AP (The Netherlands) - Uber: Difference between revisions
Latest revision as of 08:56, 28 August 2024
| AP - Uber | |
|---|---|
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 3 GDPR, Article 44 GDPR, Article 46 GDPR, Article 49 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 22.07.2024 |
| Published: | 25.08.2024 |
| Fine: | 290,000,000 EUR |
| Parties: | Uber B.V., Uber Technologies Inc. |
| National Case Number/Name: | Uber |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | Autoriteit Persoonsgegevens (in NL) |
| Initial Contributor: | ec |
The DPA fined Uber €290,000,000 for not having the necessary appropriate safeguards under Article 46 GDPR in place for the transfer of the Uber drivers’ personal data to the parent company in the US.
English Summary
Facts
Uber B.V. (UBV) is a company based in the Netherlands and is part of the Uber group of companies. Uber Technologies Inc. (UTI) is based in the United States (US) and is the parent company of, among others, UBV (the controller).
Drivers (the data subjects) use the Uber Driver App to offer rides to customers. Using the app requires the creation of a driver account. Via their account, data subjects are rated by their customers after a ride and paid by Uber for services rendered. Data subjects located in the EEA entered into an agreement with UBV when they made use of the app.
For this, the controller used a centralised IT infrastructure and servers located in the US. Personal data of the data subjects located in the EEA were therefore processed in the United States in two situations:
1. Through the driver app, the personal data of the data subjects, who are located within the EEA, are collected and stored on a platform physically located in the US. This includes account, location, criminal and health data, proof of identity and a cab license.
2. When data subjects want to exercise their rights under the GDPR, UBV is responsible for responding to these requests. However, as the personal data is stored in the US, UTI is responsible for making the personal data available to UBV in order to respond to requests.
UBV and UTI previously entered into the controller-to-controller standard contractual clauses of the European Commission ('SCCs') in their joint controllership agreement. However, the controllers removed the SCCs in a revision of their agreement, effective from 6 August 2021, because, according to the controllers, it followed from the European Commission's updated SCCs that SCCs may not be used when a processing falls within the scope of the GDPR.
The French DPA (“Commission Nationale de l'Informatique et des Libertés - CNIL”) received a complaint against the controllers from the French human rights interest group the Ligue des droits de l’Homme on behalf of over 170 Uber drivers. Due to Uber having its main establishment in the Netherlands, the complaint was forwarded to the Dutch DPA (“Autoriteit Persoonsgegevens – AP”). After the CJEU’s ruling in C-311/18 - Schrems II, the adequacy decision with the United States ("Privacy Shield") was no longer a valid instrument for the transfer of personal data. In light of this, the data subjects argued that the legal position of the controllers was not clear.
The controllers argued that Article 3 GDPR on the territorial scope and Chapter V GDPR on the transfer of personal data to third countries or international organisations could not apply at the same time, as UBV and UTI were joint controllers to whom the GDPR applied directly under Article 3(1) GDPR. Thus, according to the controllers, Chapter V of the GDPR could not apply and therefore there was no transfer of personal data to a third country.
The controllers further argued that they were exempted under Article 49(1)(b) and (c) GDPR from the requirement to have either an adequacy decision or appropriate safeguards under Article 46 GDPR for the transfer of personal data to the US. The controllers argued that the transfer was necessary for the performance of a contract between the controllers and the data subjects, and unavoidable due to the controllers' centralised IT infrastructure, which was in turn crucial for their specific services as well as for their global application of technical and organisational GDPR measures.
Holding
On the applicability of Article 3 GDPR and Chapter V
The DPA noted that the rationale behind Chapter V of the GDPR on data transfers is complementary to the rationale of Article 3 GDPR on the territorial scope, as it prevents the denial, undermining or circumvention of data protection under EU law. The DPA noted that although the GDPR applies to all processing operations under Article 3 GDPR, the application of the GDPR outside the EEA territory does not provide the same protection. Therefore, the provisions in Chapter V contain mechanisms which counterbalance the difficulty of enforcing obligations under EU law against parties in third countries. The DPA held that any other interpretation of these mechanisms would result in a weakening of the protection offered within the Union, which is not consistent with the standard required by the CJEU (see C-40/17 - Fashion ID). Thus, the controllers' argument that Chapter V does not apply when Article 3 GDPR applies would be contrary to the rationale behind Chapter V of the GDPR. The DPA also stated that nowhere in the GDPR is it stated that Article 3 GDPR takes precedence over Chapter V. The DPA further noted that the protection offered by the provisions of Chapter V is in fact complementary to Article 3 GDPR, setting a higher standard of protection both in practice and in law so as to avoid circumvention of the protection provided by EU law.
The DPA rejected the controllers' argument that if Article 3 GDPR and Chapter V could apply at the same time, this would be in violation of the WTO agreement, because the WTO agreement does not take precedence over EU law, specifically the GDPR.
Transfer of personal data
The DPA applied the three cumulative criteria of the EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR to qualify whether the controllers' processing operation was a transfer:
Criterion 1: A controller or a processor ("exporter") is subject to the GDPR for the given processing
The DPA found that the controllers were subject to the GDPR. The controllers themselves have also explicitly stated they are both bound by the GDPR under Article 3(1) GDPR.
Criterion 2: The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor ("importer")
The DPA dismissed the controllers' argument and stated that transfers of personal data between joint controllers who are both subject to Article 3 GDPR may also occur and are not excluded from Chapter V. The DPA reiterated that the regulation of international transfers counterbalances the difficulty of enforcing obligations under EU law against parties outside the EU.
The DPA dismissed the controllers' argument that they were in fact not the exporters of personal data, but rather the data subjects themselves, as the data subjects provide their personal data through their personal devices on the controllers' app. The DPA found that as the data subjects are required to provide their personal data through the app, which is then processed by the controllers, data subjects have little influence over their personal data. The DPA stated that even if they entered into the contract of their own free will, they have no influence in determining the purposes and means of the processing, especially since the terms and conditions that the data subjects must accept are drafted in advance and are not negotiable.
Thus, the DPA held that UBV was the exporter, who in both situations (collecting and storing personal data in the US and responding to access requests) transferred personal data from the EEA to the US.
Criterion 3: The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.
The controller UTI was geographically located in the US and imported the personal data of data subjects from the EEA into a third country under Article 44 GDPR.
Thus, the DPA held that the controllers’ processing operation should be considered a transfer as all the criteria were met. Therefore, the controllers must comply with the obligations under Chapter V of the GDPR. The DPA held that the controller UBV needed to ensure that the level of protection of natural persons guaranteed by the GDPR was not undermined and therefore needed to assess whether the transfer instrument it intends to use was effective in light of the law and legal practice in force in the third country.
Transfer mechanisms
In the absence of an adequacy decision under Article 45 GDPR between 16 July 2020 and 10 July 2023, the transfer of personal data to the US was only allowed subject to appropriate safeguards and enforceable rights and effective legal remedies.
The DPA agreed with the controllers that the European Commission in their FAQ held that SCCs cannot be used in a situation where processing by controllers falls directly under the GDPR. However, immediately after this, the European Commission stated that it was “in the process of developing an additional set of SCCs for this scenario, which will take into account the requirements that already apply directly to those controllers and processors under the GDPR." The DPA held that the controllers could not have inferred from these statements that SCCs did not need to be used if the processing fell under Article 3 GDPR. The DPA therefore held that the European Commission’s statement did not exempt the controllers from compliance with the GDPR.
Thus, the DPA found that from 6 August 2021 to 27 November 2023, the controller UBV (as exporter) did not have a lawful transfer mechanism for the transfer of personal data of the data subjects from the EEA to the United States.
The DPA did not receive an application from the controllers regarding other appropriate transfer mechanisms under Article 46 GDPR. Thus, the controllers were in violation of Article 44 GDPR.
Exception of Article 49 GDPR
The DPA held that an exception under Article 49 GDPR needs to be interpreted strictly and can only be used if strictly necessary, for example where public interests or the interests of the data subject may outweigh the (other) data subject's right to privacy.
Incidental
The DPA referred to Recital 111 and held that an exemption under Article 49 GDPR can only be used if the transfer is incidental. The DPA found that the transfer of the data subjects' data between the controllers was systematic, repetitive and ongoing and therefore not incidental.
The DPA dismissed the controllers' argument that the 'incidental' criterion is not set out in Article 49 GDPR and that recitals are not binding. Although the recital is not binding, the DPA held that recitals can explain the content of the provisions of that law, which is supported by CJEU case law (see C-528/16 - Confédération paysanne and Others).
Necessity
The DPA held that the controllers could not rely on Article 49(1)(b) and (c) GDPR, as the transfer was not necessary for the implementation of an agreement between the controllers and the data subjects. Although the controllers explained the necessity by pointing out that the transfer took place in the context of their Data Sharing Agreement, the DPA found that this did not make the transfer necessary. The DPA took into account the CJEU's judgment in C‑252/21 - Meta Platforms and Others v Bundeskartellamt, which held that the mere existence of the agreement itself cannot constitute necessity. To assume necessity, the CJEU held that there must be "no practicable, less intrusive alternatives" and the controller must be able to demonstrate this. The DPA held that the controllers failed to demonstrate the necessity. The DPA explained that the personal data could also have been processed on a server in the EU if a third country did not provide an adequate level of protection. The DPA also held that in almost every conceivable case, a transfer to a country without an adequate level of protection actually compromises the level of protection provided by the GDPR.
Conclusion
The DPA found that the controller UBV failed to provide the necessary appropriate safeguards described in Article 46(2) GDPR at least between 6 August 2021 and 27 November 2023. Thus, the controllers violated Article 44 GDPR. Due to the seriousness of the violation, the DPA imposed an administrative fine of €290,000,000 on the joint controllers.
Comment
This is the third fine the Dutch DPA has issued against Uber. The Dutch DPA fined Uber €600,000 in 2018 for violating the data breach notification obligation (see here), and €10 million in 2023 for a non-transparent privacy policy and for not allowing data subjects to exercise their rights in an accessible manner (see here). Uber has appealed the decision of 2023.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Autoriteit Persoonsgegevens, PO Box 93374, 2509 AJ Den Haag, Hoge Nieuwstraat 8, 2514 EL Den Haag, T 070 8888 500 - F 088 0712 140, autoriteitpersoonsgegevens.nl
Confidential/Registered
[confidential]
Date: 22 July 2024
Our reference: [confidential]
Contact person: [confidential]
Subject: Decision to impose an administrative fine

Dear [confidential],

The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of €290,000,000 on Uber Technologies Inc. and Uber B.V. (hereinafter together: Uber). The AP is of the conviction that Uber violated Article 44 of the General Data Protection Regulation (GDPR), because Uber allowed transfers of personal data to take place to the United States while no appropriate safeguards were provided as provided for in Chapter V of the GDPR.

The AP is of the opinion that an administrative fine on Uber is not only appropriate but also necessary. The AP has found that the interest intended by Article 44 GDPR, namely the continuity of the high level of protection of the GDPR when transferring personal data to third countries, has not been guaranteed by Uber. The AP considers that for this reason it has proceeded to enforcement against Uber.

This decision explains the administrative fine. To this end, the reason for the investigation, the facts, the established violations and the amount of the fine are subsequently discussed. Finally, the operative part follows.

Contents
1. Background investigation
2. Facts and circumstances
2.1 Introduction
2.2 Uber drivers and the driver app
2.3 Processing activities
2.4 Number of Uber drivers and GDPR requests from data subjects
2.5 The application of a transfer instrument by Uber
3. Uber's opinion
4. Assessment
4.1 Processing of personal data
4.2 Controller and authority of the AP
4.3 Territorial application areas of the GDPR chapter
4.4 Is there a transfer of personal data?
4.4.1 Legal framework
4.4.2 Assessment
4.4.3 Conclusion
4.5 Did Uber have a transfer instrument?
4.5.1 Legal framework
4.5.2 Assessment
4.5.3 Conclusion
4.6 Can Uber successfully rely on an exception to Article 49 GDPR?
4.6.1 Legal framework
4.6.2 Assessment
4.6.3 Conclusion
4.7 Final conclusion
5. The fine
5.1 Fine authority and Uber's point of view
5.2 System for determining the amount of the fine
5.3 Calculation of the amount of the fine
5.3.1 Step 1: Determining actions and infringements
5.3.2 Step 2: Determining the starting amount
5.3.3 Step 3: Assessing other relevant circumstances
5.3.4 Step 4: Exceeding the control for the infringements and the applicable maximum amounts
5.3.5 Step 5: Assessment of the requirements of effectiveness, proportionality and deterrence
6. Decision

1. Reason for the investigation

1. Uber is an internationally operating company that, among other things, acts as an intermediary between taxi drivers and passengers. Passengers use the general Uber App (for mobile phones) or, if necessary, a browser to book a ride. Drivers use the Uber Driver App (hereinafter: driver app) to offer rides.

2. To use the driver app, it is mandatory for drivers to create an account. Drivers are assessed by their customers after a trip and paid by Uber for the services provided.

3. On 12 June 2020, the Commission Nationale de l'Informatique et des Libertés (CNIL) received a complaint from the French non-governmental organisation Ligue Des Droits De L'homme Et Du Citoyen (LDH, hereinafter: the complainant) on behalf of 21 Uber drivers. Over the course, 151 more Uber drivers joined the complaint, so that it filed the complaint on behalf of 172 complainants. LDH subsequently filed an additional complaint with the CNIL on 29 September 2020, which was forwarded to the AP on 11 January 2021.

4. In this additional complaint, the complainant claims that Uber's legal position is not clear following the so-called SCHREMS II judgment of the Court of Justice of the European Union (hereinafter: CJEU). In the SCHREMS II judgment, the CJEU states that there is no equivalent level of protection in the United States for the transfer of personal data from the European Union (hereinafter also: EU) to the United States. As a result, the United States adequacy decision ('Privacy Shield') was no longer valid as an instrument for the transfer of personal data. However, the CJEU stated that "Standard Contractual Clauses" (SCC) made it possible to continue to transfer data to the United States, provided that sufficient additional measures were taken to ensure an equivalent level of protection.[1]

5. On 16 April 2021, the AP informed Uber in writing that it had launched an investigation into complaints filed by French Uber drivers. The investigation focused on whether Uber complies with the requirements set out in Chapter V of the GDPR for the transfer of personal data of drivers from the EU to the United States.

6. The AP subsequently established a violation of Article 44 of the GDPR in its investigation, because Uber allowed transfers of personal data to take place while no appropriate safeguards were provided as stipulated in Chapter V of the GDPR. The investigation report was sent to Uber by letter dated 13 April 2023. Uber provided its views on the investigation report by letter dated 9 June 2023. On 5 July 2023, Uber orally explained its views during a hearing at the AP's office.
[1] CJEU 16 July 2020, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems, C-311/18.

2. Facts and circumstances

2.1 Introduction

7. Uber is the name of an electronic platform developed by Uber Technologies Incorporated (hereinafter UTI). UTI has its headquarters in San Francisco, United States. The Uber platform is represented in the European Economic Area (hereinafter EEA) by Uber B.V. (hereinafter UBV). In cities where Uber is active, Uber enables passengers to order transport services via the Uber platform. Rides can be requested with Uber in various European cities and countries,[2] and Uber has drivers operating in those territories.

