Data Transfer: Why is GDPR Rule Still Tripping Up Companies?

Uber is the latest casualty to be hit by the GDPR rules surrounding data transfers, but why, six years on, is the law still tripping up so many companies?

Uber has been hit with a record-breaking €290m (US$323m) fine for alleged violations of the General Data Protection Regulation (GDPR) regarding the transfer of personal data from the EU to the US. 

This hefty penalty underscores the robust nature of GDPR for protecting citizens and the growing scrutiny and enforcement of data protection laws across the EU, particularly concerning the transfer of sensitive information to countries with differing privacy standards.

But why is the transfer of data still such a contentious issue for the EU and the GDPR legislation?

A closer look at the Uber case

The Dutch Data Protection Authority’s (DPA) investigation alleged that Uber had collected and retained drivers' personal information on US-based servers for more than two years. 

This data trove included account details, taxi licences, location data, photographs, payment information, and identity documents. In some instances, even criminal and medical records were part of this transatlantic data migration.

Uber is believed to have collected drivers' account details and taxi licences, location data, photos and payment details

This is where the DPA says the infraction occurred: Uber failed to implement appropriate safeguards when transferring this sensitive information across the pond.

This is because the EU maintains that personal data originating from the EU remains subject to EU data protection rules even when transferred outside of its jurisdiction.

This is a key aspect of the EU's approach to international data transfers under the General Data Protection Regulation (GDPR), and means that companies with multinational footprints may sometimes fall afoul of the law.

The situation was exacerbated by the invalidation of the EU-US Privacy Shield in 2020, which had previously provided a framework for such data transfers. Although a replacement, known as the EU-US Data Privacy Framework, was announced in July 2023, Uber's practices during the interim period have come under intense scrutiny.

Data protection as a vector for fines

Uber is far from alone in facing the wrath of EU data protection authorities. In May 2023, Meta, the parent company of Facebook, Instagram, and WhatsApp, was hit with a record-breaking £1.2bn (US$1.58bn) fine by the Irish Data Protection Commission. 

This unprecedented penalty was imposed for Meta's mishandling of data transfers between the EU and the US.

Meta received the largest-ever GDPR fine over data transfer

Like Uber, Meta relied on standard contractual clauses to facilitate these transfers. However, EU regulators deemed these safeguards insufficient to protect European data from the comparatively lax privacy laws in the US. 

The Meta decision sent shockwaves through the tech industry, challenging long-standing practices and forcing companies to reassess their data transfer mechanisms.

Industry tactics to stay on the right track

In response to this shifting regulatory landscape, some tech giants are taking proactive measures to ensure compliance and mitigate risks. Microsoft, for instance, has announced a bold new strategy to keep all European cloud customers' personal data within the EU.

This "EU data boundary" initiative encompasses Microsoft's entire suite of cloud services, including Azure, Microsoft 365, Power Platform, and Dynamics 365. 

Notably, the company claims to be "the first large-scale cloud provider to deliver this level of data residency to European customers," even including pseudonymised personal data found in system-generated logs.

Similarly, Amazon has unveiled plans for a separate "European Sovereign Cloud" service, which aims to keep customers' metadata within the bloc. 

As the dust settles on Uber's record fine and companies scramble to align their practices with evolving regulations, one thing is clear: EU data transfer infractions can be costly, and companies need to adapt six years on.

Cyber Magazine is a BizClik brand