Iustinianus Primus Faculty of Law (North Macedonia), researching the impact of digitalization and correlated technological processes in the world of work. This blog is produced as a part of the Reshaping Work Fellowship Programme. The opinions and views expressed in this publication are those of the author. They do not purport to reflect the opinions or views of Reshaping Work or organisations that have supported the programme.
General Overview of Cross-Border Data Transfers from an EU Country to Another Country
Organisations operating in the European Union do not always process, store, collect or transfer personal data in full compliance with the GDPR, and at certain points some of them fall short of the level of compliance the Regulation requires.
For platform workers who earn an income through digital platforms, one of the areas where compliance matters most is the set of cross-border data transfer mechanisms under the GDPR. The applicable rules depend on two factors: (1) where the data is transferred from; and (2) where the data is transferred to, and therefore whether each end of the transfer lies inside the EU/EEA or in a third country. Cross-border transfers can be:
1. Data transfers from an EU/EEA Country to another EU/EEA Country
2. Data transfers from an EU/EEA Country to a non-EU/EEA Country
a. Data transferred from an EU/EEA Country to a non-EU/EEA Country which the European Commission has recognised, by an Adequacy Decision under Article 45 of the GDPR, as ensuring an adequate level of data protection
b. Data transferred from an EU/EEA Country to a non-EU/EEA Country without an Adequacy Decision, in which case the controller or processor must provide appropriate safeguards. Under Article 46 of the GDPR these can be:
i. Legally binding and enforceable instrument between public authorities or bodies
ii. Binding Corporate Rules
iii. Standard Contractual Clauses adopted by the European Commission
iv. Standard Contractual Clauses adopted by a supervisory authority and approved by the European Commission
v. Approved code of conduct with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards
vi. Approved certification mechanism with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.
Where neither an Adequacy Decision nor an Article 46 safeguard is in place, a transfer to a third country is lawful only under one of the narrow derogations for specific situations listed in Article 49 of the GDPR.
On July 10, 2023, the European Commission expanded the list of third countries that ensure an adequate level of protection by adopting its adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). Under this decision, personal data may flow from the EU to US organisations that have self-certified their participation in the EU-US DPF without any further transfer tool. The EU-US DPF is administered by the US Department of Commerce, which processes self-certification applications and monitors whether certified organisations continue to meet the framework's requirements for cross-border data transfers. Compliance with the EU-US DPF is enforced by the US Federal Trade Commission.
The Dutch Data Protection Authority's findings on Uber's failure to ensure an appropriate level of data protection for EU-US cross-border data transfers
The GDPR contains a section on administrative fines; additional information on GDPR administrative fines is available in the following blog post.
The case of Uber in the Netherlands signals that compliance is still presumably lacking in how personal data is processed, collected and ultimately shared by a company that is today an active participant in the EU-US Data Privacy Framework. In 2018, the Dutch Data Protection Authority (Dutch DPA) issued Uber its first administrative fine, totalling €600,000, for failing to report within the required time a data breach that occurred in 2016 and resulted in unauthorised access to drivers' and customers' personal data. The Dutch DPA's analysis concluded that the breach affected 174,000 people in the Netherlands and 57 million Uber users worldwide. The exposed categories of personal data included names, email addresses and telephone numbers of both customers and drivers.
The Dutch DPA issued Uber a second administrative fine on January 31, 2024, this time amounting to €10 million, for infringements of data protection rules concerning drivers' personal data. According to the Dutch DPA, Uber had failed to specify in its privacy terms and conditions how long drivers' personal data is retained and how the data is secured when it is transferred outside the EEA. Two specific issues stand out: (1) failure to disclose the full details of the retention periods for data concerning European drivers; and (2) failure to name the non-European countries with which Uber shares the data.
The investigations behind the second fine, and behind the third fine discussed below, were triggered by a group of more than 170 French Uber drivers. The drivers complained to the Ligue des droits de l'Homme (LDH), a French human-rights organisation, which in turn lodged a complaint with the French Data Protection Authority (CNIL). Under the GDPR's one-stop-shop mechanism, an organisation that processes personal data in several EU Member States deals with a single lead supervisory authority: the authority of the Member State in which its main establishment is located. Because Uber's European headquarters are in Amsterdam and its European legal entity is registered in the Netherlands, the French DPA forwarded the complaint to the Dutch DPA, which as lead supervisory authority has primary responsibility for investigating cross-border complaints of this kind, including complaints about the handling of data subject access requests.
The Dutch DPA's findings behind the third administrative fine show that Uber collected several categories of personal data of European drivers, including special categories of data, and transferred some of them from its EU legal entity to its US legal entity without a valid transfer mechanism under Chapter V of the GDPR. The Court of Justice of the EU invalidated the EU-US Privacy Shield in July 2020 (Schrems II), and Uber stopped using the European Commission's Standard Contractual Clauses from August 2021 onwards. According to the Dutch DPA, the transfers then continued for more than two years without any transfer tool, and the infringement ended only when Uber began relying on the EU-US Data Privacy Framework at the end of 2023; Uber's later participation in the framework does not cover those earlier transfers. The categories of personal data transferred from the EU to the US included account details, taxi licences, location data, photos of individuals, payment details, identity documents and, in some cases, criminal and medical data of the drivers.
The third administrative fine imposed on Uber in the Netherlands amounts to €290 million. The GDPR's upper fine bracket allows a maximum of 4% of a company's annual worldwide turnover, which for Uber was €34.5 billion in 2023, so the fine falls within that ceiling.
Uber can object to the Dutch DPA's decision. If the objection is unsuccessful, Uber can contest the case before the Dutch courts. The fine does not have to be paid until the objection and any subsequent appeal have been decided. Depending on the complexity of the case, a final decision may take up to four years.
The Uber case is one of the first in the EU in which an active participant in the EU-US Data Privacy Framework has been fined. It shows that certifying under the framework is not in itself sufficient to ensure an adequate level of data protection compliance: transfers that fall outside the certification, such as those Uber made without the European Commission's pre-approved Standard Contractual Clauses or any other Article 46 safeguard, still require a legitimate international transfer mechanism under the GDPR.
***
Reshaping Work Fellowship is supported by Zurich Insurance.
***
#GigEconomy #DataPrivacy #DataProtection #GDPR #PrivacyProtection