The Dutch Uber Decision and the Relationship Between GDPR Article 3 and Chapter V · European Law Blog – Tech Cyber Internet

Despite being one of the most talked about areas of the GDPR and the subject of a number of CJEU decisions, key elements of GDPR’s data transfer regime are still open to interpretation. One lingering area of legal ambiguity is under what circumstances transfer safeguards are required by the GDPR if a foreign firm is already subject to the GDPR. The classic data transfer scenario might involve a foreign company not governed by the GDPR receiving EU personal data transmitted by an EU based partner. In this scenario, the GDPR data transfer safeguards ensure that the GDPR’s high level of protection is not diminished when the data is moved. However, because of the GDPR’s extraterritorial effect, companies located abroad that target the EU for business can be subject to the GDPR. For these foreign companies under the GDPR’s umbrella, applying the GDPR’s data transfer safeguards is not always intuitive.

A recent enforcement action by the Dutch DPA against Uber levied a steep 290 million euro fine for failing to apply GDPR’s Chapter V transfer safeguards for the company’s EU-U.S. data transfers – the largest to date from the Dutch DPA. But Uber in the U.S. was subject to the GDPR and was primarily collecting personal data directly from drivers in the EU. This decision departed from EDPB guidance, which would not require the GDPR’s transfer safeguards for foreign companies directly collecting data from EU data subjects. The decision muddies legal requirements for data transfers, and the CJEU’s final word is necessary to clarify the relationship between the GDPR’s territorial scope and transfer regime.

 

I. GDPR Legal Obligations: Article 3 and Chapter V

Some background on the GDPR’s territorial scope and transfer safeguards is necessary to set the stage. Article 3 of the GDPR defines the territorial scope of the GDPR, while Chapter V establishes the safeguards necessary when personal data is transferred from the EU to a third country. A range of transfer mechanisms are available to support transfers from the EU to other countries under Chapter V – the most well-known among them adequacy decisions and standard contractual clauses. However, the text of the GDPR does little to answer how the territorial scope relates to the transfer mechanisms.

Under Article 3(1), entities processing EU personal data can be subject to the GDPR if they have an “establishment” in the EU, Regulation (EU) No 2016/679. However, under Article 3(2), entities can be subject to the GDPR if they do not have an establishment in the EU but are engaged in:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

 

In practice, this means the scope of the GDPR is extraterritorial, directly applying to companies operating abroad with no EU presence but that target the EU for business.

Chapter V of the GDPR sets out required safeguards for data transfers from the EU to a third country. Under Article 44, a “transfer” of data can occur to a third country only if the conditions of Chapter V are complied with. According to the CJEU, this requires maintaining an “essentially equivalent” level of protection to that in the GDPR, read in light of the EU Charter of Fundamental Rights, Case C-311/18 (para. 105). Articles 45-47 of the GDPR articulate transfer tools that entities can rely on for data flows to a third country: 1) an adequacy decision by the European Commission finding that the third country ensures an adequate level of protection, or 2) “appropriate safeguards” put in place between the data exporter and importer, such as standard contractual clauses (SCCs) adopted by the Commission, ad hoc contractual clauses approved by a competent DPA, and binding corporate rules for transfer within a multinational corporation or groups of companies. Importantly, under the recent Schrems II decision, when relying upon “appropriate safeguards” to transfer data, a firm is also required to independently assess whether that tool will ensure essentially equivalent protection or whether supplementary measures like encryption need to be implemented, Case C-311/18 (para. 105). This requires firms to analyze the proportionality of potential third country law enforcement or national security access to the transferred data. Article 49 also includes strictly interpreted derogations from the requirements for a transfer tool, like consent or contractual necessity, designed for limited and irregular transfers.

The text of the Regulation is not explicit about how Article 3 and Chapter V work together: are they applied concurrently, mutually exclusive, or some combination based on the facts? Chapter V also only requires safeguards in instances of a “transfer” – but transfer is not defined. These ambiguities start to cause issues when data is transferred to a foreign entity to which the GDPR is directly applicable, or where a foreign company governed by the GDPR is directly collecting data from EU individuals. On the one hand, when the GDPR is already applicable to a foreign company, layering Chapter V safeguards on top is duplicative. And, if a motivating concern is the potential for disproportionate government access in the non-EU jurisdiction, many basic GDPR duties already provide some backstop (e.g. requirements for DPIAs or security of processing). As such, the burdens of applying Chapter V could be weighed against relative risk, taking a narrower interpretation of the transfer rules. Others contend that the risk of potential non-EU law enforcement or national security access when data is processed abroad necessitates a broad reading of Chapter V, even when a given company is already governed by the GDPR. Chapter V also provides oversight, enforcement, and redress opportunities for firms located abroad, which can be harder to enforce against.

