Opinion

EU and UK Data Protection Regulatory Trends so far in 2024: a focus on international data transfers

Published Date
Oct 18 2024
This series of blogs rounds up some of the key data protection regulatory trends we have seen during 2024, focused on the EU and UK. 

2024 has seen behavioural advertising and cookies continue to dominate the agenda of data protection authorities (DPAs) in the EU and for the ICO in the UK. Alongside that, DPAs have started to consult about guidance on Artificial Intelligence (AI), particularly Generative AI and Large Language Models (LLMs). After the initial flush of AI enforcement actions in 2023, we have not yet seen clarifying precedent emerge from the DPAs in 2024. We have also seen an increasing focus from DPAs on employee surveillance, particularly use of biometric technologies. We have also seen a sting in the tail of enforcement related to EU-US data transfers, with a major fine issued for breaching GDPR.

This blog focuses on international data transfers.

The topic of international data transfers has been much less in the spotlight since the European Commission adopted its decision on the EU-US Data Privacy Framework in 2023. The decision has created greater confidence in EU-US transfers of personal data. There may have been an expectation that 2024 would be a quiet year for enforcement actions in this area. But there was a significant sting in the tail from the Dutch DPA in 2024, which issued a 290m Euro fine to Uber, related to the transfer of Uber drivers’ personal data from the Netherlands to the US.

In 2021 Uber had stopped using standard contractual clauses (SCCs), and Uber’s position was founded on the European Commission’s FAQ #24, which stated that SCCs cannot be used for transfers to controllers/processors whose processing was directly subject to GDPR, and that the Commission would prepare separate SCCs for this scenario. From the end of 2023 Uber had used the successor to the Privacy Shield, the EU-US Data Privacy Framework, as the safeguard for its transfers. The Dutch DPA therefore found the approach to these transfers between 2021 and 2023 was not compliant with GDPR.

The Dutch DPA’s finding therefore appears to contradict the Commission’s own FAQs. The decision was classed as a cross-border case and was agreed following the One-Stop-Shop cooperation procedure (OSS) under the GDPR. Therefore, the case is the supported view of the EDPB as well. Uber have indicated they will appeal. Following the decision the Commission have also indicated that they will consult on a new set of standard clauses covering this scenario.

Given this uncertain position, companies often prefer to take a cautious approach when acting as a personal data exporter and always apply the SCCs, even where the importer is likely directly subject to GDPR, e.g. where the exporter is subject via the establishment provisions under Article 3(1) and the importer is subject via the territorial scope provisions under Article 3(2). The UK ICO guidance is not explicit on this issue, and companies often take the same approach in the UK, using the International Data Transfer Agreement (IDTA) as well.

Looking beyond the EU, it is also interesting to see the Korea Personal Information Protection Commission fine AliExpress $1.43M for various violations related to personal data transfers made to sellers in China. This covered a range of issues, including transparency, consent and lack of contractual measures. It illustrates that transfers to China remain an important area of risk for companies to consider, with the EDPB yet to clarify its stance in this area.

Conclusion

2024 has seen EU DPAs act on a range of issues, with both familiar and new dimensions. Traditional cornerstone issues such as consent and international data transfers continue to present challenges, while the EDPB has also prioritised data subject access rights as a topic for coordinated action, and we can expect to see more action in this area later this year and into 2025 (EU DPAs have already started to send out questionnaires to controllers). Meanwhile, emerging technologies continue to expand the key areas of risk that DPAs are prioritising, and AI and biometric technologies are clearly now key topics to monitor in the coming months.