Brussels, BELGIUM – Today, the Dutch Data Protection Authority (AP) announced that it is imposing a fine of €290 million on Uber, arguing that the company’s transfers of drivers’ personal data from the European Union to the United States were in breach of the EU’s General Data Protection Regulation (GDPR).
The Computer & Communications Industry Association (CCIA Europe), however, stresses that the issue at hand dates back to 2021-2022, preceding the new EU-US Data Privacy Framework that only came into force last year. During this period, non-EU companies already subject to the GDPR had virtually no legal bases to move data to the United States.
Ever since an EU Court decided to invalidate Privacy Shield – the previous framework that allowed for data transfers between the EU and the United States – back in 2020, the so-called Schrems II ruling, European and American companies were left without any clear guidelines for transatlantic data flows for a period of nearly three years.
Moreover, this uncertainty was compounded by regulatory contradictions as a result of data protection authorities disagreeing with the European Commission. The Commission, on its part, ruled out the use of so-called Standard Contractual Clauses for non-EU companies already subject to European data protection rules. This left those companies without any straightforward mechanism to move EU data to servers in the US.*
The period of legal uncertainty did not only affect tech firms, but organisations of all types and sizes, including nonprofits and governments. Those acting in good faith longed for clarity during that period, but didn’t get any workable guidance on data flows from EU authorities. While the Data Privacy Framework finally came into effect in 2023, it does not account for the three-year legal gap left behind.
If data protection authorities now suddenly start to retroactively fine companies for data transfers during the post-Schrems II period, they would effectively make the way the entire internet worked for almost three years illegal. That means great legal uncertainty for anything that happened online between the EU and US from 2020 to 2023, ranging from video conferencing during COVID to the processing of online payments.
The following can be attributed to CCIA Europe’s Head of Policy, Alexandre Roure:
“The fact that the Dutch Data Protection Authority today decided to issue a massive fine to a tech company for EU-US data flows that happened back in 2021 ignores reality. The busiest internet route in the world could not simply be put on hold for three entire years while governments worked to establish a new legal framework for these data flows.”
“Any retroactive fines by data protection authorities are especially worrisome given that these very privacy watchdogs failed to provide helpful guidance during this period of significant legal uncertainty, in absence of any clear legal framework.”
Notes for editors
* See recital 7 of the European Commission Implementing Decision (EU) 2021/914: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914