3 key lessons from the Dutch DPA’s €290m fine on Uber for transfers to the USA in between Privacy Shield and the Data Privacy Framework.
Anyone working in Privacy in summer 2020 remembers the chilling feeling when the Schrems II decision landed – no more transfers to the USA? Wait, at all, or can we still use SCCs? What are supplemental measures? Help!
It appears Uber chose to drop its SCCs rather than keep them in place – indeed, the Dutch DPA (Autoriteit Persoonsgegevens) says Uber carried on with transfers to the USA for more than two years without using any transfer tool* at all.
For a period of over 2 years, Uber transferred those data to Uber’s headquarters in the US, without using transfer tools. Because of this, the protection of personal data was not sufficient.
* Transfer tool is a phrase that came into being with the very tardy EDPB Guidance on transfers post-Schrems II and simply means any mechanism in Chapter V of GDPR which you can use as a basis for a transfer: adequacy decisions, SCCs, BCRs, and the rarer Article 46 options (approved codes of conduct, certification, ad hoc clauses) – go on, test yourself on the rest! In practice, it’s adequacy or SCCs.
Everyone knows the main arguments of the two camps, on SCCs and supplemental measures in the aftermath of Schrems II:
Those arguments (now moot for transfers to US recipients certified under the DPF, with the adequacy decision in place) were raging in the ‘in between’ period. But at least having SCCs in place, with detailed supplemental measures, would have given Uber an argument, as the Dutch DPA noted:
According to the Court [in Schrems II], Standard Contractual Clauses could still provide a valid basis for transferring data to countries outside the EU, but only if an equivalent level of protection can be guaranteed in practice.
Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU were insufficiently protected, according to the Dutch DPA. Since the end of last year, Uber has used the successor to the Privacy Shield.
But with no SCCs in place, whether or not it would have carried the day, that line of defence wasn’t available.
If you don’t know who your processors are, you’ve no way of knowing where your transfers are going. And processors aren’t the whole picture: you’ll also have transfers to other parties such as joint controllers and independent controllers.
Keepabl’s instant reports surface who you’re sharing personal data with, where it’s going, and why. All essential for the next step.
Now you know who you’re sharing personal data with, you can check off the transfers. Adequacy decisions? Check. SCCs, with a transfer impact assessment and supplemental measures where needed? Check.
Keepabl’s intuitive Data Map powers your instant Transfer Registers. Need to know transfers outside the EEA when GDPR applies? Easy. Want to see transfers from India, or the US, or Australia? Easy.
Knowing your transfers based on applicable jurisdictions lets you zero in on the appropriate transfer tool from those available.
Most importantly – do something! If there’s a compliance gap, close it. Have – at least – an arguable, defensible position. Yes, the 2020s have been a period of immense pressures on businesses with a pandemic, multiple conflicts and recessions, but even (maybe particularly) in those periods you still need to have a position.
Why not take a demo and free-trial of our award-winning Privacy Management SaaS to see how intuitive Privacy Governance can be, so you can rapidly identify those compliance gaps and have excellent reports to show regulators, auditors, customers, investors and the board.