8. According to Uber’s privacy statement, UBV and UTI are joint controllers for the processing of personal data of Uber drivers in the EEA.[3] Their responsibilities for complying with the obligations under the GDPR are set out in an agreement.[4]

9. UBV has several data processing agreements with other Uber subsidiaries in EEA countries. For example, in relation to Uber France SAS, Uber’s subsidiary in France, UBV is considered the controller and Uber France SAS is considered the processor. In the data processing agreement it is stated that within this mutual relationship, UBV is the entity that makes the personal data of Uber drivers available to other subsidiaries of Uber in the EEA.[5] In an explanation, Uber indicated to the court that although UBV is responsible for the personal data of Uber drivers in the EEA, technically speaking, these are made accessible by UTI.[6]

10. Uber drivers in the EEA must enter into a contract with UBV in order to become drivers for Uber.[7]

2.2 Uber drivers and the driver app

11. Uber describes drivers as “users of the platform who provide transportation services individually or through partner transportation companies using the Uber Driver application.”[8] In order to become an Uber driver, one must create an account on the driver app.[9] In order to gain access to the platform, the driver must also accept the ‘Conditions for independent Uber Partners’.[10] These conditions can be unilaterally amended by Uber.[11] After the driver has met the requirements and logged into the app, he can ‘go online’. The driver can then accept, refuse or ignore rides (requested by passengers located nearby). A driver who is online, but who decides to refuse a requested ride three times in a row, is automatically logged out of the platform. However, the driver still retains access to the other facilities on the platform. It should be noted that a driver has the option to cancel rides that have already been accepted by him. With regard to the acceptance, refusal and cancellation of rides by the Uber driver, Uber keeps track of the percentage of rides that are cancelled by a driver.[12] [Confidential]. After completing the ride, the passenger (customer) is asked to rate the driver on a scale of 1 to 5. An average score below the threshold could (previously) lead to exclusion from the platform.

[2] File document 20, Locations of Uber.
[3] The Uber privacy notice is available at: https://www.uber.com/legal/en/document/?name=privacy-notice&country=netherlands&lang=nl
[4] Uber Data Sharing Agreement between Uber B.V. and Uber Technologies Inc. Scope: Uber Personal Data & Employee Data, closed on 6 August 2021.
[5] File document 17, Response to request for information 2, Appendix Processing Agreement Uber France SAS.
[6] See the minutes of the view hearing held on 5 July 2023.
[7] File document 4, Uber supplementary conditions for Drivers.
[8] In response to the information request of 7 July 2021, Uber B.V. provided their administration regarding Driver Personal Data Processing Activities to the AP on 9 August 2021. What is meant by this is stated under ‘III. Categories of Data Subjects Whose Personal Data Uber Processes’.

12. When requesting a ride, the driver receives information about the type of ride requested (UberX, Uber Green, etc.), the name of the passenger, the user rating, the pick-up location (including the distance to the driver), the destination location, and the estimated duration of the ride. In addition, the Uber driver can contact the passenger by text message or telephone. The passenger can in turn request a specific type of ride from one location to another and receives a price quote for the ride. After agreeing to the ride price, the information about the driver who accepted the ride is shown to the passenger. This information includes, but is not limited to, the driver's photo, name, rating, the type of ride the driver is providing, the live location, the type of car, the license plate number, and any messages and/or phone calls from the driver.

13. Uber also assigns different classifications to Uber drivers, such as Gold, Platinum or Diamond. Based on the classification, a driver is given certain privileges on rides that can be profitable.[13] To achieve a certain classification, a driver must meet the following criteria: 1) a rating of 4.85 out of 5; 2) an acceptance rate of 85% or higher, and 3) a cancellation rate of 4% or lower. Uber also has a points system with which a driver can earn points that contribute to the classification.[14]

14. Disagreements between a passenger and a driver, for example about the fare price, are handled by Uber. In such a case, Uber may unilaterally decide to refund the fare (in part or in full) to the passenger, after which the driver will be paid a lower amount for the ride.[15]

[9] General Uber Terms of Use, available at: https://www.uber.com/legal/nl/document/?name=general-terms-of-use&country=netherlands&lang=nl, article 5.3 and further.
[10] Dossier document 4 and 'Terms for independent Uber partners', updated 12 July 2020.
[11] General Uber Terms of Use, available at: https://www.uber.com/legal/nl/document/?name=general-terms-of-use&country=netherlands&lang=nl, article 16.1.
[12] [confidential]
[13] Ibid.
[14] Ibid, r.o. 1.17.
[15] Ibid, r.o. 1.16.
15. Finally, Uber can unilaterally decide to no longer grant an Uber driver access to the Uber platform. Reasons for denying access include, for example, failure to comply with the rules, fraud, unacceptable behavior or dangerous driving. However, an average rating below 4.5 out of 5 could (previously) also lead to exclusion from the platform.[16]

2.3 Processing activities

16. Uber has a centralised IT infrastructure on its platform and UTI servers located in the United States. The personal data of Uber drivers located in the EEA are therefore processed in the United States. In its investigation, the AP has identified the following two relevant situations in which processing occurs that qualify as transfers within the meaning of the GDPR.

17. In the first situation, the personal data of Uber drivers located within the EEA are collected via the driver app and stored on a platform physically located in the United States.[17] In addition to account and location data, other data is also stored in the United States (depending on the legal rules in a country), such as identity documents, criminal and health data, and a taxi license.[18]

18. The second situation concerns the exercise of GDPR rights by data subjects. UBV is responsible for assessing the scope of requests regarding the rights of data subjects and for communicating with data subjects.[19] UTI is responsible for making the personal data available to UBV in order to respond to requests from data subjects. According to the AP, there is a structural exchange of personal data between UBV in the Netherlands and UTI in the United States. Firstly, via the driver app or by email (from the device in the EEA), the personal data of Uber drivers, which are processed within the EEA under UBV's responsibility, end up on UTI's servers in the United States. Secondly, a structural exchange of personal data takes place between UBV and UTI.

19. The above situations are explained in more detail by Uber as follows.[20]

Situation 1

20. The first situation concerns the driver app within which Uber drivers in the EEA share personal data with UTI via their smartphone. When the driver uses the app for the first time, the driver is asked to provide personal data such as his name, email address and telephone number. The data is then stored on UTI's servers in the United States. Uber indicates that in this situation the driver provides his personal data directly to UTI without (technical) intervention from UBV or other European subsidiaries. This is confirmed in, among other things, the agreement between UTI and Uber B.V. on the responsibilities of both parties and other documentation provided by Uber.[21]

Situation 2

21. The second situation relates to the rights of data subjects. More specifically, 1) the assessment of the scope of the data subjects' request with regard to their rights under the GDPR, and 2) the communication with data subjects about the exercise of their rights.

22. According to Uber, data traffic takes place from the moment the Uber driver submits a request (relating to his/her rights under the GDPR) until the moment that Uber responds to the data subject's request.

[16] Ibid, r.o. 1.13.
[17] See file document 11, Response to request for information 1, Appendix section International Data Flows, page 2. See also file document 17, Response to request for information 2, Appendix UBV-UTI Data Sharing Agreement, page 2 et seq.
[18] See file document 23, Requirements for drivers and file document 17, Response to information request 2, Appendix 2012 UBV ROPA. See also file document 17, Response to information request 2, Appendix 2012 UBV ROPA, page 2. The document discusses, among other things, “evidence of health or fitness to provide services”.
[19] See file document 17, Response to information request 2, Appendix UBV-UTI Data Sharing Agreement, pages 2 and 3, “UBV shall be responsible for assessing the validity and the scope of requests for the exercise of data subject rights, and for responding to the data subjects.”
[20] See ‘Uber’s Opinion on research reports and intention to enforce’ of 9 June 2023, p. 19-26.
Uber further states that the data traffic between the data subject, UBV and UTI depends on the specific request that a driver has made. Uber then provides a description of the standard procedures used when handling a data subject's request.

23. According to Uber, the first step in such a procedure is the way in which the data subject makes the request. Uber gives drivers the opportunity to exercise their rights by: a) filling in the form in the driver app or on the Uber website; b) sending an email to Uber; or c) using other forms of communication (via a letter addressed to Uber or a telephone conversation with an Uber employee).

Ad (a)

24. The Uber driver app and the Uber website use UTI servers located in the United States. When an Uber driver wishes to exercise their rights under the GDPR directly via the Uber driver app or Uber website, the data flow related to the processing of such requests will (directly) go via the smartphone or other device of the Uber driver located in the EEA to UTI servers located in the United States. This is irrespective of the entity the data subject chooses to contact. Uber states that at this stage UTI is the only entity receiving the request, as the request is being made to Uber’s platform, which UTI operates and manages.

Ad (b)

25. An Uber driver can choose to exercise his rights by sending an email to an address within the uber.com domain (the email address ends in uber.com). Uber’s email traffic uses UTI’s IT systems located in the territory of the United States. Uber declares that in this situation, data traffic only occurs directly between the data subject (via his personal device) in the EEA and UTI’s systems located in the United States.

Ad (c)

26. The Uber driver can choose to exercise his rights under the GDPR in other ways, such as by mail or by telephone. Uber indicates that these other ways only represent a small percentage of the requests Uber drivers make in the European Union (less than 10 requests per year). If the Uber driver chooses to send a letter to UTI's address in the United States or when the Uber driver telephones an employee in the United States and indicates his wish to exercise his rights, Uber still considers this direct data traffic from the driver located in the EEA to UTI in the United States.

27. If the Uber driver chooses to send his request to UTI, which is located in the EEA, or to another subsidiary located in EEA territory, Uber will then have direct data traffic between the driver and that entity. Uber will reach the same conclusion if the Uber driver chooses to communicate by telephone with an Uber employee located in the EEA. After receiving the request, the employee advises the Uber driver to make his request in the driver app, because this is the fastest way to handle the request. If the Uber driver chooses not to do this, the employee will place a note directly in UTI's IT systems. Although these are located in the United States, the Uber employee (who is located in EEA territory) will have remote access to them.

28. In the case of letters, these are forwarded by UBV to UTI. Forwarding the letter and making a note (of a telephone conversation) is handled digitally by the UBV employee. The UBV employee connects to the Bliss Content system via the browser on his computer, which uses the UTI servers in the United States. The content of the request made by the driver is described by the employee in this system. Uber indicates that in this situation there is data traffic from the computer in the EEA to the systems in the United States.

29. In further detail of the data that is processed, Uber declares that an Uber driver who exercises a right via the driver app or website does not have to enter his personal data on the platform.

[21] See file document 17, Response to information request 2, 9 August 2021, page 16 et seq. and Appendix UBV-UTI Data Sharing Agreement, page 2 et seq.
Most Uber drivers are logged in to the platform via their personal account. The data traffic that takes place when submitting the request then consists of the specific request that the driver makes (the data that is requested) and the 'Universally Unique Identifier' (UUID) linked to the Uber driver's account. Each account on the Uber platform is linked to a UUID that can be used to identify the Uber driver on the platform and in Uber's systems.

30. If the Uber driver is not logged in to the platform (driver app or website), a request can be made on the driver app or website by providing information regarding the rights to be exercised, the name, email address and telephone number linked to the Uber driver's account. This information is necessary to link the request to the driver's UUID and to initiate the process of handling the driver's request. If the Uber driver makes the request by email, post or telephone, the driver will be asked for the same type of information.

31. The second step in the procedure is the preparatory process to answer the data subject’s request. Most data subject requests are automatically handled via the self-service portal that the Uber driver has access to. The self-service environment is located on UTI’s servers in the United States and has two functions: 1) ‘Explore Your Data’, which allows the Uber driver to view their personal data, and 2) ‘Download Your Data’, which allows an Uber driver to download a copy of their personal data. If the request can be completely handled through these functions in the self-service environment, then all the required personal data will be automatically collected in UTI’s systems in the United States. This data will then be shared directly with the data subject without any intervention from an Uber employee. In this fully automated preparation, Uber states, there is no data traffic from the EEA to the United States.

32. If the self-service environment cannot handle the request due to questions or complexity, an Uber employee must (partly) manually prepare the response to the driver's request. Uber notes that in the first four months of 2023, approximately 25 requests per month were handled in this way.

33. In the process of partially manually answering the request, a UBV employee must be able to view the data subject’s request. The employee does this by accessing UTI’s systems located in the United States via the browser of his computer that is in the EEA. Uber indicates that this situation involves data traffic from the United States to the EEA, which includes the UUID number and the content of the driver’s request.

34. Uber indicates that it depends on the type of request from the data subject which type of personal data of the Uber driver must be collected in order to respond to the request. Because Uber has a centralized IT infrastructure on the platform and UTI servers located in the United States, the personal data of Uber drivers located in the EEA are processed in the United States. In order to respond to the request, the employee must collect data located on UTI servers. In order to collect the relevant personal data on the servers, the UBV employee must assess the scope of the data subject’s request. Once the scope has been determined, the UBV employee accesses the relevant UTI systems via the browser on his computer located in the EEA. The scope of the data subject's request (parameters indicating the nature of the personal data) is entered into the search engine by the employee concerned, together with the UUID of the Uber driver.
The UTI systems then search for the personal data that meet the criteria entered in the search engine by the UBV employee. This process takes place entirely on the servers located in the United States and it takes several hours before the results of the search are transferred directly to a spreadsheet on the server in the United States. After the information has been transferred to the spreadsheet, the employee receives a message that the requested information is ready. The UBV employee can then view the spreadsheet via the browser of his computer in the EEA.

35. The UBV employee reviews the information collected and removes information that falls outside the scope of the driver's request. If the collected data does not provide the information that can be used to adequately answer the request, the employee performs a new search using the procedure described earlier. This procedure is repeated until the employee has the necessary personal information to adequately answer the request. Uber notes that the employee in question does not add any personal data to the spreadsheet.

36. Uber indicates that data collection almost exclusively involves data traffic within the United States. It is further noted that the UBV employee only has access to the personal data stored in UTI servers in the United States. Uber explicitly notes that the UBV employee has access to the personal data remotely and that this does not appear on the UBV employee's server or computer located in EEA territory. Uber only regards the entry of the selection parameters as data traffic from the EEA to the United States.

37. The final step in the (partly manual) processing of data subjects' rights is to respond to the request made by the driver. When the aforementioned spreadsheet is filled with the personal data falling within the scope of the request, the spreadsheet is ready to be shared with the Uber driver. This step is performed by the UBV employee who, from the browser on his computer, has access to the spreadsheet and UTI's systems located in the United States. The employee in question instructs the system to export the spreadsheet to the so-called 'file mailbox'. The data traffic associated with this process only concerns the data flow within the territory of the United States. Uber explains this in more detail by stating that the 'file mailbox' is located on UTI's servers and that the spreadsheet located on UTI's servers is moved from one system to another (but remains on the UTI server). Once the data is transferred to the 'file mailbox', it is opened by the UBV employee and the employee then makes it available to the Uber driver. More specifically, the 'file mailbox' sends a link to the Uber driver in the EEA and the Uber driver can download the personal data contained in the spreadsheets via the link. According to Uber, this concerns data traffic from the United States to the driver in Europe.

38. Uber notes that a temporary exception to this process exists in the case of data subject rights with regard to payment receipts. If a payment receipt is part of a driver’s inspection request, the UBV employee must download the payment receipt from the UTI servers to his computer located in the EEA. This document is then manually uploaded by the UBV employee to the “files inbox” on the servers in the United States. After this document is uploaded, the UBV employee will delete the document from their computer. The data traffic that this entails involves a transfer of personal data from the United States to the EEA and back to the United States. Uber notes that this way of processing payment receipts is temporary and that they expect this process to be aligned with the procedure described above with regard to processing data subject requests.

2.4 Number of Uber drivers and GDPR requests from data subjects

39. The AP has asked Uber about the number of registered Uber drivers in the EU and how often data subjects have invoked their GDPR rights.

40. From 6 August 2021 to mid-February 2023, there were an average of [confidential] drivers active in France and [confidential] drivers in the entire EU. On 17 February 2023, there were a total of [confidential] active drivers in the EU.[22]

41. Between August 2021 and February 2023, Uber processed [confidential] access requests from drivers from the EU with the automatic ‘download your data tool’. This allows drivers to download their personal data based on the generic categories that Uber offers in the ‘download your data tool’. Uber also executed [confidential] deletion requests for (former) drivers from the EU. Uber also states: “in addition to the use of the 'Download Your Data' tool, between 6 August 2021 and 1 February 2023, Uber processed [confidential] requests from French (former) drivers for an extended access request.”[23]

2.5 The application of a transfer instrument by Uber

42. Uber has declared the following on the transfer of personal data to third countries:[24] “For transfers of data subjects’ data to third countries, Uber’s standard practice is (and has been) to have standard contractual clauses (SCCs) in place when a third country has not been afforded an adequacy decision in order to ensure a high level of protection, and to conduct a “third party risk management” assessment to identify potential risks and ensure data protection for its user’s data.”