The latest set of SCCs released by the European Commission stoked this debate. According to the Commission’s FAQ, the current clauses only apply to transfers from entities “subject to the GDPR to transfer personal data to controllers or processors outside the EEA whose actions are not subject to the GDPR.” They cannot be used to transfer personal data to foreign entities already subject to the GDPR. The European Commission has stated that it is developing standard contractual clauses for transfers where the importer is subject to the GDPR, but it has yet to issue any additional SCCs.

Without obvious textual answers about the interplay between the GDPR’s territorial scope and its transfer obligations, the issue calls for clarification by Europe’s institutions. This need has become more pressing as enforcement around data transfers increases following the Schrems I and Schrems II judgments.

                   

II. EDPB Guidelines on the Relationship Between Article 3 and Chapter V

In 2021, the European Data Protection Board (EDPB) released guidance on the relationship between GDPR Article 3 and Chapter V to resolve these lingering ambiguities. While not binding, these highly authoritative guidelines both defined the concept of a “transfer” and concluded that in instances of direct collection of personal data from the EU, a foreign company already subject to the GDPR did not need to put in place Chapter V safeguards.

The EDPB began by defining “transfer” for the first time. As noted above, Chapter V safeguards are only implicated in instances of a “transfer” to third countries, but the GDPR does not define that term. The EDPB concluded that a transfer occurs when:

1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing.

2) The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).

3) The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

Guidelines 05/2021 (para. 9)

Under this definition, Chapter V is required for transfers from an EU entity (controller or processor) to a foreign entity already subject to the GDPR. The second criterion does require that there be two separate entities transmitting and receiving the data, but this can include joint controllers, Guidelines 05/2021 (para. 20). But, critically, under this definition a transfer does not occur when data is directly disclosed by an individual in the EU to a firm in a third country, Guidelines 05/2021 (para. 18) (“…this second criterion cannot be considered as fulfilled when there is no controller or processor sending or making the data available (i.e. no “exporter”) to another controller or processor, such as when data are disclosed directly by the data subject to the recipient”).

The EDPB also took pains to note that even when there is no transfer requiring Chapter V safeguards, companies subject to the GDPR should still assess potential third country government access in relation to their other GDPR obligations. The EDPB stated that companies processing data outside the EU are accountable for reviewing the risk of disproportionate government access, Guidelines 05/2021 (Example 12). Companies located in the EU that are subject to third country laws on government access, such as an EU subsidiary of a foreign multinational, must also consider this risk. While Chapter V may not apply, several other GDPR duties could still be triggered, such as security of processing (Article 32), data breach notification (Article 33), Data Protection Impact Assessments (Article 35), and others, Guidelines 05/2021 (para. 31).

The EDPB guidelines helped to settle the relationship between Article 3 and Chapter V, in particular by making clear that direct collection from the EU was not considered a transfer. The Board also addressed any potential gap from limiting the reach of Chapter V, concluding companies are not simply off the hook from considering the risks of third country government access to data.

 

III. Dutch DPA Uber Decision

However, a recent Dutch DPA enforcement action against Uber reopened the debate over the relationship between territorial scope and transfers. In coordination with the CNIL, the Dutch DPA announced in August 2024 that Uber transferred data to the U.S. without Chapter V safeguards, levying a fine of 290 million euro. The fine originated from a complaint to the French CNIL by NGO Ligue Des Droits De L’homme about the transfer of French Uber drivers’ data to the US. The transfer involved Uber B.V. (UBV), the Netherlands outpost of Uber, and Uber Technologies Inc (UTI), the parent company in the US. The Dutch DPA took a more expansive view of Chapter V than the EDPB. The DPA also stopped short of a crisply articulated alternative standard for its view on the relationship between Article 3 and Chapter V.

Uber historically relied upon SCCs when there was no EU-U.S. adequacy decision available, as was the case when the CJEU decision struck down the Privacy Shield in 2020 until the new Data Privacy Framework was adopted in 2023, Case No. [Redacted] (para. 42) [hereinafter Uber Decision]. In August 2021, Uber changed interpretations and decided that SCCs were not necessary since Article 3 of the GDPR directly applied to UTI’s processing of personal data in the U.S., Uber Decision (paras. 43-44). Uber then began to rely on the Data Privacy Framework in November 2023, but it had no data transfer mechanism in place from August 2021 until November 2023, Uber Decision (para. 45).

