We are now less than six months away from the implementation of the General Data Protection Regulation (GDPR), which is expected to require massive changes in how businesses handle the data of third parties.
Among the GDPR’s most headline-grabbing provisions are the significantly increased administrative fines. There is also the requirement that the relevant supervisory authority must be advised of personal data breaches by data controllers “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (GDPR article 33 sec. 1).
The Bloomberg news agency recently published the fact that the controversial ride-sharing company Uber was aware of a significant breach of data in 2016 when it is alleged to have paid hackers US $100,000 to delete the personal data it had acquired of some 57 million customers (and self-employed drivers). The information was obtained by the hackers when they penetrated Uber’s cyber-defences, but Uber cannot avoid blame if it failed to take adequate steps to ensure that the data was protected from exposure in the first place. It is a possible indicator of perceived liability that Uber’s chief security officer has now resigned from the company.
The GDPR does not always receive good publicity from businesses on account of the perceived need to deploy significant resources to achieve compliance. However, Uber’s breach underlines the fact that article 33 is needed. The tougher regime on data breaches will be welcomed by the public at large.
Uber’s conduct is understood to be presently under discussion by the EU data protection authorities.
When the GDPR is in force, it is likely that the cover-up of a serious breach of data of this nature will incur a heavy administrative fine. The potential maximum could be £10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR article 83 sec. 4(a)).
Supervisory authorities may want to demonstrate the impact of the GDPR by levying significant fines on prominent organisations such as Uber. If Uber once again exposes itself to a significant breach of data after 24th May, 2018 (the GDPR implementation date), and fails to disclose it quickly enough, it may be fined both for the lack of adequate data security measures and for any cover-up. It would also have to disclose the breach to any of its customers who are affected. In addition to the other controversies Uber has recently faced, the combined effect of a serious monetary penalty and the bad public relations that would follow anyway may have a significant impact on the company’s viability.
Laurie Heizler, Of Counsel,
Barlow Robbins LLP