43. In 2021, Uber judged that no standard contractual clauses are required for the processing of EU drivers’ personal data in the United States. Uber states that there is no transfer and that the joint responsibility of UBV and UTI means that Article 3 of the GDPR applies in full to personal data processed in the United States.

[22] See file document 26, Response to request for information 4, 13 March 2023. The AP asked Uber for the number of registered drivers in the EU. The AP provided a number of reference dates to get an impression of the number of drivers over a period. Uber has provided the figures in the 28 days prior to a reference date.
[23] See file document 30, Uber’s Additional responses 23 March 2023.
[24] See file document 17, Response to request for information 2, 9 August 2021, page 6.
Referring to the updated SCCs of the European Commission,[25] Uber states the following: “In light of this, Uber revisits this joint controller agreement to delete the SCCs, and to clarify joint controller responsibilities. Therefore, Uber has adopted a new version of its joint controller agreement, in which the new regulatory requirements and relationship between UTI and UVB are reflected”.[26]

44. The Data Sharing Agreement to which Uber refers has as version date 6 August 2021.[27] Based on Uber’s declaration, the AP thus establishes that Uber removed the standard contractual clauses for the transfer of personal data to third countries from the abovementioned agreement as of 6 August 2021. Uber had also not implemented other transfer instruments after that, such as binding corporate rules or a certification mechanism.[28]

45. On 10 July 2023, the European Commission adopted the “EU-US Data Protection Framework.”[29] Uber certified under the EU-US Data Privacy Framework on 27 November 2023.[30] Uber says the following about this in its privacy statement:[31] “When we transfer user data from the EEA, UK and Switzerland, we do so on the basis of the necessity to fulfill our agreements with users, consent, adequate decisions regarding the country of transfer (available here, here or here), and transfer mechanisms such as the Standard Contractual Clauses adopted by the European Commission (and their approved equivalents for the UK and Switzerland), and the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), as set forth by the U.S. Department of Commerce. […] UTI has certified to the United States Department of Commerce that it adheres to (1) the EU-U.S. Data Privacy Framework Principles regarding the processing of personal data received from EEA member countries in reliance on the EU-U.S. DPF […] In the event that the EU-U.S. DPF or the Swiss-U.S. DPF are invalidated, Uber will transfer data that is subject to these certifications in reliance on the other data transfer mechanisms described above.”

3. Uber's Opinion

46. The AP considers that Uber violated Article 44 of the GDPR, because from 6 August 2021 to 27 November 2023, Uber allowed transfers of personal data to take place to the United States while there was no valid adequacy decision and no appropriate safeguards were provided as set out in Chapter V of the GDPR. The AP summarises Uber's opinion in Chapter 3. Chapter 4 provides the AP's legal justification for the violations and also the AP's response to Uber's opinion.

[25] Implementing Decision (EU) 2021/914 of the European Commission.
[26] See file document 17, Response to request for information 2, 9 August 2021, page 5.
[27] See file document 17, Response to information request 2, Appendix UBV-UTI Data Sharing Agreement.
[28] See articles 46 and 47 GDPR for a complete overview.
[29] https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
[30] https://www.dataprivacyframework.gov/list
[31] https://www.uber.com/legal/nl/document/?name=privacy-notice&country=france&lang=en

Application of Chapter V of the GDPR

47. Uber is of the opinion that Article 44 GDPR has not been violated, because Chapter V of the GDPR does not apply to the processing operations under consideration. Firstly, Chapter V does not apply, according to Uber, because Article 3 GDPR is already applicable. According to Uber, Chapter V is intended to capture cases that fall outside the scope of Article 3 GDPR, so that the protection provided by the GDPR is not undermined. Since the application of Article 3 GDPR already protects the data, the simultaneous application of Article 3 GDPR and Chapter V GDPR is redundant.

48. Secondly, Uber states that Chapter V is subordinate to Article 3, and therefore cannot be applied simultaneously. According to Uber, another interpretation conflicts with the EU's international obligations, in particular the WTO Agreement and the associated GATS agreement. These international obligations imply that the agreement does not allow Member States to treat non-European entities less favourably than European entities.
Case law has established that derivative Community law, including the GDPR, must be interpreted as closely as possible in line with international law. A simultaneous application of Article 3 GDPR and Chapter V conflicts with the EU's obligations under international law and with the obligation to interpret derivative Community law in line with international law. Therefore, the relationship between Article 3 GDPR and Chapter V GDPR must be interpreted in such a way that they cannot be applied simultaneously.

The concept of ‘transfer’

49. Uber states that the concept of ‘transfer’ is not defined by the GDPR. This was a conscious choice of the European legislator, who did so despite the objections and advice of various institutions such as the EDPS, the EECC and EDPB. In addition, European data protection authorities, including the AP, never gave the concept any detail until 14 February 2023, despite the fact that this was requested by various stakeholders. Only on 14 February 2023 did the EDPB come up with an elaboration of the concept of ‘transfer’, but in addition to the fact that it itself admits that it is a legally uncertain concept because the GDPR does not provide a definition of it, the EDPB’s interpretation is only one possible interpretation and is non-binding. In addition, the EDPB requested the EC to further define and clarify the concept. The AP cannot rely on this interpretation alone for the above without further substantiation.

No transfer in the present case

50. Uber further argues that there is no transfer because, according to the EDPB guidelines, there must be a processor or controller acting as an exporter of the personal data, while in the present case the aim is for data subjects to make the same personal data available directly to UTI. To the extent that it is argued that Uber exports the data because the drivers do so under the responsibility of UBV, this argument fails, because the AP introduces a new standard that does not follow from the guidelines or from the GDPR. In addition, the argument fails because 1) the actual transfer of data must be assessed, 2) the qualification as a joint controller does not imply that UBV makes the personal data available itself, and 3) from the factual and legal division of responsibilities between UBV and UTI, it does not follow that UBV is responsible for sharing personal data with UTI when a driver does so.

Transfer instruments and exceptions

51. Uber states that even if there were a transfer, this transfer would be in accordance with Chapter V GDPR. Firstly, Uber implemented standard contractual clauses in the Data Sharing Agreement (DSA) between joint controllers UBV and UTI until 6 August 2021 as a non-mandatory safeguard for the data traffic under investigation. Uber has removed the standard contractual clauses from this in good faith, because on 4 June 2021, the EC, with the introduction of new standard contractual clauses, stated in the considerations that the new standard contractual clauses may not be used insofar as processing by the importer falls within the scope of Article 3(2) of the GDPR. The lack of any progress by the EC in developing standard contractual clauses specifically for importers who already fall within the scope of the GDPR also shows that the EC has so far taken the position that the application of Article 3 of the GDPR excludes the application of Chapter V of the GDPR. According to Uber, it is in any case certain that no standard contractual clauses were available to Uber in the meantime. In addition to the standard contractual clauses, Uber believes that all alternative transfer instruments are currently not realistic alternatives.

52. Secondly, any transfer of personal data by Uber is lawful, because Uber considers that it can rely on the exception in Article 49 paragraph 1 sub c GDPR.
Uber states that transfers based on Article 49 GDPR do not require that the level of protection in the third country be broadly equivalent to the level of protection guaranteed within the EU by the GDPR. According to Uber, merely meeting the conditions stated in Article 49 GDPR is sufficient. This follows, among other things, from the wording of the GDPR and from paragraph 202 of Schrems II.

53. In any case, according to Uber, neither exception requires, as the AP states, that the transfer be ‘incidental’. Although this does follow from recital 111 GDPR, it is at odds with the text of the GDPR itself, the case law of the CJEU and the central government's manual. Firstly, ‘incidental’ does not appear in the text of the GDPR. In fact, the text states that Article 49 can also be used for a series of transfers. Secondly, recitals of the GDPR do not create new standards; they have no independent legal force, as is also confirmed by, among other things, settled case law of the CJEU. Thirdly, courts do not use ‘incidental’ as a condition, and where Article 49 is used for data transfers within a company or within a group of companies, it is interpreted broadly. Fourthly, the manual of the Ministry of Justice and Security does not mention ‘incidental’ as a condition. In addition, a ground for the transfer is required, but, as follows from Dutch case law, the required connection of necessity does not have to be strictly substantial.

54. Uber argues that, if it is assumed that there is an international transfer, it can rely on Article 49(1)(c) for the situation in which drivers make GDPR requests and on Article 49(1)(b) for the cases in which drivers use the driver app.

55. With regard to the situation in which GDPR requests are made by drivers, this transfer meets all the conditions of Article 49(1)(c) GDPR, in particular because the transfer is necessary for the conclusion or performance of an agreement concluded in the interest of the data subject between the controller and another natural or legal person. The agreement was concluded in the interest of the data subject because the DSA regulates and facilitates the GDPR rights that constitute and support the data protection of drivers; this also follows from Article 26 GDPR and the related recital 79. The transfer is further necessary for the performance of the agreement: the transfer takes place in the context of the DSA and is directly related to the completion of access requests. In addition, data transfer is unavoidable due to Uber's centralised IT infrastructure, which is in turn crucial for Uber's specific services as well as for the global application of Uber's technical and organisational GDPR measures. Finally, according to Uber, there is very little data transfer in the context of access requests (only 25 per month).

56. As regards the situation in which drivers use the driver app, the transfer meets all the conditions of Article 49(1)(b), and in particular the condition that the transfer is necessary for the performance of a contract between the data subject and the controller (UBV and UTI via the DSA). According to Uber, the necessity follows from the need to fulfil the contract between UBV and the driver. Uber must fulfil its contractual obligation to offer rides, and can only do this on the basis of the transfer of data from the driver (e.g. his location). The transfer of data is therefore necessary to fulfil the contract between the driver and Uber.

4. Assessment

4.1 Processing of personal data

57. The AP arrives at the following assessment. The creation of an account for drivers is mandatory for the use of the driver app.
The documents and personal information collected during this registration enable Uber to start its processing activities of the personal data of Uber drivers.

58. The AP has determined in paragraph 2.3 that Uber processes various data of Uber drivers in this context. In addition to account data, location data, photos, proof of payment and ratings, Uber also processes other data, such as identity documents and criminal and health data, depending on the legal rules in a country.

59. The AP is of the opinion that Uber processes personal data as referred to in Article 4(1) and (2) GDPR.

4.2 Controller and competence of the AP

60. Uber B.V. is a company established in the Netherlands and is part of the Uber group. Uber Technologies Inc. is established in the United States and is the parent company of, among others, Uber B.V. The (French) drivers have entered into an agreement with Uber B.V.

61. The terms ‘controller’ and ‘processor’ are functional terms: they are intended to allocate responsibilities according to the actual role of the parties, which means that the legal status of a party as a ‘controller’ or a ‘processor’ should in principle be determined by its actual activities in a specific situation, and not by the formal designation of a party as a ‘controller’ or ‘processor’ (e.g. in a contract).[32]

62. Uber B.V. and Uber Technologies Inc. jointly determine the purposes and means of the processing of the personal data of Uber drivers in the European Economic Area (EEA). The AP is therefore of the view that UBV and UTI should be considered joint controllers for the international transfer that is part of the two larger sets of processing activities described in situations 1 and 2. The joint controllership has not been disputed by Uber. For requests relating to the rights of data subjects (situation 2), the distribution is that UBV is responsible for assessing such requests and UTI for providing the technical means and the personal data. UTI is also the publisher of the driver app.

63. The AP further establishes that when the personal data of Uber drivers are processed, data are processed in the context of the activities of an establishment of a controller or a processor in the Union, as provided for in Article 3(1) GDPR.

64. Finally, Uber offers its services in several EU Member States and processes personal data for these services. This means that data subjects in more than one Member State are significantly affected by the processing of personal data by Uber. This constitutes cross-border processing (Article 4, opening words and point 23(a) and (b), GDPR). The AP notes that the central administration of Uber in the EEA is located at Uber B.V. Uber B.V. is therefore regarded as the main establishment within the meaning of Article 4(16) GDPR. In view of this, the AP is competent to act as the lead supervisory authority within the meaning of Article 56(1) GDPR.

[32] EDPB Guidelines 07/2020 on the concepts of ‘controller’ and ‘processor’ in the GDPR, pp. 3 and 10.

4.3 Territorial scope and Chapter V GDPR

65. Uber is of the view that Article 3 GDPR and Chapter V GDPR cannot apply simultaneously.[33]

[33] See ‘Uber opinion on investigation reports for intention to enforce’ of 9 June 2023, point 6.2.2, pp. 28-31.

66. The AP notes that the rationale of the provisions on data transfers in Chapter V GDPR is complementary to the rationale of the territorial scope of the GDPR as laid down in Article 3, namely preventing the protection provided for by EU law from being withheld, undermined or circumvented.[34] By declaring EU law applicable to processing that takes place outside the borders of the EEA, Article 3 GDPR aims to ensure the high level of data protection guaranteed by the GDPR.[35] The provisions in Chapter V GDPR on transfers achieve this by making the application of protection based on EU standards mandatory for such processing.[36]
It should be noted that while the GDPR applies to all processing under Article 3 GDPR, the application of the GDPR outside the EEA does not provide the same protection. The application of the GDPR within the Union rests on the legal framework of EU legislation in areas such as the recognition and enforcement of judgments, the rule of law, the independence of the judiciary and of the data protection authorities, and other basic areas that, by their nature, do not apply to third countries.[37] In several judgments concerning international data transfers, the CJEU has given expression to this concern by assessing whether personal data have been processed in a manner that complies with EU standards.[38] The AP therefore notes that the provisions in Chapter V contain mechanisms that counterbalance the difficulty of enforcing obligations under EU law against parties in third countries. The AP is of the view that any other interpretation of these mechanisms would lead to a weakening of the protection provided for in the Union, which does not meet the standard required by the CJEU.

67. In further explanation of the above, the AP notes that within the jurisdiction of the United States it is difficult to enforce compliance with the GDPR against foreign companies, including Uber. In order to counterbalance this, the provisions on data transfers in Chapter V do not impose a direct obligation on parties that process data in third countries, but instead require that they comply with the standards of the GDPR.

68. With regard to Uber's argument that Article 3 GDPR prevails over Chapter V, or the argument that the provisions of Chapter V should not be applied when Article 3 GDPR applies, the AP notes that any variation on the interpretation described above would be contrary to the position of Chapter V within the structure of the GDPR.[39] Article 44 GDPR establishes the connection between Chapter V and the other provisions by stipulating that transfers of personal data may only take place if all other relevant provisions of the GDPR have been complied with.[40] The CJEU has confirmed this view by stating that the transfer of personal data to a third country is processing that falls within the scope of the GDPR and that, where the GDPR applies, the provisions relating to data transfers must also apply.[41] Furthermore, the European Data Protection Board (hereinafter: EDPB) takes the position that the application of the GDPR entails that all the provisions of the GDPR apply to processing that falls within the territorial scope of the GDPR, including the obligations set out in Chapter V GDPR.[42]

[34] Concepts in data protection should be interpreted broadly so that no one is denied complete and adequate protection. This view is expressed by the CJEU in judgments on international data processing, which indicate that a consistent and uniform application of the Charter must be ensured and that circumvention of protection must be prevented. See in this regard C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraph 101 and C-131/12, Google v Spain, ECLI:EU:C:2014:317, paragraphs 54 and 58.
[35] Recital 23 GDPR.
[36] C-362/14, Schrems, ECLI:EU:C:2015:650, paragraph 73.
[37] For example, Article 36 GDPR requires prior consultation with the competent data protection authority in cases where data processing would result in a high risk. However, the GDPR does not contain any provisions that would allow a competent data protection authority to be determined for data processing outside the Union.
[38] C-362/14, Schrems, ECLI:EU:C:2015:650, para. 90; Opinion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, paras 212-215; and C-311/18, Schrems II, ECLI:EU:C:2020:559, para. 184. See also the view of the CJEU that data transfers ‘must ensure a high level of protection essentially equivalent to that under EU law’ in C-101/01, Bodil Lindqvist, EU:C:2003:596.
[39] See, for example, C-40/17, Fashion ID GmbH & Co. KG, ECLI:EU:C:2019:629, para. 50.
[40] Article 44 GDPR states that data may only be transferred if the conditions in Chapter V are fulfilled, which entails that compliance must be ensured before the transfer takes place.
[41] C-311/18, Schrems II, ECLI:EU:C:2020:559, para. 83.
[42] EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 5.

