In this latest episode of the PrivacyRules privacyespresso series, Stephan Mulders, lawyer at Van Diepen Van der Kroef Advocaten, PrivacyRules dutch law firm member, discusses the recent significant fines imposed by the Dutch Data Protection Authority (DPA) on Uber and Clearview. Uber faces a €290 million fine, primarily for insufficient transfer mechanisms between Uber USA and Uber Netherlands, marking the third time Uber has been fined by the DPA for GDPR violations. Meanwhile, Clearview received a €30 million fine for scraping internet data and violating various GDPR regulations. The discussion dives into the details of the fines, the implications of joint controllers under the GDPR, and how enforcement of such violations is intensifying.
Key points :
- The Dutch DPA is showing its teeth. First, the 10 million Uber fine earlier this year, now € 290 m for Uber and € 30 m for Clearview.
- Be careful with French taxi drivers. The three Uber fines originated from complaints from French taxi drivers and civil rights interest groups. It is thus essential to listen to your stakeholders very early and try to mitigate their grievances. Perhaps there is something to say about the Rhineland model.
- The time of “cry and pray” is over. The consensus after Schrems II was that it was almost impossible to comply with, so the only advice was to pray that no sanctions would follow. The Dutch DPA is, however, not afraid to fine for past behavior. So, it is not unlikely that more companies will face similar fines for their data transfers between 2020 and 2023
- Earlier, the DPA issued guidelines on web scraping for AI purposes. The Clearview fine shows that the DPA means to enforce those guidelines
- In the past, the DPA took a somewhat controversial standpoint that economic interests cannot be legitimate as these are not explicitly covered by positive EU law. Now, the DPA uses a more subtle version, stating that a business model solely collecting data is not legitimate.
- Personal liability will be a hard push for the DPA. In general, it is hard to pierce the corporate veil. This can only happen if the board acts seriously culpable in person. This is not likely as long as the board has convincing arguments to dispute the fine.
Tune in to hear Stephan’s analysis on these significant developments and what they mean for businesses handling personal data.