UK: Uber’s data privacy breach – the consequences

We are now less than six months away from the implementation of the General Data Protection Regulation (GDPR), which is expected to produce massive changes to be implemented by businesses when handling the data of third parties.

Among the GDPR’s most headline-grabbing provisions are the significantly increased administrative fines. There is also the requirement that the relevant supervisory authority must be advised of personal data breaches by data controllers “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (GDPR article 33 sec. 1).

The Bloomberg news agency recently published the fact that the controversial ride-sharing company Uber was aware of a significant breach of data in 2016 when it is alleged to have paid hackers US $100,000 to delete the personal data it had acquired of some 57 million customers (and self-employed drivers). The information was obtained by the hackers when they penetrated Uber’s cyber-defences, but Uber cannot avoid blame if it failed to take adequate steps to ensure that the data was protected from exposure in the first place. It is a possible indicator of perceived liability that Uber’s chief security officer has now resigned from the company.

The GDPR does not always receive good publicity from businesses on account of the perceived need to deploy significant resources to achieve compliance. However, Uber’s breach underlines the fact that article 33 is needed. The tougher regime on data breaches will be welcomed by the public at large.

Uber’s conduct is understood to be presently under discussion by the EU data protection authorities.

Under current data protection legislation, the relevant supervisory authority should be notified of any significant breach of data . Uber has already been fined for failing to disclose another breach of data that took place in 2014 (the €20,000 penalty for that was derisory). Further action is likely before the GDPR becomes law in connection with the 2016 breach.

When the GDPR is in force, it is likely that the cover-up of a serious breach of data of this nature will incur a heavy administrative fine. The potential maximum could be £10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR article 83 sec. 4(a)).

The global affect of the EU’s General Data Protection Regulation (GDPR)

The GDPR comes into effect on 25th May, 2018, and is binding on all EU Member States. However, the opening clauses provide some flexibility in the conditions of individual countries.
In cases where data is transmitted to non-EU countries (termed “third countries”), art. 45 of the GDPR requires there to be an “appropriate degree of protection” in the respective region, which is scrutinised and determined by the European Commission.

Supervisory authorities may want to demonstrate the impact of the GDPR by levying significant fines on prominent organisations such as Uber. If Uber once again exposes itself to a significant breach of data after 24th May, 2018 (the GDPR implementation date), and fails to disclose it quickly enough, it may be fined for both the lack of adequate data security measures as well as for any cover up. It would also have to disclose the breach to any of its customers who are affected. In addition to the other controversies Uber has recently faced, the combined effect of a serious monetary penalty as well as the bad public relations that would follow anyway may have a significant impact on the company’s viability.

Author:
Laurie Heizler, Of Councel,
Barlow Robbins LLP
LaurieHeizler@barlowrobbins.com