The Dutch Uber GDPR fine has raised controversy, with many experts arguing that the situation is essentially a matter of interpretation and questioning why a company should be penalized for a legitimate interpretation of GDPR that is backed by the EU Commission’s own guidance.
Both the decision and the fine have left many GDPR observers perplexed, with some privacy activists expressing anger at the Dutch authorities' reasoning and arguing that this situation is essentially a matter of interpretation… and why should a company be heavily penalised for a legitimate and rational interpretation of GDPR and the application of Standard Contractual Clauses (SCCs) that is supported by the EU Commission’s own guidance?
See Point 24 in this EU Commission guidance. It asks:
24. Can these SCCs be used for data transfers to controllers or processors whose processing operations are directly subject to the GDPR?
No… These SCCs provide a comprehensive data protection framework that has been developed to ensure continuity of protection in case of data transfers to data importers that are not subject to the GDPR. They do not work for importers whose processing operations are subject to the GDPR pursuant to Article 3, as they would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR. The European Commission is in the process of developing an additional set of SCCs for this scenario.
The Commission believes that an enterprise already covered by GDPR should not be required to implement a contract that would either duplicate or even contradict GDPR. So, how can a company be fined so heavily for not using SCCs, as is the case here?
Note too that the Commission, in its guidance, accepts that this area may cause confusion and commits to… develop an additional set of SCCs for this scenario. Over one year later we are all still awaiting their development. (For a more detailed presentation of this argument see this excellent LinkedIn post by Robert Bateman).
Uber spokesperson Caspar Nixon told Reuters that the company was confident that "common sense will prevail" as:
"Uber’s cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and U.S."
We hope he is correct… but how much energy and resources must businesses across the EU waste in the meantime?