69. The AP notes that there are significant differences between Article 3 GDPR and Chapter V GDPR and explicitly states that Article 3 GDPR does not take precedence over Chapter V. Furthermore, not applying Chapter V GDPR has consequences. The territorial scope as set out in Article 3(1) GDPR means that the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, irrespective of whether the processing takes place in the Union. The GDPR is therefore also applicable if the processing does not technically take place in the Union, but is bound to the GDPR by a stable relationship with a durable establishment in the Union (such as a branch or subsidiary). Such a relationship is quite common, for example if the establishment in the Union generates revenue for the parent entity in the third country. This is certainly the case between Uber B.V. and UTI in the present case. The provisions on data transfers as set out in Chapter V, on the other hand, refer to the specific context of transfers of personal data to an entity in a third country by a processor or controller, where the exporter of the personal data must have in place appropriate safeguards to ensure that the personal data enjoy a level of protection equivalent to that provided for by the GDPR within the Union. This protection is therefore complementary to Article 3 GDPR. This additional set of provisions of the GDPR sets a high standard of protection, both in practice and in law, to prevent the protection provided for by EU law from being circumvented.[43]

[43] The CJEU noted in its judgments that the GDPR must provide sufficient protection, both in law and in practice; see C-362/14, Schrems, ECLI:EU:C:2015:650, paras 64-65 and 95; Opinion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, para. 220; and C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraphs 105 and 187.

70. Uber finally argues, with regard to the relationship between Article 3 GDPR and Chapter V GDPR, that the GDPR (being secondary EU law) must be interpreted in accordance with international agreements, in this case the WTO agreements.

71. Uber first notes that the European Union, and each of its Member States, is a party to the Marrakesh Agreement establishing the World Trade Organization (WTO Agreement)[44] and the Annexes to the WTO Agreement (including the GATS Agreement).[45] These international agreements entail that the participating states may not treat non-European entities, such as UTI, less favourably than European entities. Because, according to Uber, simultaneous application of both the obligations of the GDPR on the basis of Article 3 GDPR and Chapter V GDPR would be disadvantageous for UTI as a non-European entity, Uber is of the view that both systems cannot be applied simultaneously. In conclusion, the AP's interpretation, namely that Chapter V and Article 3 GDPR can be applied simultaneously, is, according to Uber, in contradiction with the EU's international obligations.

72. Although the AP does not dispute that the GDPR should in principle be interpreted as far as possible in accordance with international agreements, it must establish that Uber fails to recognise that it has already been established in case law that two cumulative conditions must be met for the interpretation proposed by Uber, namely:
1. The nature and purpose of that agreement (in this case the WTO Agreement) do not preclude an action for annulment or a plea of illegality of (secondary) Union law (the GDPR);
2. The provision (of the WTO Agreement) is sufficiently unconditional and sufficiently precise in content to be able to found an action for annulment or a plea of illegality of secondary Union law (the GDPR).[46]

73. It follows from settled case law that the WTO Agreement does not satisfy the first requirement in any case.[47] The rationale underlying this case law is to prevent the WTO Agreement from taking precedence over the GDPR. It also counters the proposition that the WTO Agreement is decisive for the interpretation of secondary Union law (such as the GDPR). In this context, the AP therefore also maintains its position that Article 3 GDPR (and all obligations arising from it) and Chapter V GDPR apply simultaneously in this case.

74. In addition, paragraph 3 of the introduction to the annexed schedule, to which Uber refers in its written opinion,[48] states in so many words that the rights and obligations arising from the GATS, including the schedule of commitments, do not have direct effect, “so that no direct rights for individual natural or legal persons arise from them.” Uber cannot therefore rely on the WTO Agreement and the associated GATS commitments in the present case.

[44] Marrakesh Agreement establishing the World Trade Organization, 15 April 1994.
[45] General Agreement on Trade in Services, 15 April 1994.
[46] See, in particular, the judgment of 13 January 2015, Council and Others v Vereniging Milieudefensie and Stichting Stop Luchtverontreiniging Utrecht, C-401/12 P to C-403/12 P, EU:C:2015:4, paragraph 54 and the case law cited there.
[47] See, in particular, the judgments of 23 November 1999, Portugal v Council, C-149/96, EU:C:1999:574, paragraph 47; 1 March 2005, Van Parys, C-377/02, EU:C:2005:121, paragraph 39; and 4 February 2016, C&J Clark International and Puma, C-659/13 and C-34/14, EU:C:2016:74, paragraph 85.
[48] Schedule of specific commitments of the European Union annexed to the General Agreement on Trade in Services (GATS) (OJ EU 2019/C 278), p. 59.

4.4 Is there a transfer of personal data?

4.4.1 Legal framework

75. Article 44 GDPR provides that “personal data that are being processed or are intended to be processed after transfer to a third country or an international organisation may only be transferred if, without prejudice to the other provisions of this Regulation, the controller and processor have complied with the conditions laid down in this Chapter; this also applies to onward transfers of personal data from a third country or an international organisation to another third country or an international organisation. All the provisions of this Chapter shall be applied in order to ensure that the level of protection guaranteed to natural persons by this Regulation is not undermined.”

76. Furthermore, recital 101 GDPR states that “[...] However, where personal data are transferred from the Union to controllers, processors or other recipients in third countries or international organisations, this should not jeopardise the level of protection of natural persons in the Union ensured by this Regulation, even in the case of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or in the same or another international organisation. [...] Transfers to third countries and international organisations may in any case only take place in full compliance with this Regulation.
A transfer may only take place if the controller or processor, subject to the other provisions of this Regulation, complies with the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations.”

77. The GDPR does not provide a definition of ‘transfer’. However, in its Guidelines,[50] the EDPB has established three cumulative criteria that a transfer must meet:
1. A controller or a processor (‘exporter’) is subject to the GDPR for the specific processing activity.
2. Personal data which are the subject of such processing are provided by the exporter by transmission or otherwise made available to another controller, joint controller or processor (‘importer’).[49]
3. The importer is located in a third country (whether or not this importer is subject to the GDPR for the specific processing activity in accordance with Article 3) or is an international organisation.

78. If the abovementioned criteria are met, there is a transfer and Chapter V GDPR applies. This means that the transfer may only take place under the conditions set in an adequacy decision by the European Commission[51] or by providing appropriate safeguards.[52] If this is not met, the GDPR provides derogations (exceptions) for specific situations.[53]

[49] See also EDPB Guidelines 07/2020 on the concepts of ‘controller’ and ‘processor’ in the GDPR.
[50] EDPB Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, p. 7.
[51] Article 45 GDPR.
[52] Article 46 GDPR.
[53] Article 49 GDPR.

79. In the present case, the AP assesses whether the processing described in situations 1 and 2 can be regarded as transfers of personal data that must comply with the provisions set out in Chapter V GDPR.

4.4.2 Assessment

80. With regard to the first criterion, the AP determines that the processing meets the requirements of Article 3(1) GDPR, namely that a controller or processor falls under the GDPR with respect to the processing in question.
This conclusion is acknowledged by Uber. More specifically, Uber has declared that UBV, with regard to the processing of the personal data of Uber drivers in the EEA, falls under the GDPR. Uber further emphasises that both UBV and UTI are bound by the GDPR on the basis of Article 3(1) GDPR.[54]

81. With regard to the second criterion, Uber states that there is no transfer. Uber explains this by stating that “Chapter V of the GDPR does not apply to certain aspects of Uber's business and the international data flows related thereto cannot be considered international data transfers”, because UBV and UTI are joint controllers to whom the GDPR is directly applicable under Article 3(1) GDPR. Despite this reasoning, Uber nevertheless recognises that data are transferred between UBV and UTI. However, according to its written statements, Uber believes that these should not be considered transfers because both UBV and UTI are covered by the GDPR.[55]

82. The AP takes a different view. As noted earlier, not applying Chapter V GDPR because UBV and UTI are directly subject to the GDPR would undermine the high level of protection of the GDPR. Transfers may occur in different types of circumstances where entities are subject to the GDPR under Article 3. Transfers between joint controllers under Article 3 may also occur and are not excluded from the GDPR provisions on transfers. This view is consistent with the EDPB's position as set out in the second criterion for a transfer: “Personal data which are the subject of such processing are provided by the exporter by transmission or otherwise made available to another controller, joint controller or processor (‘importer’)”.

83. The CJEU requires that data protection is effective not only in law but also in practice. This means that there must be effective redress mechanisms and legal remedies against violations of the GDPR.[56] If the processing concerned falls under the GDPR and the personal data are processed by an entity outside the Union, the processing will fall under legal frameworks that may be inconsistent with or undermine the GDPR. The rules on international transfers therefore provide a counterbalance to the difficulty of enforcing obligations under EU legislation against parties outside the Union.

[54] See also paragraph 4.2 and EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).
[55] File document 11, Response to request for information 1, Annex on International Data Flows, p. 6.
[56] See also EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) and C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraphs 186-189.

84. The concept of controller as set out in Article 4, opening words and point 7, GDPR must, according to the CJEU, be interpreted broadly in order to ensure effective and comprehensive protection of the data subject.[57] In the opinion of the AP, this view should be applied analogously to the concept of ‘exporter’. A restrictive interpretation of the criterion ‘exporter’ would mean that Uber drivers would not be effectively and fully protected, because there would then be no accountable exporter responsible for fulfilling the obligations regarding the transfer of personal data outside the EEA. The exporter is the entity that must comply with the rules on transfers in Chapter V and must assess which appropriate safeguards are necessary so that an equivalent level of protection for personal data (as guaranteed under the GDPR) is ensured. In addition, the data subject must be able to hold the controller to its accountability within the meaning of Article 5(2) in conjunction with Article 44 GDPR.

85. Furthermore, the CJEU requires that personal data originating in the Union enjoy a high level of protection, even if they are processed in or transferred to third countries. Any interpretation or implementation of the provisions of Article 3 and Chapter V must meet that standard. This is also the reason that the AP considers that the concept of ‘exporter’ in the second criterion, as elaborated in the EDPB Guidelines, may not be interpreted restrictively.

86. Developments in the law and in case law also mean that a restrictive interpretation is not consistent with the aim of providing a high level of protection for personal data.
Since the Charter of Fundamental Rights of the European Union (hereinafter: the Charter) became primary law,[58] the CJEU has relied on the Charter to emphasise the high level of protection for international transfers in the context of international agreements of the Union,[59] adequacy decisions of the Commission[60] and the Commission's standard contractual clauses (SCCs).[61] In the light of these judgments, the AP views international transfers from the perspective that the provision of a high level of protection is the starting point, and interprets the concept of ‘exporter’ broadly.

87. In the present case, and taking into account technical developments, the criterion ‘exporter’ (a controller or processor in the EEA that transfers personal data to a third country) deviates from the so-called classical model. To illustrate this, the AP notes that, within the given context, Uber provides the data subject, the Uber driver in the EEA, with extensive instructions on the supply of specific personal data. In addition, the Uber drivers must observe the conditions predefined by Uber with regard to, among other things, the processing of their personal data in the context of a (pre-)contractual employment relationship. Furthermore, Uber employees in the EEA, for example UBV employees, comply with Uber's internal policy rules that prescribe mediation between Uber drivers and UTI.[62] Uber also explained that if an Uber driver, for example, has issues taking the mandatory profile photo for the driver app, the Uber driver can go to a Greenlight Hub location in the EEA where an employee will help the Uber driver (on site) take a photo with the Uber driver's smartphone. The Uber driver can then upload the profile photo to the Uber IT platform managed by UTI, on the instruction of the employee. In this specific case, the personal data are technically transferred from the data subject's personal device in the EEA to the Uber platform managed by UTI, which is located in a third country. Despite these processing activities instructed by Uber, which take place before and during the contractual relationship between the Uber driver and UBV, Uber nevertheless attributes the continuous transfer of personal data from the EEA to a third country in situations 1 and 2 to the data subject.[63]

[57] See, for example, C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388, para. 28 and C-25/17, Jehovah's Witnesses, ECLI:EU:C:2018:551, para. 66.
[58] See also Article 6(1) TFEU.
[59] Opinion 1/15, EU-Canada PNR Agreement, ECLI:EU:C:2017:592, paras 119-231.
[60] C-362/14, Schrems, ECLI:EU:C:2015:650, paragraphs 38-40.
[61] C-311/18, Schrems II, ECLI:EU:C:2020:559, paragraph 99.

88. The AP notes that Uber drivers provide their personal data by entering them on the Uber platform, and that these data are collected by Uber via the Uber driver's personal device within the EEA and end up on Uber's IT systems (managed by UTI) in the United States. This results in a flow of personal data from the EEA to the United States. In the opinion of the AP, this does not mean that the data flows as they took place and still take place, in accordance with the description of situations 1 and 2, do not involve transfers of personal data from UBV to UTI within the meaning of the GDPR. Uber uses the driver app as a technical tool to transfer personal data from the EEA to the United States. UBV therefore bears the responsibility for, and has (technical) authority over, the transfer of personal data from the EEA to the United States.

89. Furthermore, the AP is of the opinion that the question of whether there is an international transfer should not be assessed solely on the basis of the finding that it is the driver who operates the driver app via his private device. It should also be taken into account that Uber exercises a great deal of influence on the context in which those actions and the driver's will come about.
That context consists of various elements predetermined by Uber that in fact leave the driver no other choice than to enter the data into the Uber app. The following explains which elements these are and how they determine the context in which the data transfers take place. It will become clear that the attribution of the transfer to the driver by Uber (the driver being only one link in the entire process and context of the processing) undermines the protection that the GDPR provides for the processing of personal data.

[62] An example of these policies was explained at the viewing hearing; see the minutes of the viewing hearing held on 5 July 2023.
[63] With the exception of the case where Uber sends personal data from the US to the EEA when responding to requests from data subjects about the exercise of their GDPR rights.

90. Firstly, the modern revenue model as well as the technical architecture of the platform and the internal policies of Uber are designed in such a way that they serve Uber's business purposes. In the present case, UBV, which enters into an agreement with the Uber drivers (in the EEA), is regarded as the controller who, in a pre-contractual employment relationship, initiates the collection of personal data via the Uber platform. At this stage, the drivers provide their personal data via their personal device, within the EEA, on the platform of the driver app that is managed by UTI, which is located outside the Union. From that moment on, Uber continuously collects and processes personal data via the personal device of the Uber driver. Subsequently, the personal data of Uber drivers in the EEA are, by means of transmission or otherwise, made accessible to, and stored on, the servers of UTI in the United States. The AP therefore establishes that in the contractual relationship between the Uber drivers within the EEA and UBV, UBV is the exporter of the personal data and UTI is the importer.

91. This view is consistent with the ‘effective and complete protection’ of personal data required by the CJEU. Furthermore, this interpretation is not in conflict with the Guidelines.[64] The Guidelines provide various examples illustrating in which situations a processing should be considered a transfer. However, an example of a situation such as the one in the present case, more specifically an example of an ‘exporter’ in the context of a (pre-)contractual employment relationship, is not given. In this case, the data subjects provide the personal data via their personal device on the platform operated by an entity from a third country, UTI. The contractual relationship between Uber drivers in the EEA and UBV, whose terms are unilaterally determined in advance by Uber, enables Uber drivers in the EEA to have access to the Uber driver platform. For the core activity, namely the provision of transport services on Uber's platform, it is necessary that the Uber driver uploads personal data and that Uber continuously collects personal data from the Uber driver's device. The personal data are then processed for various purposes jointly determined by UBV and UTI, which involve transfers from the EEA to the United States.

