290 million reasons to know your Transfers

3 key lessons from the Dutch DPA’s €290m fine on Uber for transfers to the USA in between Privacy Shield and the Data Protection Framework.

First – it’s Summer 2020

Anyone working in Privacy in summer 2020 remembers the chilling feeling when the Schrems II decision landed – no more transfers to the USA? Wait, at all, or can we still use SCCs? What are supplemental measures? Help!

• Most UK and EEA practitioners poured over the decision, hoped EU regulators gave a similar grace period or rushed out a successor as quickly as when Safe Harbor died (spoiler: they didn’t), then reviewed all transfers to the USA, decided which might work with SCCs and supplemental measures and, if the US transfers had to keep going commercially, put SCCs + supplemental measures in place for those transfers. At least they’ve a defensible position of sorts, until the replacement adequacy decision.
• At the same time, US suppliers were churning out reasons why Schrems II was wrong, reasons why transfers to them were still fine, what supplemental measures they’d put in place, and of course offered SCCs.
• The Data Processing Addendum and the TIA were born.

Apparently Uber, not so much

It appears Uber decided not to put SCCs in place – indeed, the Dutch DPA (Autoriteit Persoonsgegevens) says Uber carried on with transfers to the USA without using any transfer tool* at all.

For a period of over 2 years, Uber transferred those data to Uber’s headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient.

* Transfer tool is a phrase that came into being with the very tardy EDPB Guidance on transfers post-Schrems II and simply means any safeguard in Chapter V of GDPR, which you can use as a basis for a transfer: adequacy decisions, SCCs, BCRs, and – go on, test you! In practice, it’s adequacy or SCCs.

SCCs *may* have saved Uber

Everyone knows the main arguments of the two camps, on SCCs and supplemental measures in the aftermath of Schrems II:

• one camp argued that no amount of supplemental measures could protect transfers to the USA save for, possibly, full encryption with encryption keys held in the EEA.
• the other camp argued that there’s a risk-based approach, based on the actual risk to individuals – cue transparency reports, Excel spreadsheets and more.

Those arguments (now moot for transfers to the USA, with the DPF adequacy decision in place) were raging in the ‘in between’ period. But at least having SCCs in place, with detailed supplemental measures, would have given Uber an argument, as the Dutch DPA noted:

According to the Court [in Schrems II], Standard Contractual Clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice.

Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected, according to the Dutch DPA. Since the end of last year, Uber uses the successor to the Privacy Shield.

But with no SCCs in place, whether or not it would have carried the day, that line of defence wasn’t available.

3 Lessons for your daily role

#1 – Know your Processors (joint controllers, separate controllers, international organisations …)

If you don’t know who your processors are, you’ve no way of knowing where your transfers are going. And you’ll have transfers to other parties such as joint controllers.

Keepabl’s instant reports surface who you’re sharing personal data with, where it’s going, and why. All essential for the next step.

#2 – Know your Transfers

Now you know who you’re sharing personal data with, you can check off the transfers. Adequacy decisions? Check. SCCs with supplemental measures if needed? Check.

Keepabl’s intuitive Data Map powers your instant Transfer Registers. Need to know transfers outside the EEA when GDPR applies? Easy. Want to see transfers from India, or the US, or Australia? Easy.

Knowing your transfers based on applicable jurisdictions lets you zero in on the appropriate transfer tool from those available.

#3 – Always (always) have an arguable position

Most importantly – do something! If there’s a compliance gap, close it. Have – at least – an arguable, defensible position. Yes, the 2020s have been a period of immense pressures on businesses with a pandemic, multiple conflicts and recessions, but even (maybe particularly) in those periods you still need to have a position.

Rise above Privacy Stress

Why not take a demo and free-trial of our award-winning Privacy Management SaaS to see how intuitive Privacy Governance can be, so you can rapidly identify those compliance gaps and have excellent reports to show regulators, auditors, customers, investors and the board.