Nice article @jonklinger! Especially the intro to and explanation of the GDPR and Data Processing Agreements.

There is clearly a gap between the rights of data subjects under the GDPR and their ability to catch all breaches. However, the idea is that data subjects only must interact with the controller or processor collecting their info and give them informed consent (was also required prior to the GDPR, but has become more stringent, e.g. marketing consent must be separate). Under the GDPR the data subject then can sue any of the controller or processor within the processor chain, following a breach by either. That is one of the reasons it is important to execute a DPA as a processor/controller, so that one can get indemnified if one gets sued by a data subject due to a breach by another processor (or controller) within the chain.

Another thing to be aware of with respect to DPA's, is that their content, including as regards consent for sub-processing differs if the personal information is leaving the EEA. If it is, and there has not been an adequacy decision by the Commission that the third country has adequate privacy laws, usually the model clauses approved at EU level will be used. Under such provisions specific consent is required, and general consent is not enough.

With respect to the Uber terms, it looks like they are just obtaining general consent by listing the types of entities. That is only allowable if the personal information is not being transferred outside the EEA. In fact, to me it looks like Ubers PP Policy could be in breach, unless the data obtained from EEA persons does not leave the EEA. If it does, more than likely (there are some other avenues) specific consent is required.

However yes, you are correct that if the service provider does not list all sub-processors, you will not know without asking (which you can) which entity is processing your information, and therefore which additional companies to try to 'monitor', chase or sue. Due to the GDPR at least, everyone in the data supply chain can be sued by the data subject, even if not at fault.

I would not say the DPA is the problem, but the law for EEA internal transfers which does not require specific consent, as the law does for outside EEA transfers - are you advocating for that? It would result in longer pages of documents for lawyers to draft :).

I am a recent co-founder of Owki Ltd, we plan to automate as many business contracts as possible and provide high-quality contracts at a very low cost. Our first contract is a data processing agreement (funnily enough). Check dpabot.com. You can use this gift token (20 free downloads available) for a free high-quality DPA: dpabot20.