92. The AP's view, in which UBV is considered the ‘exporter’ and UTI the ‘importer’, is further confirmed by the following details of the relationship between the Uber drivers and Uber (UBV and UTI):
- The Uber driver platform has been designed by Uber in such a way that the Uber driver must enter their personal data on the platform via their personal device in order to access the platform, to plan activities (i.e. information events), to receive support and to provide transport services. Uber also provides that the personal data of drivers in the EU are processed on the UTI platform in a third country.[65] The limited actual influence that Uber drivers have over their personal data with respect to the controllers is an important factor for qualifying UBV as exporter in the present case;

[64] EDPB Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.
- With regard to the collection and/or other processing of personal data of Uber drivers via the Uber platform by UBV and UTI, the AP reiterates that the purposes and means for the processing of personal data are determined unilaterally by UBV and UTI. If a data subject decides to become an Uber driver in the EU, this requires an account on the Uber platform and then the acceptance of the general terms and conditions. By agreeing to the general terms and conditions, the Uber driver enters into a contract with UBV, whereby the Uber driver becomes subject to the predetermined purposes and means for the processing of their personal data by UTI and UBV;
- The AP explicitly notes that although Uber drivers entered into the contract of their own will, this does not automatically mean that they have influence on determining the purposes and means for processing their own personal data. Moreover, the general terms that Uber drivers must accept are established in advance and are non-negotiable. Furthermore, Uber exercises full authority over activities on the platform and the data processing resulting from these activities. For example, Uber influences certain aspects of the behaviour of Uber drivers by providing financial incentives to perform more trips and by having passengers rate their Uber driver, which may lead to the Uber driver being excluded from the platform.[66]

