Safe Harbor and Privacy Shield met the same end: invalidation by the Court of Justice of the EU. Regulation of personal data transfers to the United States remains a complex and often contested issue.
American digital players have not always taken into account the chaotic adventures of European regulation and adapted their practices. For continuing his transfers, Meta received a a record fine of 1.2 billion euro in 2023
Uber had alternatives to Privacy Shield
Zuckerberg’s company wasn’t the only one to voluntarily ignore the Privacy Shield repeal, however. It is the turn of Uber, whose European headquarters are located in Amsterdam, Netherlands, to be sentenced for the same violation.
Following the collective complaint by the League of Human Rights, the Dutch CNIL has already noted that Uber is transferring the personal data of drivers to the platform in the United States.
However, the authority penalized the online service for several failures to inform drivers. Result: a fine of ten million euros. But transfers in the US, despite the lack of a legal framework, have not been forgotten.
In close cooperation with the French CNIL, the investigations and proceedings continued. And they revealed that Uber maintained its transfers outside of Europe and without “appropriate safeguards”.
Transfers without proper guarantees
To achieve these transfers, the company had several legal options, including standard contractual clauses. Uber chose to ignore them between August 6, 2021 and November 21, 2023. Only on that date did the actor return to the straight and narrow.
Indeed, on November 21, Uber registered with the Data Privacy Framework. DPF succeeded the Privacy Shield after its invalidation. However, its resilience again seems very fragile.
As for Uber, its decision to continue data transfers from 2021 to 2023 without them being “framed with appropriate safeguards” earned it a conviction for breaching the GDPR. The Dutch counterpart of cnil applies 290 million euro penalty.
