What can U.S.-based and multi-national companies learn from the 290 million euro fine Autoriteit Persoonsgegevens, the Dutch Data Protection Authority, issued against Uber in connection with the processing of Dutch driver data in the United States?
- If you are a user located in the European Union who is entering information directly into a U.S.-based platform run by a U.S.-based company, that can still be a cross-border transfer (as opposed to a direct data collection) if you are employed by or under contract with an EU company and the data in question is connected with that employment/contract, and/or the EU company and the US company are joint controllers. In such a case, the EU company is the exporter and the US company is the importer.
- Article 3 (scope) and Chapter V (cross-border transfers) of GDPR coexist and can apply together. Onward transfers between joint controllers subject to Article 3 can also take place and are not excluded from the GDPR onward transfer provisions.
- If you are a non-EU data controller that is directly subject to GDPR and imports information, it may be “better safe than sorry” to execute the Standard Contractual Clauses approved by the European Commission (or adopt another transfer instrument, if applicable), even though the EC said that these particular SCCs do not apply to such cases and on-point SCCs are forthcoming.
- You may not be able to use Art 49 derogations to centralize your HR function with your US parent because this may not be deemed “necessary.”
- A US-based parent company may not be able to rely on the Art 49 cross-border transfer derogations of “necessity for contract” or “necessity for conclusion of contract in the best interest of the individual” to centralize payment functions and personnel management by the US parent for all its personnel in all of its subsidiaries because:
  - The processing of HR data is too systematic and repetitive.
  - Even processing relating to DSARs (25x/yr) is too systematic, repetitive and part of an ongoing stable relationship. (Also, a DSAR is not part of a contract. It is a legal duty.)
  - It is NOT necessary because: (a) there is no objective link between the execution of the agreement and the transfer; (b) storage in a third country without an adequacy decision, in almost every conceivable case, actually compromises the level of protection provided by GDPR; and (c) the justification that such centralization will accomplish this faster and more efficiently is not enough for necessity.