93. The AP has also found that Uber has control over the behaviour of Uber drivers and their personal data via its platform in other ways. Uber drivers are controlled by an algorithm of the driver app that has been determined in advance by Uber and by means of which Uber exercises control over the data processing. In addition, Uber sets certain requirements that an Uber driver must meet. In order to demonstrate that these requirements are met, the Uber driver must upload documents containing personal data to the platform. For example, an Uber driver must own a car.
The vehicles that may be driven on behalf of Uber must meet certain requirements that appear to vary from country to country in which Uber transport services are provided. The vehicles must be approved and meet the requirements for compulsory insurance. The driver must also have a driving licence and must not have a criminal record. These documents are assessed by UBV and UTI before an Uber driver is given permission and/or permission to accept rides in his/her neighbourhood. Based on the quality of the driver and the type of vehicle, the transport services offered by Uber are divided into categories. [confidential] 6TheUberdriver’spersonaldataarethenenteredonserversownedandmanagedbyUTI.These serversarelocatedintheUnitedStateswherepersonaldataarefurtherprocessed. 6AmsterdamDistrictCourt,ECLI:NL:RBAMS:2021:5029,r.o.1.13. 6Ibid,r.o.16-35. 26/48 Date OurReference 22July2024 [confidential] [confidential] [confidential] [confidential] TheremainingamountwillbepaidtotheUberdriver. Inordertodothis,thepersonaldataofUberdriversareprocessedbyUTIandUBV. Uberenablespassengerstoaccesstheirplatformandtoperformtransportservicesin observanceofUber’sgeneraltermsandconditionsthatarebindingfordrivers bymeansofanagreementfortheuseoftheplatform.Thetermsconcerntheacceptanceandpursuitofactivitiesandeventhebehaviourofdriverswhileprovidingtheservice.Asdescribedbefore,thedriversappcontains,forexample,aratingfunctionthatallowspassengerstoratedriversandviceversa.Forthispurpose,thepassengerinquestionneedsthepersonaldataofhisUberdriversothathecanassessthequalityoftherideandotheraspectsoftherideprovidedbytheUberdriver.Anaverageratingbelowthethresholdcould(previously)leadtoexclusionfromtheplatform,particularlyfordrivers.Uber therefore exercises control over the quality of the services provided by their drivers. Uber cannot perform these activities without processing personal data. In particular, granting and denying access to the platform requires personal data about the Uber driver in question. 
As previously stated, Uber assigns different classifications to Uber drivers, such as Gold, Platinum or Diamond. In order to perform these activities for the purposes mentioned above, Uber keeps information about drivers. DriverswhomakemanytripsarefinanciallyrewardedbyUber.Uberinformsdriverswhereandwhentheycancountonalargenumberoftripsand/orpreferredtripprices.Disagreementsbetweenapassengeranddriverreportedontheplatform,forexampleaboutthetripprice,arealsohandledbyUber.Ubercanunilaterallydecidetorefundthetripprice(infullorpart)tothepassenger,afterwhichthedriverwillbepaidaloweramountforthetrip.69 94. Basedontheabove,itcanbeconcludedthatUber'sactivitiesinEEAterritoryandoutsidetheirterritoryconsistofofferingtripsinavehiclelocatedandbookedbymeansoftheplatform.ProvidingthisserviceformsthecoreofUber'srevenuemodel.Theserviceisalsoofferedandunderstoodinthiswaybytheapplicants. rides. WhenriderequestersdecidetousetheUberplatform,theyarelookingforatransportservicethatprovidescertainfunctionalitiesandaspecificqualitystandard.SuchaspectsarepredeterminedandguaranteedbyUber.TheAPthereforeconsidersthatUberexercisescontroloverimportantaspectsofthetransportserviceprovidedthroughtheirplatform.ThistypeofcontrolincludesthecollectionandfurtherprocessingofthepersonaldataofUberdriversintheEEA,includingthetransferoftheirpersonaldatatothirdcountries. 68 69-434/15,AsociaciónProfesionalÉliteTaxivUberSystemsSpainSL,ECLI:EU:C:2017:981,r.o.48. Amsterdam District Court, ECLI:NL:RBAMS:2021:5029, r.o.1.16. 27/48 Date Our reference 22 July 2024 [confidential] 95. In the present case, the AP expressly notes that the processing in question cannot be regarded as 70 'internal processing'. Namely, there are two controllers, UBV established in the EU and UTI established in the United States. These entities jointly determine the purposes and means of processing personal data of Uber drivers as described in situations 1 and 2. 
Furthermore, the data subjects in question have no say over these purposes and means of processing the personal data in question. The Uber drivers can therefore not be regarded as controllers within the meaning of the GDPR for the processing of personal data as described in situations 1 and 2. 96. Finally, the third criterion requires that “the importer is located in a third country (whether or not the importer is covered by the GDPR for the purpose of the particular processing activity in accordance with Article 3) or is an international organisation.” In the present case, UTI is geographically located in the United States and is importing the personal data of Uber drivers from the EEA to a third country within the meaning of the GDPR. 4.4.3 Conclusion 97. TheAPconcludesthattheprovisionsondatatransferinChapterVGDPRarecomplementarytoArticle3GDPR.TransfersofpersonaldatabetweenjointcontrollersthatfallunderArticle3arenotexcludedfromtheGDPRprovisionsoninternationaltransfers.ThispreventstheprotectionofpersonaldataprovidedbyEUlegislationfrombeingunderminedorcircumvented. 98. Secondly, it is sufficiently clear from Article 44 GDPR (and Recital 101 GDPR) that the movement of personal data from the Union to an entity in a third country constitutes a transfer. The AP notes that in this case there is a transfer within the meaning of Article 44 GDPR, because personal data are transferred from the EEA to the United States (a third country). The AP further notes that all the criteria for transfer as set out in these Guidelines have also been met. The processing of personal data as described in situations 1 and 2 are thus regarded as transfers from the EEA to the United States. 71 99. 
ThetransferbyUBVtoUTImeansthattheexporter,UBV,mustcomplywiththeobligationsundertheGDPR,includingChapterVGDPR.Finally,UBVmustensurethatthelevelofprotectionofnaturalpersonsguaranteedbytheGDPRisnotundermined.Morein particular,UBVmustassesswhetherthetransferinstrumentitintendstouseiseffectiveinthelightoftheknowledgeandlegalpracticeinforceinthethirdcountry. 70 Inotherwords,wheredataarenotprovidedbytransmissionorotherwisemadeavailabletoanothercontrollerorprocessor,includingwheresuchprocessingtakesplaceoutsidetheEU,seeEDPBGuidelines05/2021ontheinteractionbetweentheapplicationofArticle3andtheprovisionsoninternationaltransfersinaccordancewithChapterVoftheGDPR, paragraph17. 7WiththeexceptionthatUbertransferspersonaldatafromtheUStotheEEAwhenrespondingtodatasubjects’requestsfortheexerciseoftheirGDPRrights. 7EDPBGuidelines05/2021ontheinteractionbetweentheapplicationofArticle3andtheprovisionsoninternationaltransfers inaccordancewithChapterVoftheGDPR,p.15,paragraphs25-27. 28/48 Date Our reference 22 July 2024 [confidential] 4.5 DidUberhaveatransferinstrument? 4.5.1 Legalframework 100. Article45, paragraph 1 GDPRprovides: “AtransferofpersonaldatatoathirdcountryoraninternationalorganisationmaytakeplaceiftheCommissionhasdecidedthatthethirdcountry,aterritoryoroneormorecertainsectorswithinthatthirdcountry,ortheinternationalorganisationinquestionensuresanadequatelevelofprotection.Suchatransfershallnotrequireanyspecificconsent. 101. On10July2023,theEuropeanCommissionadoptedtheAdequacyDecision.This AdequacyDecision“hastheeffectthattransfersbycontrollersandprocessorsintheUnion tocertifiedorganisationsintheUnitedStatesmaytakeplacewithoutfurtherauthorisation.ThisiswithoutprejudicetothedirectapplicationofRegulation(EU)2016/679tosuchentities,providedthattheconditionsregardingtheterritorialscopeassetoutinArticle3ofthatRegulationarefulfilled.” 102. 
Article46(1)GDPRprovides:“IntheabsenceofadecisionpursuanttoArticle45(3),atransferofpersonaldatatoathirdcountryoraninternationalorganisationbyacontrollerorprocessormayonlytakeplaceiftheyprovideadequatesafeguardsandprovideenforceablerightsandeffectivelegalremediesfordata subjects.” 103. Article46(2)GDPRprovidesthat“theadequatesafeguardsreferredtoinparagraph1maybeprovidedforbythefollowinginstrumentswithoutrequiringspecificauthorisationfromasupervisoryauthority: a)alegallybindingandenforceableinstrumentbetweenpublicauthoritiesorbodies; b)bindingcorporaterulesinaccordancewithArticle47; c)standarddataprotectionclausesadoptedbytheCommissioninpursuanttotheexaminationprocedurereferredtoinArticle93(2); (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93(2); (e) an approvedcodeofconductinaccordancewithArticle40,togetherwithbindingandenforceablecommitmentsbythecontrollerorprocessorinthethirdcountrytoapplyappropriatesafeguards,includingasregardingtherightsofdata subjects;or (f) an approvedcertificationmechanisminaccordancewithArticle42,togetherwithbindingandenforceablecommitmentsbythecontrollerorprocessorinthethirdcountrytoapplyappropriatesafeguards,includingasregardingtherightsofdata subjects." Article46(3) of the GDPR providesthat"subjecttotheauthorisationofthecompetentsupervisory authority,theappropriatesafeguardsreferredtoinparagraph1mayalsobeprovidedfor,inparticular,by: a)contractualclausesbetweenthecontrollerorprocessorandthecontroller,the processor or recipient of the personal data in the third country or the international organisation; or[…] 7DecisionoftheEuropeanCommissionof10July2023on'theadequatelevelofprotectionofpersonaldataundertheEU-USDataPrivacy Framework'(C2023/4745final),paragraph8,p.3. 29/48 Date Our reference 22July2024 [confidential] 4.5.2 Assessment 104. 
Article44GDPRdescribesthegeneralprincipleontransfers,notingthattheprovisionsofChapterVshouldbeappliedtoensurethatthelevelofprotectionguaranteedbytheGDPRisnotunderminedwhenpersonaldataaretransferredtoathirdcountry. ChapterFishisalsointendedtoensurethatthestandardofprotectionresultingfromEUlawisnotcircumventedbytransfersofpersonaldatatoathirdcountryforthepurposeofprocessingthere. 75 105. IntheabsenceofanadequacydecisionwithinthemeaningofArticle45GDPR,transfersofpersonaldatatotheUnitedStatesmayonlytakeplacebetween16July2020and10July2023ifappropriatesafeguardswereprovidedanddatasubjectshadenforceablerightsandeffectivelegalredress.TheAPconsidersthattheseappropriatesafeguardsprovidedbythecontrollershouldensurethattherightsofthedatasubjecttothetransferareenjoyalevelofprotectionessentiallyequaltothatresultingfromtheGDPR,readinthelightoftheCharter. 106. The EDPB states in its guidelines that “where one of the transfer tools listed in Article 46 of the GDPR is relied upon, it should be assessed whether it ensures a level of protection of the transferred data that is substantially equivalent to that ensured in the EU, or whether additional measures should be taken, and where a controller or processor transfers data to an importer in a third country whose processing falls under Article 3(2) of the GDPR, the protection afforded by the GDPR may also be undermined by the legal framework applicable to the importer.” 
TheAPestablishesthatwheretheGDPRisdirectlyapplicableonthebasisofArticle3(1)GDPR,thesameargumentcanbefollowedwhenoneofthejointcontrollersisestablishedoutsidetheUnion.TheAPfurthernotesthatwhenpersonaldataareprocessedintheEEA,theyarenotonlyprotectedbytheprovisionsintheGDPR,butalsobyotherEUandMemberStatelegislation.Whenpersonaldataaretransferredand/ormadeaccessibletoentitiesoutsidetheEEA,theoverarchinglegalframeworkprovidedwithintheUnionisnolongerapplicable.Inthisregard,ChapterVAGhasnotestablishedamechanismtoensurethatthelevelofprotectionofnaturalpersonsguaranteedbytheGDPRisnotundermined.Themechanismsfordatatransferprovideadditional provisionstoensurethenecessarysafeguardstopreventtheprotectionprovidedbytheGDPRandthebroaderlegalframeworkoftheEEAfrombeingunderminedbyforeignlegislation, evenwheretheGDPRisdirectlyapplicableonthebasisofArticle3GDPR. 7Recital6oftheGDPRstatesthata'highlevel'ofprotectionofpersonaldatamustbeguaranteedbothwithintheUnionandinthecaseofatransfer outsidetheUnion.Seealsorecital101oftheGDPR. 7C-362/14,Schrems,ECLI:EU:C:2015:650,paragraph73andConclusion1/15,EU-CanadaPNRAgreement,ECLI:EU:C:2017:592,margin214. 7EDPBGuidelines5/2021ontheinteractionbetweentheapplicationofArticle3andtheprovisionsoninternationaltransfers underChapterVoftheGDPR,p.6,margins3and4.SeealsoEDPBRecommendations01/2020onmeasuressupplementingtransferinstrumentstoensurecompliancewiththelevelofprotectionofpersonaldataintheUnion,EDPBRecommendations02/2020 ontheEuropeanessentialguaranteesforsurveillancemeasuresandC-311/18,SchremsII,ECLI:EU:C:2020:559. 30/48 Date Our reference 22 July 2024 [confidential] 107. The EDPB Guidelines further state that “this means that the exporter must comply with the conditions of Chapter V and must use one of the instruments intended to protect the personal data after they have been transferred to a third country or an international organisation.” 108. 
TheAPhasestablishedthatUBVdidnothavealawfultransfermechanisminplacefrom6August2021to27November2023forthetransferofpersonaldatafromtheEEAtotheUnitedStates.InresponsetotheAP’squestions,Uberclarifiesthat“UBVandUTIpreviouslyenteredintothe controller-to-controllerstandardcontractualclausesoftheEuropeanCommission('SCCs')intheirjointcontrollership agreement.”Uberaddsthat“fromtheupdatedstandardcontractualclauses(‘SCC’)bytheEuropean Commission('EC'),itfollowsthatstandardcontractclausesdonotapplytoacontrollerwhoseprocessingissubjecttothe 77 GDPR.InlightofthisUberrevisitsthisjointcontrolleragreementtodeletetheSCCs.” UberhasthereforeremovedthestandardcontractualclausesforthetransferofpersonaldatatothirdcountriesfromitsDataSharingAgreementasof6August2021forthisreason. 109. TheEuropeanCommission(EC)hasstatedinitsFAQthattherelevantnewStandardContractualClauses(SCCs)cannotbeusedinasituationwheretheprocessing 78 bydatacontrollersfallsdirectlyundertheGDPR. Directly, the EC notes that the “European Commission is in the process of developing an additional set of SCCs for this scenario, which will take into account the requirements that are ready to apply directly to those controllers and processors under the GDPR.” The AP considers that Uber could in any case have inferred from these statements that SCCs or other transfer instruments do not need to be used if the processing falls (in Uber’s view) under Article 3 of the GDPR. The EC’s statement thus does not exempt Uber from compliance with the GDPR. Uber was currently required to use a transfer instrument in accordance with Chapter V of the GDPR. 79 110. Ubershouldhaveknownthatatransfermechanismwasnecessaryinviewofitslastprivacystatement.UberdeclareditwilladheretotheEU-USDPFandadditionallysaysthat:“IntheeventthattheEU-U.S.DPFortheSwiss-U.S.DPFareinvalidated,Uberwilltransferdatathatissubjecttothesecertificationsinrelianceontheotherdatatransfermechanismsdescribedabove”. 4.5.3 Conclusion 111. 
The AP concludes that UBV (as exporter) did not have a lawful transfer mechanism for the transfer of personal data of drivers from the EEA to the United States from 6 August 2021 to 27 November 2023. The AP has not received any request from Uber regarding other appropriate transfers. 77 File document 17, Uber's response to a request for information, dated 9 August 2021, p. 6. 78EC,THENEWSTANDARDCONTRACTUALCLAUSES–QUESTIONSANDANSWERS,question24,p.13,availableat: https://commission.europa.eu/system/files/2022-05/questions_answers_on_sccs_en.pdf 79TheAPnotesthat,dependingonthesituationinaparticularthirdcountry,Article46,paragraph2(c),GDPRmayrequirethecontrollertotakeadditionalmeasurestoensurethelevelofdataprotectionwithintheUnion,seeC-311/18, SchremsII,ECLI:EU:C:2020:559,r.o.133. 31/48 Date Our reference 22July2024 [confidential] instrumentsreceivedunderArticle46GDPR. The APtherefore finds that Uber was in violation of Article 44 of the GDPR during the aforementioned period. 4.6 Can Uber successfully rely on an exception to Article 49 of the GDPR? 4.6.1 Legal framework 112. Article 7 of the Charter states that “Everyone has the right to respect for his or her private and family life, home and communications.” Article 8, paragraph 1, of the Charter states that “Everyone has the right to the protection of personal data concerning him or her.” Processing personal data, as defined in Article 4, part 2 of the GDPR, of a data subject affects the fundamental rights to respect for privacy guaranteed in Article 7 of the Charter. Furthermore, such processing falls within the scope of Article 8 of the Charter. TheAPnotesthattherightsenshrinedinArticles7and8oftheCharterarenotabsoluterightsandmustbeconsideredinrelationtotheirfunctioninsociety.Inadditiontotheabove,Article8,paragraph2,ofthe Charterstatesthatpersonaldata“shallbeprocessedfairly,forspecificpurposesandwiththedatasubject’sconsentoronanotherlegitimatebasisprovidedforbylaw.” 113. 
As regardstheareasofapplicationoftherightsandprinciplesenshrinedintheCharter,Article52(1)oftheCharterstatesthat“anylimitationsontheexerciseoftherightsandfreedomsrecognisedinthisChartermustbeimposedbylawandrespecttheessentialcontentofthoserightsandfreedoms.Withdueobservanceoftheprincipleofproportionality,limitationsmaybeimposedonlyiftheyarenecessaryandgenuinelymeetobjectivesofgeneralinterestrecognisedbytheUnionortherequirementsfortheprotectionoftherightsandfreedomsofothers.” 114. ThederogationsforspecificsituationssetoutinArticle49GDPRstatethat“intheabsenceofanadequacydecisioninaccordancewithArticle45(3)orofappropriatesafeguardsinaccordancewithArticle46,includingbindingcorporaterules,atransferorasetoftransfersofpersonaldatatoathirdcountryoraninternationalorganisationmaytakeplaceonlyifoneofthefollowingconditionsismet: […] (b)thetransferisnecessaryfortheperformanceofacontractbetweenthedatasubjectandthecontrollerorfortheimplementationofpre-contractualmeasurestakenatthedatasubject’srequest; 80UbervoluntarilyincludedandimplementedtheSCCsintheIRDSA.ThesewereremovedbyUberonitsowninitiativeafterthenewSCCsofthe 81becameavailable. See, for example, C-92/09 and C-93/09, Markus Schecke and Eifert, EU:C:2010:662, paras. 49 and 52; C-594/12, Digital Rights Ireland, EU:C:2014:238, para. 29 and Conclusion 1/15, EU-Canada PNRAgreement, ECLI:EU:C:2017:592, marginals 122-123. 82See, for example, C-92/09 and C-93/09, Markus Schecke and Eifert, EU:C:2010:662, paras. 48; C-291/12,Schwartz,EU:C:2013:670,r.o.33;andConclusion 1/15,EU-CanadaPNRAgreement,ECLI:EU:C:2017:592,marginalnumber136. 83RestrictionsontheexerciseoftherightsenshrinedintheChartermustbeestablishedbylaw.Thismeansthatthelegalbasiswhichpermitstheinterferencemustdeterminethesamescopeoftherestrictionontheexerciseoftherightinquestion,seeConclusion 1/15,EU-CanadaPNRAgreement,ECLI:EU:C:2017:592,marginalnumber139. 
32/48 Date Our reference 22 July 2024 [confidential] c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; […] WhereatransfercouldnotbebasedonaprovisionofArticles45or46,includingtheprovisionsonbindingcorporaterules,andnoneofthederogationsforaspecificsituationasreferredtointhefirstparagraphofthisparagraphapply,thetransfertoathirdcountryorinternationalorganisationmayonlytakeplaceifthetransferisnotrepetitive,concernsalimitednumberofdata subjects,isnecessaryforthepurposeof compellinglegitimateinterestsofthecontrollerwhicharenotoverriddenbytheinterestsorrightsandfreedomsofthedatasubject,andthecontrollerhasassessedallthecircumstancesrelatingtothedatatransferand,onthebasisofthatassessment,hasprovidedappropriatesafeguardsfortheprotectionofpersonaldata.Thecontrollershallinformthesupervisoryauthorityofthetransfer. The controller shall inform the data subject, in addition to the information referred to in Articles 13 and 14, of the transfer and the compelling legitimate interests pursued by him or her.” […]” 115. Recital 111 of the GDPR states: “Transfers should be possible in certain cases where the data subject has explicitly given his consent, where the transfer is incidental and necessary in the context of a contract or of legal proceedings, whether in a judicial, administrative or out-of-court procedure, including proceedings before regulatory authorities.[…]” 116. The EPD Guidelines 2/2018 on Derogations under Article 49 of Regulation 2016/679, adopted on 25 May 2018, states: “The EDPB notes that recital 111 uses the term ‘incidental’ and that in the second subparagraph of Article 49, the term ‘not’ is used in the derogation based on ‘compelling legitimate interests’ repetitive'isused. 
Thesetermsindicatethatsuchtransfersmayoccurmorethanonce-butnotregularly-andshouldnotbepartofthegeneralapproach,butforexample,underrandom,unknowncircumstancesandatirregularintervals.Thus,adatatransferthatoccursregularlywithinastablerelationshipbetweenthedataexporterandaparticulardataimportercangenerallybeconsideredsystematicandrepetitiveandthereforenotconsideredincidentalandnon-repetitive.[...]” 4.6.2 Assessment 117. TheAPnotesthattheprocessing(includingthetransfers)thattakeplaceasdescribedinsituations1and2withregardtothepersonaldataconcerningUberdriversfallwithinthescopeofArticles7and8oftheCharter.Theseprovisionsguaranteethefundamentalrightsofthe drivers. However, the AP notes that since these are not absolute rights, derogations that limit these rights are only permitted if they are in accordance with Article 52 of the Charter. According to Article 52 of the Charter, these rights may only be derogated from if 33/48 Date Our reference 22 July 2024 [confidential] they are established by law, respect the essential content of those rights and freedoms, and observe the 85 86 principle of proportionality. 118. Article 49 GDPR stipulates that in the absence of an adequacy decision or appropriate safeguards, a transfer or a series of transfers of personal data to a third country may only take place if the conditions of Article 49 GDPR are met. The AP notes that the derogations in this article must be interpreted restrictively and may only be used if strictly necessary. The 87 derogations are intended for situations where there is no adequate protection in the country to which the data will be transferred, and where “the risks for the data subjects are relatively small” or because “other interests” outweigh the right to privacy of the (other) data subject. For example, public interests or the interests of the data subject, which may outweigh the right to privacy of the (other) data subject. 
This 88 principle is underlined in several provisions of Article 49 of the GDPR, which impose restrictions on its use and the principle of derogations from fundamental rights under EU law. Therestrictiveuseofthisarticleisalsosupportedbythewordingof 84RestrictionsontheexerciseofarightenshrinedintheChartermustbeimposedbylaw.WhereprimaryandsecondaryEUlegislationisconcerned,thismustbeinterpretedwithfrequency.Furthermore,thelawmustbeinforceandlawful.TherequirementoflegalityfollowsfromArticle277 TFEU.Furthermore,thelawmustbeeasilyaccessibleandsufficientlypreciselyformulated,seeECtHR, SundayTimesvUK(No.1),CE:ECtHR:1979: 0426JUD000653874,para.49.Inassessingaccessibilityandsufficientprecision,theelementofforeseeabilityisimportant,see regarding thisECtHR,OpenDoorandDublinWellWomanvIreland,CE:ECtHR:1992:1029JUD001423488,r.o.56-60. 85TheessenceofarightasdescribedinArticle51(1)oftheCharterisdefinedasitsabsoluteinalienablecore,seeforexamplejoinedcasesC-584/10P,C-593/10P&C-595/10P,Kadi,EU:C:2013:518,para.134.Accordingtotheopinion ofA-GSaugmandscardØe,therequirementformulatedinArticle52(1)oftheChartermeansthatanyrestrictionontheexerciseoftherightsandfreedomsrecognisedinthatinstrumentmustrespecttheessenceofthoserightsandfreedoms,thatameasurethatimpairsthatessentialcontentcannotbejustified.ThatmeasureisthenconsideredtobeinconsistentwiththeCharterandmustbeconsideredanactofthe Union, be declared null and void, without the need to examine the condition of compliance with the principle of proportionality, see for this the Opinion of A-GinC-401/19, Republic of Poland v European Parliament, ECLI:EU:C:2021:613, marginal 98-99. Furthermore, "[...] The "essential content" of a fundamental right constitutes an "inviolable core", which must remain free from interference. Consequently, certain exceptionally serious infringements of fundamental rights are not justified by any objective, however legitimate. In other words, the end does not justify all means." 
See also Opinion A-GinC311/18, SchremsII, ECLI:EU:C:2020:559, marginal 272. Thisviewisreiteratedagaininthe OpinionofAdvocateGeneralGuivanniPitruzzellainC-817/19,HumanRightsLeaguevCouncilofMinisters,EU:C:2022:65.Morespecifically,itisstated:"Moreover,itisevidentbothfromthewordingofArticle52(1)oftheCharterandfromthecaselawoftheCourt,andinparticularfromthejudgmentinSchremsI,thattheassessmentofwhethertheessentialcontentofthefundamentalrightinquestionhasbeenaffectedmustbemadepriortoandseparatelyfromtheassessmentoftheproportionalityofthecontestedmeasure.Inotherwords,itisanindependenttest." Ministersdeliveredon27January2022(theOpinionhasbeentranslatedfromFrenchbecausenoEnglishversionisavailable). 86SeeArticle52, paragraph 1 of the Charter and the case law of the CJEU, see, for example, C5/88, Wachauf, EU:C:1989:321, paragraph 18. Theprincipleofproportionality isageneralprincipleinEuropeanlawtowhichafour-parttestisapplied:1) doesthemeasurepursuealegitimateaim,2) isthemeasuresuitabletoachievethataim,3) isittheleastrestrictivemeasureavailablewithwhichtheaimcanbeachievedaswellaswiththemeasurechosen,and4) havetheconflictinginterestsbeencorrectlyweighedagainstoneanother. 87TheCJEUunderlinedthattheprotectionofthefundamentalrighttorespectforprivatelifeatEUlevelrequiresthatderogationsandrestrictionstotheprotectionofpersonaldataapplyonlytotheextentthatisstrictlynecessary,seejudgmentC73/07,Satakunnan MarkkinapörssianandSatamedia,ECLI:EU:C:2008:727,para.56;C92/09andC93/09,VolkerundMarkusScheckeandEifert,ECLI:EU:C:2010:662,para.77; C-293/12and C-594/12;DigitalRightsIreland, EU:C:2014:238,paragraph 52,C362/14,Schrems,ECLI:EU:C:2015:650,paragraph 92,C203/15,Tele2SverigeAB,ECLI:EU:C:2016:970,paragraph96. 88See, for example, C-362/14, Schrems, ECLI:EU:C:2015:650, paragraph 92, and C-293/12, and C-594/12, DigitalRightsIreland, ECLI:EU:C:2014:238, paragraph 52. 89 90Article 49, paragraph 2-4GDPR. 
C-362/14, Schrems, ECLI:EU:C:2015:650, r.o.92 and C-293/12 and C-594/12, DigitalRightsIreland, ECLI:EU:C:2014:238, r.o.52. 34/48 Date Our reference 22 July 2024 [confidential] article49GDPRgiventitlewhichstatesthatthederogationsmayonlybeusedforspecificsituations. 91 119. Furthermore, the AP notes that the use of Article 49 of the GDPR does not provide additional protection or guarantees for transfers of personal data that could lead to an increased risk with regard to the rights and freedoms of the data subjects concerned. Furthermore, the AP notes that when the transfer takes place on the basis of a derogation, the relevant provisions of the GDPR still apply. 92 Finally, Article 49 of the GDPR must be read in the light of the Charter. 93 120. Uber has indicated that if the AP concludes that processing is taking place that it should be regarded as transfers within the meaning of Chapter V of the GDPR, Uber could base the described situation 1 on Article 49, paragraph 1, sub b) of the GDPR. Theprevioussituation2 describedprocessingscouldbebasedonArticle49,paragraph1,subc)GDPRaccordingtoUber. 95 Below,theAPassesUber’srelianceonthesetwoexemptionsintheirrespectiveorder. Thetransfersarenotincidental 121. Basedonrecital111oftheGDPR,thisderogationmayonlybeusedifthetransferisincidental.AsindicatedintheEDPBguidelines,thisexcludestransfersthat“takeplaceregularlywithinastablerelationship”anditcannotapply“tomanytransferswithinthebusinessrelationship”. AnyotherinterpretationwouldnotbeinconsistentwithEUlaw,whichrequiresthataderogationfromafundamentalrightshouldnotbeinterpretedinsuchawayastocontradictitsexceptionalnature.97 122. TheAPnotesthatthederogationregardingcontractualnecessityinArticle49(1)(b)GDPRcannotbereliedontojustifytransferactivitiesasdescribedforsituation1. This is because the transfers of data of more than [confidential] Uber drivers between UBV and UTI are considered systematic, repetitive and continuous. 
In this respect, the AP notes in accordance with the EDPB Guidelines that, in the light of recital 111, only Article 49, paragraph 1, sub b, cen 9EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679, adopted on 25 May 2018, p. 4. 92 Article 44 of the GDPR states that transfers of personal data under Chapter V may only take place “without prejudice to the other provisions of this Regulation”. 9C-617/10, Akerberg Fransson, ECLI:EU:C:2013:280, r.o. 21. 9See‘Uberopiniononinvestigationreportsintentiontoenforcement’of9June2023,r.236,pp.58-59andpp.71-73(paragraph7.3.4.). 9See‘Uberopiniononinvestigationreportsintentiontoenforcement’of9June2023,r.236,pp.58-59andpp.67-71(paragraph7.3.3). 9EDPBGuidelines2/2018onderogationsbasedonArticle49ofRegulation2016/679,p.11:Datatransfersthatoccurregularlyinastablerelationshipareconsideredsystematicandrepetitiveandarethereforenolonger‘incidental’incharacter.Consequently,manydatatransferswithinabusinessrelationshipcannotinthiscasebebasedonArticle49,paragraph1,subb). 9C623/17,PrivacyInternationalvSecretaryofStateforForeignandCommonwealthAffairsandOthers,ECLI:EU:C:2020:790,r.o.69.Furthermore,where aprovision“providesanexceptiontothegeneralrule,itmustbeinterpretedstrictlyaccordingtosettledcaselaw.Thatprovisionmaythereforenotallowtheexceptiontotheprincipleofobligation...tobecometherule,sinceinthatcasethelatterprovisionwould largelyloseitscontent.”,seeC-140/20,DwyervCommissionforAnGardaSíochána,ECLI:EU:C:2022:258,r.o.40.See,forexample,C-203/15and C-698/15,Tele2SverigeAB,EU:C:2016:970,r.o.89,C-511/18,C-512/18andC-520/18,LaQuadratureduNetandOthers,EU:C:2020:791,r.o.111. 35/48 Date Our reference 22July2024 [confidential] The GDPR can be invoked to justify incidental transfers. 
This view is supported by the common view within Union law, where it is established practice to interpret derogations restrictively, and that any restrictions or derogations from Articles 7 and 8 of the Charter 99 are only permissible to the extent that they are considered strictly necessary. TheCJEUhastakenthispositiononceinanumberoftimes,statingthatasituationinwhichtheexceptionbecomestherulemustbeavoided. 123. UberhasindicatedthattheAP'sinterpretationisincorrectandincompatiblewithArticle49GDPR.Uber substantiatesitsargumentsbyclearlyinvokingthenon-bindingcharacteristicsoftheGDPR'sconsiderations.Uberstatesthatthecriterion'incidental'isnotincludedinArticle49GDPR.AccordingtoUber,thewordingofArticle49(1)GDPR,whichprovidesthatthederogationsmaybeusedinspecificsituationsfora'transfer'or'seriesoftransfers',doesnotimplythattheprovisioncanbeinterpretedinsuchawaythat'incidental'ispartofthecriteriathatmustbemet. 124. The AP agrees with U that the recital has no binding legal force and that it cannot be relied upon as a basis for deviating from actual provisions of the law or in the event that provisions are interpreted in a manner that clearly conflicts with the wording of the provision. However, the AP notes that the recitals to the GDPR “may explain the content of the provisions of that law” and that it “contains important elements for interpretation, with which the intentions of the person who drafted the law can be clarified.” More importantly, the CJEU supports this interpretation in its case law, where it provided an explanation in the light of the recitals bordering on the scope of the derogation. 
More specifically, the CJEU considers that, in interpreting a provision of EU law, it is necessary to consider not only its wording but also "the context in which it occurs and the objectives pursued by the rules of which it forms part" [102], and that "the scope of the derogation … must be determined in the light of the interpretation thus given by the EU legislature." [103] The CJEU has also held that an interpretation of a derogation that disregards the intention of the EU legislature as reflected in the recitals would undermine the purpose of the legislation. [104] The AP therefore finds that recital 111 to the GDPR provides the necessary clarification for the interpretation of Article 49, paragraph 1, sub b GDPR in accordance with the objectives pursued by the EU legislator, and furthermore finds that the recital does not contradict the wording of that article. Any other interpretation of this article would disregard the intention of the legislator and contradict the approach adopted by the CJEU. [105] The AP therefore arrives at the conclusion that Article 49, paragraph 1, sub b GDPR can only be relied on to justify 'incidental' transfers.

