Lessons from Uber and Facebook in Transferring Personal Data Overseas

In Short

  • UK businesses transferring personal data overseas must comply with data protection laws or face significant fines.
  • The EU and select others are approved countries for data transfers; proper safeguards are required for non-approved countries.
  • Uber and Facebook were fined for failing to ensure compliance with data protection laws when transferring data overseas.

Tips for Businesses

When transferring data abroad, ensure your destination is an approved jurisdiction or put safeguards in place. Always review contracts and data policies with legal advice to prevent non-compliance, which can lead to costly penalties.

If your business sends personal data overseas, you must ensure that you are complying with data protection laws. Recent cases found that Uber and Meta, the owner of Facebook, breached data protection laws by unlawfully sending user data overseas from the EU to the US. In this article, we unpack the data protection laws concerning sending personal data overseas, how Uber and Facebook breached those laws and how you can avoid the same mistakes.

Transferring Personal Data Outside of the United Kingdom

All UK businesses that process personal data must comply with data protection laws. Examples of situations where you may transfer personal data outside of the UK include where:

  • you input personal data into software, such as your CRM, that is operated out of another country;
  • your IT support or customer service centre operates out of another country; and
  • you have a related entity based in another country.

Generally, transferring personal data outside the UK is prohibited unless you can rely on an exemption. This is because some countries do not have adequate data protection laws in place, and it is essential to ensure that all personal data you process is well looked after and protected.

The key exceptions you may rely on are:

  • where you are transferring personal data to an approved jurisdiction;
  • where appropriate safeguards have been put in place to protect the transfer (most commonly through approved contractual clauses); or
  • where you have consent.

Let us explore these exceptions in further detail.

Transferring Personal Data to an Approved Jurisdiction

You may transfer data to an approved jurisdiction, provided you comply with the standard rules of transferring personal data. The UK has currently approved the following countries as locations that provide an adequate level of data protection: 

  • Andorra;
  • Argentina;
  • Canada (commercial organisations);
  • the EU member states and European Economic Area Members;
  • Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • Japan;
  • Jersey;
  • New Zealand;
  • Gibraltar;
  • Switzerland; and 
  • Uruguay.

You may also be able to transfer personal data to some organisations in the US that meet certain certification requirements under the UK-US Data Bridge. Under this framework, certified US companies must follow specific privacy principles. If you transfer personal data to such companies, UK individuals can access a redress mechanism if they believe their data has been misused. 

Appropriate Safeguards 

If the location you are sending personal data to is not an approved country, you can implement safeguards to protect the transfer and receipt of personal data. The most common way to do this is to implement contractual provisions approved by the UK’s Information Commissioner’s Office (ICO) to protect the transfer.

Before relying on an appropriate safeguard to make a restricted transfer, make sure the people whose data is being transferred have a level of protection essentially equal to what they would have in the UK.

Consent

You can obtain explicit consent from individuals to transfer their personal data outside of the UK after informing them of the possible risks of such transfers. A general consent to transfer data to third parties, or a general notification in your privacy policy of the third parties you disclose to, is not sufficient consent. The consent has to be very specific and voluntary. However, obtaining consent in this way is impractical in most situations.

Uber and Facebook’s Breach of Data Protection Laws

What Uber Did Wrong

The Dutch Data Protection Authority (DPA) recently fined Uber, the world’s largest rideshare company, €290 million for transferring European Uber drivers’ personal data to the US without adequate safeguards. This violated European data protection laws, which are very similar to UK data protection laws.

The personal data shared by Uber included sensitive information such as:

  • account details;
  • taxi licences;
  • location data; and
  • criminal and medical records. 

For over two years, Uber transferred this data without proper transfer tools, compromising the privacy rights of many individuals. Much like in the UK, the fine was calculated based on Uber’s worldwide annual turnover, with a maximum limit of 4%. Although the fine was issued in the EU, the UK’s data protection regime is very similar to that of the EU, and this case serves as a stark reminder that regulatory authorities are actively overseeing transfer practices to ensure compliance.

What Facebook Did Wrong

Facebook owner Meta is one of the world’s most valuable companies and processes the personal data of millions of users. In May 2023, Meta was fined £1 billion by Ireland’s Data Protection Commission and ordered to suspend the transfer of user data from the EU to the US. 

This is because Meta was transferring personal data from the EU to the US without ensuring proper safeguards were in place. Facebook used approved terms in their contracts to cover the transfer of personal data overseas. However, these terms were insufficient to address the risks to the fundamental rights and freedoms of data subjects.

The key reason for this is that the US Government has laws based on national security allowing it to access the personal data of individuals (including overseas individuals) held by US corporations without any effective safeguards or checks.

Consequently, the judgement will seriously affect all businesses that transfer personal data to the US. It is worth noting that since this case took place, the UK has now implemented the UK-US Data Bridge, which gives businesses another avenue to safely share personal data with the US. 

What We Can Learn from Uber and Facebook

The Uber and Facebook decisions are a solid reminder to all businesses that data protection authorities continue to monitor data and privacy compliance. Failure to comply with the law can incur costly fines for businesses. 

To ensure your business is compliant with data protection laws, you should:

  1. Consider whether you can achieve your aims without sending personal data overseas. For example, determine whether you can anonymise the data.
  2. Assess whether the ‘adequacy regulations’ cover the transfer, that is, whether the transfer is to an approved country.
  3. If the transfer is not to an approved country, ensure you have an alternative mechanism to transfer personal data overseas, such as having ‘appropriate safeguards’ in place, including the approved contractual clauses.
  4. Before relying on ‘appropriate safeguards’, ensure you are satisfied that the relevant protections under UK data protection laws are not undermined for people whose data is transferred.
  5. Where you have a contract with the recipient of personal data, contact a privacy lawyer to help ensure it is compliant.

Key Takeaways

In summary, the Uber and Facebook cases show that businesses must comply with data protection laws and think twice before sending personal data to overseas countries. To avoid making the same mistakes, thoroughly audit your business’s privacy practices and comply with the UK General Data Protection Regulation. In addition, consider which countries you send personal data to, and carry out risk assessments to ensure such transfers are compliant.

If you are concerned about how data protection laws may impact your business, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is personal data?

Personal data is information about a specific identifiable individual that relates to them. For example, this may include a person’s name, an identification number like a National Insurance number, location information or a person’s IP address.

What should I do when sending personal data to a location that is not approved?

If the location you are sending personal data to is not an approved country, you can implement safeguards to protect the transfer and receipt of personal data. You may also obtain the consent of the data subject.

Lauren McKee

Practice Leader

Lauren is a Practice Leader in LegalVision’s Corporate and Commercial team and works across a broad range of commercial contracts matters. Lauren works with SMEs, startups and enterprise clients to understand their business and assist them with their contracts needs.

Qualifications: Bachelor of Laws (Hons), Bachelor of Arts, Macquarie University.
