The signing of a new EU–US data bridge agreement in 2023 ended three years of intense uncertainty for transatlantic businesses. However, sending personal data from the EU to the US remains contentious.
For example, on Monday, Aug. 26, Uber was fined €290 million ($324 million) for violating the EU’s data protection regulation by sending drivers’ data to the US.
The fine was issued after an investigation revealed that Uber had transferred thousands of European drivers’ personal data to its US servers without proper safeguards or obtaining the necessary consent.
A French human rights organization initially lodged a complaint on behalf of more than 170 taxi drivers. However, the French privacy watchdog forwarded the case to its counterpart in the Netherlands, where Uber has its European headquarters.
Responding to the penalty, an Uber spokesperson said the company’s cross-border data transfer process “was compliant with GDPR during three years of immense uncertainty between the EU and US.”
The comment appears to be a reference to the period after the EU–US Privacy Shield was invalidated by the European Court of Justice but before its replacement was agreed upon last year.
Privacy Shield was struck down because the court found that US surveillance practices were incompatible with EU citizens’ rights to data privacy. Its collapse left companies like Uber in a precarious position as they sought to navigate the legal complexities of cross-border data transfers.
The new EU–US data bridge agreement was intended to address these concerns by providing a more robust legal framework. However, it remains controversial, with critics arguing that it still does not fully protect European citizens’ data from US government access.
This lingering uncertainty has led to ongoing legal challenges and significant compliance risks for companies operating across both regions.
For Uber, the financial penalty could signal further trouble on the horizon.
The company may also face increased scrutiny from regulators and could be required to implement more stringent data protection measures to prevent future violations.
Moreover, this case could set a precedent for how other companies are held accountable under the EU–US data bridge agreement, potentially leading to further fines and regulatory actions.