[98] EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679.
[99] C-623/17, Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others, ECLI:EU:C:2020:790, r.o. 81; C-203/15 and C-698/15, Tele2 Sverige AB, EU:C:2016:970; C-511/18, C-512/18 and C-520/18, La Quadrature du Net and Others, EU:C:2020:791, r.o. 130; C-311/18, Data Protection Commissioner v Facebook Ireland Ltd, ECLI:EU:C:2020:559, r.o. 176; Joined cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communications, ECLI:EU:C:2014:238, r.o. 52; C-362/14, Schrems, ECLI:EU:C:2015:650, par. 96.
[100] See e.g. C-140/20, Dwyer v Commissioner of An Garda Síochána, ECLI:EU:C:2022:258, paragraph 40; C-817/19, Ligue des droits humains, ECLI:EU:C:2022:491, paragraph 114; C-401/19, Republic of Poland v European Parliament and Council of the European Union, EU:C:2022:297, r.o. 64 and 74.
[101] C-418/18 P, Puppinck and Others v Commission of the European Communities, ECLI:EU:C:2019:1113, r.o. 75.
[102] C-528/16, Confédération paysanne and Others, EU:C:2018:583, r.o. 42.
[103] Ibid, r.o. 44-46.
[104] Ibid, r.o. 51-53.
[105] Ibid; see also, for example, C-424/10 and C-425/10, Ziolkowski v Land Berlin, ECLI:EU:C:2011:866, r.o. 42-43.

36/48 Date Our reference 22 July 2024 [confidential]

125. With regard to the processing described above under situation 1, UBV cannot rely on the derogation in Article 49, paragraph 1, sub b GDPR in the present case to justify the transfers to the United States. The AP qualifies this transfer as systematic, repetitive and continuous within a stable, permanent business relationship between UBV and UTI.

126. As regards the processing in situation 2, Uber states that it can be based on Article 49, paragraph 1, sub c GDPR. Under this derogation, a transfer or a series of transfers may take place when "the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person." The condition that the transfer must be necessary and occasional also applies to this provision. In the present case, UBV cannot use the derogation as a basis for the transfer, because this transfer is also systematic and repetitive in nature within a stable, permanent business relationship between UBV and UTI. Furthermore, Uber has a legal obligation to facilitate the rights of data subjects, not on the basis of a contract but on the basis of the GDPR.

The transfers are not necessary

127. In addition to the fact that there is no incidental transfer, Uber cannot successfully rely on Article 49(1)(c) of the GDPR, because the transfer is not necessary for the performance of a contract between Uber and the data subject or between Uber and a third party (a contract in the interest of the data subject).

128. In this context, the AP points out that the necessity requirement, as an autonomous concept of Union law, requires that the processing be objectively indispensable for the conclusion or performance of the contract. [106] It is irrelevant whether the processing is useful for the contract or is mentioned in it; [107] rather, the controller must demonstrate that the main purpose of the contract could not be achieved without the processing. [108] The necessity link must, as Uber rightly indicates, be close and substantial in relation to the purpose of the agreement.

129. An example of necessity is when data are transferred from a travel agency to a hotel in a third country in order to perform an agreement between the customer and the travel agency. In this case, the connection between the transfer and the purpose is close and substantial, and there is no realistic alternative available (hotels are often located in other countries). An example of a lack of necessity is when a group of companies has, for business purposes, centralised its payment functions and personnel policy for its staff in a third country, [109] since there is no objective link between the performance of the contracts and the transfer.

[106] Judgment of the CJEU of 4 July 2023, Meta (ECLI:EU:C:2023:537), para. 98.
[107] Judgment of the CJEU of 4 July 2023, Meta (ECLI:EU:C:2023:537), para. 99, and Opinion of the Advocate General, para. 54.
[108] Judgment of the CJEU of 4 July 2023, Meta (ECLI:EU:C:2023:537), para. 98.

130. Uber has explained the necessity in the present case by first pointing out that the transfer takes place within the framework of the agreements (Data Sharing Agreement) between UBV in the EU and UTI in the US. In the opinion of the AP, this does not make the transfer necessary, precisely because the Court has ruled that the mere existence of the agreement itself (the 'mention') cannot constitute necessity. According to the Court, for necessity to be assumed there must be 'no workable, less intrusive alternatives', and the controller must be able to demonstrate this. [110]

131. Secondly, Uber considers that centralised data processing in the US is crucial for being able to provide Uber services and for ensuring the right of EU drivers to the protection of their personal data: 'only by processing personal data in a centralised manner can Uber apply its extensive technical and organisational measures worldwide and provide drivers with the highest level of protection'. Uber has not been able to make sufficiently clear to the AP why the transfer of personal data to the US is crucial for providing a high level of protection or for providing the services. As mentioned in paragraph 128, firstly, there is a lack of necessity if a group of companies centralises personal data in a third country for business purposes. In this case, the personal data could also have been processed on a server in the EU, given that the third country does not provide an adequate level of protection. Secondly, in almost every conceivable case, a transfer to a country without an adequate level of protection actually undermines the level of protection provided by the GDPR.

132. Perhaps unnecessarily, the AP notes that although Uber indicated in its written opinion that the transfer is crucial both for offering the services and for providing a higher level of data protection, Uber's explanation during the hearing on its opinion suggests that other motives played a role. Uber stated that centralised processing in the US was chosen because the service can be provided more quickly and more efficiently in that way. [111] This suggests that the centralised processing in the US is in fact motivated by reasons that have much more to do with efficiency. [112]

133. In summary, the AP is of the opinion that Uber has not demonstrated why the transfer is objectively necessary for the performance of the agreements and that no workable, less intrusive alternatives are available. An appeal to Article 49, paragraph 1, sub c of the GDPR is therefore also unsuccessful for this reason.

[109] EDPB Guidelines 2/2018 on derogations under Article 49 of Regulation 2016/679, p. 10.
[110] Judgment of the CJEU of 4 July 2023, Meta (ECLI:EU:C:2023:537), paragraph 99.
[111] See the minutes of the hearing on the opinion held on 5 July 2023, p. 6.
[112] Cf. Judgment of the CJEU of 4 July 2023, Meta (ECLI:EU:C:2023:537), para. 99: the Court explicitly states that being 'useful' does not constitute necessity.

4.6.3 Conclusion

134. The AP concludes that Uber cannot successfully rely on the derogations (exceptions) for specific situations in relation to international transfers as referred to in Article 49, paragraph 1, sub c GDPR.

4.7 Final conclusion

135. The AP is of the opinion that there is processing in which personal data of Uber drivers from the EEA are processed by Uber. In addition, there is a transfer of personal data as referred to in the GDPR. In the absence of an adequacy decision within the meaning of Article 45 of the GDPR, the transfer of personal data to the United States between 16 July 2020 and 10 July 2023 could only take place if appropriate safeguards were provided and data subjects had enforceable rights and effective legal remedies. The AP has determined that UBV did not provide the appropriate safeguards described in Article 46, paragraph 2 of the GDPR at least between 6 August 2021 and 27 November 2023. Furthermore, UBV (given the non-necessary and structural nature of the processing) cannot successfully rely on the exceptions described in Article 49, paragraph 1, sub c GDPR. The AP therefore determines that Uber was in violation of Article 44 GDPR during the aforementioned period.

5. The fine

5.1 Authority to impose a fine and Uber's point of view

136. Uber has put forward various grounds as to why the imposition by the AP of an administrative fine or corrective measure is not justified. Uber firstly argues that the investigation report was drafted incorrectly and carelessly. Secondly, Uber invokes the lex certa principle and the fact that concrete legalisation (through the EU-US DPF) was in sight against enforcement by the AP.
Thirdly, according to Uber, referring to case C-807/21 of the CJEU, an administrative fine can only be imposed if there is intent or negligence, and a corrective measure is not appropriate. Lastly, Uber argues that a measure has consequences and that Uber should therefore be given the opportunity to submit a separate opinion on the possible sanction decision when more clarity is available.

137. The AP does not follow Uber's arguments. The AP is of the opinion that, based on the facts and the assessments based on them, it is beyond reasonable doubt that a transfer of personal data takes place and that the violation was committed by Uber. Where necessary, the AP has supplemented the facts and assessments in response to Uber's opinion. With regard to Uber's appeal to the lex certa principle, which is laid down in Article 49 of the Charter, the AP considers the following. As the Administrative Jurisdiction Division of the Council of State has considered several times, [113] the lex certa principle requires the legislator to define prohibited conduct as clearly as possible with a view to legal certainty. It should not be forgotten that the legislator sometimes describes prohibited conduct with a certain vagueness, consisting of the use of general terms, in order to prevent punishable conduct from falling outside the scope of that description. This vagueness may be unavoidable, because it is not always possible to foresee how the interests to be protected will be violated in the future, and because, if an attempt were made to foresee this, the descriptions of prohibited conduct would become so refined that clarity is lost and the general clarity of legislation would thereby suffer.

[113] See, among other things, the judgments of 9 July 2014, ECLI:NL:RVS:2014:2493, and 16 January 2019, ECLI:NL:RVS:2019:109.
In other words, the lex certa principle requires the legislator, with a view to legal certainty, to define prohibited conduct as clearly as possible. [114]

138. The AP concludes that this is the case here. According to the AP, the provisions against which it has tested are sufficiently clear. On the basis of Chapter V GDPR, the recitals to the GDPR, the case law of the CJEU on transfers and also earlier decisions of other European privacy supervisors, it was foreseeable for Uber that a transfer instrument is necessary for the transfer of personal data to the United States (as a third country). The fact that Uber had itself certified under the new adequacy decision on 27 November 2023 does not affect the AP's authority to enforce for the period of two years and three months during which Uber had no transfer instrument. Based on the facts and assessments, it is therefore beyond reasonable doubt that the violation was committed by Uber.

139. The AP has the authority to impose an administrative fine on the basis of Article 58, second paragraph, introduction and sub i, in conjunction with Article 83 of the GDPR, read in conjunction with Article 14, third paragraph, of the GDPR Implementation Act (UAVG). In this context, the CJEU has specified that the imposition of such a fine requires that the infringement was culpably committed by the infringer. This includes intentional or negligent conduct. A controller has committed an infringement intentionally or negligently if it could not have been unaware of the fact that its conduct constituted an infringement, regardless of whether it was aware that it was infringing the provisions of the GDPR, as follows from the case law of the CJEU. [115]

140. The AP has established that Uber has committed a violation of Article 44 GDPR. Uber could have known from the GDPR and the case law of the CJEU that a transfer instrument is necessary for the transfer of personal data to the United States. Because of this violation and its seriousness, the AP sees reason to use its authority to impose an administrative fine.

141. With regard to Uber's position that it was wrongly denied the opportunity to submit its views on the amount of the fine, the seriousness and extent of the violations found and the ultimate substantiation, the AP finally considers the following. Neither Article 4:8 nor Article 5:50 of the General Administrative Law Act (read in conjunction with Articles 5:48 and 5:53 of the General Administrative Law Act) obliges the AP to request an opinion on these aspects when it intends to impose an administrative fine. [116] An intention to impose a fine and the investigation report on which it is based are a sufficient basis on which an opinion can be requested. The AP reminds Uber of the ongoing objection phase, in which Uber can still object (and must be heard) with regard to the amount of the fine and its substantiation. Furthermore, the AP has included the submitted opinion in its assessment. The information provided in the opinion may contribute to the AP's decision to impose an administrative fine, after which the AP determines the amount of the fine on the basis of all relevant facts and circumstances known to it at that time. For this reason, the AP did not comment on the aspects mentioned by Uber in its intention to enforce.