The Dutch DPA concluded Uber transferred drivers’ data to the US in two scenarios. Scenario one involved personal data of drivers in the EU collected via their Uber app and sent directly to UTI for storage in the U.S., Uber Decision (para. 17). Scenario two involved data relating to drivers’ exercise of rights under the GDPR in which UBV and UTI would collaborate; UBV scoped requests and communicated with data subjects, while UTI processed and made the requested data available to the requestor directly from UTI in the U.S., Uber Decision (para. 18).

Uber lodged several different arguments in its defense: that Chapter V was not applicable because UTI directly collected data from EU data subjects; that those data flows which did occur could not be considered international data transfers since UBV and UTI were joint data controllers to which the GDPR directly applied; and, finally, that any transfers qualified for Article 49(b-c) derogations on contractual necessity, Uber Decision (paras. 46-56). Uber also leaned on the fact that the Commission had not provided SCCs for scenarios in which the GDPR applied directly, so they had no available SCCs for any transfers from UBV to UTI, Uber Decision (para. 51).

The Dutch DPA did not accept any of these arguments. First, the DPA concluded that transfers between joint data controllers subject to the GDPR and located in different countries are governed by Chapter V, Uber Decision (paras. 97-98). This point is in agreement with the EDPB decision, which recognizes that data exchanges between joint controllers can still be a transfer, including entities that are part of the “same corporate group” when they “qualify as separate controllers or processors,” Guidelines 05/2021 (para. 21).

Where the Dutch DPA diverged from the EDPB was in its second conclusion: that both scenario one and scenario two involved a “transfer,” despite the fact that scenario one concerned EU Uber drivers’ direct transmission of data to UTI in the US. For this, the AP leaned heavily on the employment relationship with UBV and the lack of control for drivers over the terms of employment and the data collected, Uber Decision (paras. 89, 92-94). The DPA also cited policy interests for reading Chapter V’s application this broadly. A foreign company to which the GDPR applies operates outside of all layers of EU law, the DPA argued, and given the difficulty of enforcement against a foreign entity, even if the GDPR governs a foreign company the level of protection may be diminished when personal data is processed abroad, Uber Decision (paras. 66-68). The Dutch DPA contended Chapter V was designed to counterbalance these risks and should be read broadly to give full protection, Uber Decision (paras. 68-70). As to the EDPB’s view, the DPA stated there was no conflict between its decision and the Guidelines because the EDPB did not consider an example of a data exporter in the contractual employment context, Uber Decision (para. 91).

Finally, the Dutch DPA found that Uber did not have an appropriate transfer instrument in place from August 2021-November 2023, Uber Decision (para. 110). Though there were no SCCs available for scenarios in which the data importer is governed by the GDPR, the Dutch DPA said that Uber should not have concluded that SCCs or other transfer instruments were not necessary, Uber Decision (para. 109). Uber also could not rely on Chapter V’s derogations Article 49(b) or (c) on contractual necessity, as Uber’s transfers were not “incidental,” but ongoing, and were not “necessary,” Uber Decision (paras. 118-26). As a result, Uber violated Article 44.

 

IV. Analysis and Next Steps

Uber is appealing the decision. Given the conflicts between the EDPB and the Dutch position, the Dutch courts are likely to ask the CJEU to weigh in on the relationship between Article 3 and Chapter V. Despite the Dutch DPA’s take that the EDPB Guidelines can be reconciled with its view, the EDPB decision was unequivocal that direct collection of EU personal data by a third country provider subject to the GDPR is not a transfer. The Dutch DPA decision to view Uber’s activity as a data transfer even in such cases reaches the opposite result. On this point, clarity from the CJEU is crucial.

The Dutch DPA decision also adds to the confusion by failing to lay out a clear legal standard for when, under its alternative view of Article 3 and Chapter V, a foreign provider subject to the GDPR would need to apply Chapter V safeguards. The Dutch DPA not only considered the employer relationship between UBV and the drivers, but looked to a variety of other contextual factors that bore on asymmetry of the Uber-driver relationship, the involvement of both entities in determining the terms of that relationship, and the data transfer. If the CJEU determines that some instances of direct collection by third country providers are covered by Chapter V, the CJEU also has an opportunity to establish a concrete standard for when the provisions are triggered.

Until the issue is settled, EU entities subject to the GDPR under Article 3(2) uncertain of their Chapter V obligations would be wise to apply Chapter V transfer safeguards to their activity.