[114] Judgment of 26 October 2022, ECLI:NL:RVS:2022:3077. See also ECHR, 11 November 1996, no. 17862/91, ECLI:CE:ECHR:1996:1115JUD001786291.
[115] CJEU, case C-807/21, 5 December 2023, ECLI:EU:C:2023:950, paragraphs 75 and 76.

5.2 Systematic determination of the amount of the fine

142. In its plenary meeting of 24 May 2023, the EDPB adopted the final text of Guidelines 04/2022 on the calculation of administrative fines under the GDPR (hereinafter: the Guidelines). The AP will apply these Guidelines to this case. The (national) fine policy rules of the AP on determining the amount of administrative fines have been withdrawn insofar as relevant here. [118]

143. The Guidelines describe a methodology in which the following is considered in succession:
1. mapping the processing activities in the case in question and evaluating the application of Article 83, paragraph 3, GDPR;
2. determining the starting amount for the further calculation;
3. whether there are any mitigating or aggravating circumstances that give reason to adjust the amount from step 2;
4. which maximum amounts apply to the infringements and whether any increases from the previous step exceed this amount;
5. whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, and adjusting it if necessary.

144. These steps are followed in succession below.

5.3 Calculation of the fine amount

5.3.1 Step 1: Determining acts and infringements

145. In order to determine the starting amount of the fine, as described in the Guidelines, it must first be determined whether one or more acts are punishable.

[116] CBb, 7 May 2019, ECLI:NL:CBB:2019:177.
[118] See https://www.autoriteitpersoonsgegevens.nl/documenten/boetebeleidsregels-autoriteit-persoonsgegevens-2023

146. The AP has found that one of the transfer instruments set out in Chapter V GDPR was lacking. Uber has thereby committed a breach of the obligation under Article 44 GDPR to use a transfer instrument for international transfers. The calculation of the starting amount in this case relates to two processing activities that fall within the context of one sanctionable act.

5.3.2 Step 2: Determining the starting amount

147. As described in the Guidelines, the starting amount of the fine should then be determined. This starting amount forms the starting point for the further calculation in later steps, whereby all relevant facts and circumstances are taken into account.
The Guidelines state that the starting amount is determined on the basis of three elements: i) the classification of the infringement according to Article 83, paragraphs 4 to 6 of the GDPR; ii) the seriousness of the infringement; and iii) the turnover of the company. All three elements are discussed below.

Ad i) Classification of the infringement according to Article 83, paragraphs 4 to 6, of the GDPR

148. As mentioned in the Guidelines, almost all the obligations of the controller are categorised in the provisions of Article 83, paragraphs 4 to 6, of the GDPR. The GDPR distinguishes between two types of infringements: on the one hand, infringements that are sanctionable under Article 83, paragraph 4 of the GDPR, for which a maximum fine of €10 million applies (or, in the case of an undertaking, 2% of the annual turnover, if that is higher); on the other hand, infringements that are sanctionable under Article 83, paragraphs 5 and 6 of the GDPR, for which a maximum fine of €20 million applies (or, in the case of an undertaking, 4% of the annual turnover, if that is higher). With this distinction, the legislator has provided a first indication of the seriousness of the infringement: the more serious the infringement, the higher the fine.

149. For the present infringement of Article 44 GDPR, an administrative fine may be imposed of a maximum of €20,000,000.00 (or, in the case of a company, 4% of the worldwide annual turnover, whichever is higher). From this categorisation it follows that infringements of this provision are considered serious by the legislator (in abstracto).

Ad ii) Seriousness of the infringement

150. When determining the seriousness of the infringement, account must be taken of 1) the nature, 2) the gravity and 3) the duration of the infringement, as well as the intentional or negligent nature of the infringement and the categories of personal data involved.

151. The nature of the infringement should be considered in terms of the interest that the infringed provision was intended to protect.
The AP finds that the interest protected by Article 44 of the GDPR, namely the continuity of the high level of protection of the GDPR when personal data are transferred to third countries, has not been guaranteed by Uber. Due to the absence of an adequacy decision or appropriate safeguards during the period of the infringement, Uber has unlawfully transferred personal data to a third country that has an inadequate level of protection. Specifically, this concerns transfers to the United States, where intelligence services have access to the personal data of EU citizens under local legislation. This infringement poses a direct threat to the right to privacy and the right to the protection of personal data as laid down in Articles 7 and 8 of the Charter respectively.

152. In assessing the gravity of the violation, the AP considers the following. With regard to the nature of the processing, it is first of all important to determine the relationship between the controller and the data subjects. The AP notes that in this case there is a hierarchical working relationship between Uber and the drivers. [119] The AP notes, as described in paragraph 4.3.2, that Uber's actual working method also presupposes a great deal of dependence on the part of its drivers. Uber itself also confirms this in its written opinion by stating that the drivers 'are dependent on the income they receive via the Uber Rides driver app for their daily livelihood'. [120] Secondly, the nature of the processing entails higher risks, because Uber evaluates and makes decisions about personal aspects of drivers.

153. With regard to the scope of the processing, the AP notes that there is cross-border processing within the meaning of Article 4, point 23, GDPR. Uber processes personal data of drivers from different EU countries. This makes Uber's processing extensive.

154. With regard to the purpose of the processing, the AP notes that the more central the place of the processing within the core activities of the controller, the more serious irregularities in that processing will be. [121] In this assessment, processing in the context of generating trips must be distinguished from handling access requests. With regard to processing personal data in the context of generating trips, the AP notes that this is an essential part of Uber's core activity, namely mediating as a platform between drivers who offer trips and customers who request trips. Without generating trips, it is not possible to suggest trips to drivers, and for them to accept and offer them to customers. With regard to the processing of personal data for the purpose of handling access requests, the AP notes that this is not part of Uber's core activity, because Uber is merely complying with a legal obligation following from the GDPR. It does not independently relate to Uber's business model as a commercial enterprise.

155. Regarding the number of affected data subjects, the AP found that from 6 August 2021 to mid-February 2023, an average of [confidential] drivers were active for Uber in France and an average of [confidential] drivers in the entire EU. On 17 February 2023, there were [confidential] active drivers in the EU according to Uber. As for transfers in the context of access requests, Uber handled [confidential] access requests between August 2021 and February 2023 with the automatic download tool for drivers from the EU. Uber has also executed [confidential] removal requests for (former) drivers from the EU. Finally, Uber indicates that, in addition to the download tool, Uber processed [confidential] requests from French (former) drivers for an extensive access request between 6 August 2021 and 1 February 2023. Uber also states in its written opinion that, in the context of handling access requests by telephone and letter, fewer than ten requests are handled per year. Some requests are too complex and must be prepared manually by an employee of Uber B.V.; this concerned approximately 100 requests in the first four months of 2023.

156. The AP further established in paragraph 2.5 that the infringement took place from 6 August 2021 to 27 November 2023. That is two years and more than three months. This is a considerable period. In the opinion of the AP, Uber committed the conduct culpably. The infringement ceased as of 27 November 2023, because Uber certified itself under the EU-US DPF on that date.

157. Finally, it must be determined whether Uber has processed personal data that deserve special protection and therefore lead to a higher gravity of the breach. The amount of data collected about each data subject must also be taken into account. As the AP established in paragraph 2.3, Uber processes a large amount of data about Uber drivers. In addition to account data, location data, photos, proof of payment and ratings, Uber also processes (depending on the legal rules in a country) other data, such as identity documents, criminal and health data. Much of this data is sensitive by nature. In addition, criminal and health data are special categories of personal data that enjoy extra protection under Article 9 and Article 10 of the GDPR.

[119] See also French Court of Cassation, 4 March 2020 (judgment no. 374); District Court of Amsterdam, 13 September 2021 (ECLI:NL:RBAMS:2021:5029), r.o. 27 to 32.
[120] 'Uber's opinion on investigation reports for intention to enforce' of 9 June 2023, p. 83.
[121] Guidelines 04/2022 on the calculation of administrative fines under the GDPR, marginal number 54.
In particular, the AP holds against Uber the transfer of criminal data to the United States, a country which at the time had been found not to offer an adequate level of protection and where it was known that government agencies could gain access to all personal data stored there. For the above reason, the AP considers that this aspect increases the overall seriousness of the infringement.

Ad iii) Turnover of the company

158. The Guidelines prescribe that, for reasons of fairness, the starting amount of the fine must be related to the size of the company. The size of the company is determined on the basis of its turnover. For a small company with a turnover of at most €2 million, the starting amount is generally limited to 0.2% to 0.4% of the actual starting amount, and the starting amount increases as the company's turnover increases. If a company has a turnover of more than €500 million, the fine is determined as a percentage of the company's annual turnover. [122] As a result, the size and turnover of the company have already been factored into the amount of the fine, so that the starting amount does not need to be adjusted on that ground.

[122] From an annual turnover of €500 million, 4% of the annual turnover is higher than €20 million, so that this percentage must be taken as the maximum fine (Article 83, fifth paragraph, introductory phrase, of the GDPR).

159. As stated in recital 150 of the GDPR, when imposing a fine on an undertaking, the "undertaking" must be understood as an undertaking in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union. It follows from established case law of the Court of Justice that an undertaking is any entity that carries out an economic activity, regardless of its legal form and the way in which it is financed. It is therefore the economic unit formed by the undertakings, and not the legal entities within it, that is at issue.
Several companies or entities within the same economic unit may therefore together constitute an undertaking within the meaning of the aforementioned provisions.

160. Uber B.V. is indirectly a wholly owned subsidiary of Uber Technologies Inc. They must therefore be considered to be the same undertaking for the application of Article 83 of the GDPR.

161. As mentioned in the Guidelines, turnover can be determined on the basis of the company's annual accounts for the previous financial year. Pursuant to Article 83, paragraphs 4 to 6, of the GDPR, the worldwide turnover in the previous financial year is taken into account. [123]

162. Uber Technologies Inc. has published its 2023 annual accounts on its website. A consolidated statement of the company is included on page 75. From this it can be deduced that the company's worldwide turnover in 2023 amounted to $37.281 billion. This is equivalent to €34.235 billion. [124]

Determining the starting amount

163. According to Article 83, paragraph 5, of the GDPR, the maximum fine is 4% of the annual turnover. The annual turnover amounts to €34.235 billion, so that the maximum fine for the violation is €1.369 billion.

164. The assessment of the above circumstances and factors determines the overall seriousness of the infringement committed by Uber. This involves a thorough assessment of the specific circumstances of the case, in which all the circumstances must be considered in their coherence.

165. In view of the considerations under (i) and (ii), the AP takes the position that the level of gravity of the infringement should be qualified as "high". According to the Guidelines, for infringements with a high level of seriousness, the starting amount should be set at a point between 20% and 100% of the applicable maximum fine, in this case €1.369 billion. This corresponds to an amount between €273.881 million and €1.369 billion. In addition, the general rule is that the more serious the infringement within its own category, the higher the starting amount will be.
[123] Consult https://investor.uber.com/financials/default.aspx
[124] Turnover in 2023 was $37,281,000,000, which converts to a turnover of €34,235,142,300 at an exchange rate of 1 dollar to 0.9183 euro as of 19 July 2024.

166. The AP considers that, given the circumstances described, the infringement is serious. However, the AP does not consider all the circumstances to be so serious or negative that the starting amount should be set at the upper limit of the maximum fine. The AP has taken into account, among other things, the number of people affected and the circumstance that the infringement has ended.

167. Based on the categorisation of the infringement, the seriousness of the infringement and the turnover of the company, the AP sets the starting amount for the infringement of Article 44 GDPR in this case at €290 million.

5.3.3 Step 3: Assessing other relevant circumstances

168. As mentioned in the Guidelines, it must be considered whether the circumstances of the case give reason to set the fine higher or lower than the starting amount determined above. The circumstances to be taken into account are listed in Article 83, second paragraph, introduction and sub a to k, of the GDPR. Each of the circumstances mentioned in that provision may only be considered once. The previous step already took into account the nature, seriousness and duration of the violation (sub a), the intentional or negligent nature of the infringement (sub b) and the categories of personal data (sub g). This leaves sub c to f and sub h to k.

169. The only applicable circumstance is the manner in which the AP became aware of the breach, in particular whether, and if so to what extent, the controller reported the breach (sub h). In this case, Uber did not report the breach itself; it came to the AP's attention through complaints. However, according to the Guidelines, this is assessed as "neutral" and therefore has no consequences for the amount of the fine to be imposed.

5.3.4 Step 4: Checking that the applicable maximum amounts for the infringements are not exceeded

170. As mentioned, a maximum fine of 4% of the company's worldwide annual turnover applies to the infringement found, in view of Uber's turnover. The annual turnover amounts to €34.235 billion, so that the maximum fine for the infringement amounts to €1.369 billion.

171. Based on the above considerations, the AP sets the fine amount for the infringement found at €290 million. This is below the statutory maximum, so that it is not exceeded.

5.3.5 Step 5: Assessment of the requirements of effectiveness, proportionality and deterrence

172. Finally, it must be assessed whether the fine is effective, proportionate and deterrent. In addition, the administrative fine may not, given the circumstances of the case, lead to a disproportionate outcome.

173. The Guidelines stipulate that the imposition of an administrative fine can be considered effective if it achieves the purpose for which it was imposed. The purpose may be to punish unlawful conduct as well as to promote compliance with applicable regulations. In view of the above considerations regarding the nature, seriousness and duration of the infringement, as well as the aggravating and mitigating circumstances of Article 83, paragraph 2, of the GDPR, the AP is of the opinion that the administrative fine in question achieves both purposes and is therefore effective and deterrent.

174. The AP is further of the opinion that the imposition of the fine and its amount are not disproportionate, given the seriousness of the violation and the size of the company. In its opinion, Uber indicated that the imposition of an administrative fine would lead to disproportionate consequences for Uber, because a possible notification of the fine to the New York Stock Exchange could have significant consequences for the price of Uber's shares. However, the AP sees no reason to consider the fine to be disproportionate.
Although it cannot be excluded that the fine could have some influence on the price of Uber's shares, it has not been made plausible that this influence would be such that the fine should be considered disproportionate. It is also important that the amount of the fine is sufficiently deterrent and does justice to the seriousness of the violation. In the opinion of the AP, no other special circumstances have arisen in this context that would prevent the fine from being proportionate.

175. The AP also makes the following observations with regard to the AP 2019 Fine Policy Rules. If the AP had had to impose a fine on the basis of this policy, the AP, given Uber's global turnover and therefore its large size as an offender, would have had reason to apply Article 8.4 of the AP 2019 Fine Policy Rules. In that case, determining the fine amount within the fine range of the AP 2019 Fine Policy Rules would not have led to an appropriate punishment that is effective, proportionate and dissuasive. The conclusion is that the AP would have imposed a fine of the same amount under the 2019 Fine Policy Rules.

6. Decision

Fine

The AP imposes an administrative fine of €290,000,000 (in words: two hundred and ninety million euros) on Uber B.V. and Uber Technologies Inc. jointly for violating Article 44 GDPR. [125]

Yours sincerely,
Autoriteit Persoonsgegevens,
w.g.
mr. A. Wolfsen
Chairman

Legal remedies clause

If you do not agree with this decision, you can submit an objection to the Dutch Data Protection Authority within six weeks after the date of sending of the decision, digitally or on paper. In accordance with Article 38 of the UAVG, submitting an objection suspends the effect of the decision to impose an administrative fine. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Contact, item "Objection or complaint about the AP". [126] The address for submitting on paper is:
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag.
State "Awb-bezwaar" on the envelope and put "objection" in the title of your letter.

In your objection, at least state:
- your name and address;
- the date of your objection;
- the reference (case number) mentioned in this letter, or enclose a copy of this decision;
- the reason(s) why you disagree with this decision;
- your signature.

[125] The AP will hand over the claim to the Central Judicial Collection Agency (CJIB). The AP will proceed to collect the fine after any legal (follow-up) proceedings regarding this decision have been completed.
[126] The direct URL is <https://www.autoriteitpersoonsgegevens.nl/over-de-autoriteit-persoonsgegevens/bezwaar-maken>.