There has been a collective intake of breath in the Paris Smith office as news of Uber’s data breach broke, with reports stating that the breach had exposed the details of 57 million customers and drivers worldwide. In the UK, the figures are believed to be in the region of 2.3 million data subjects affected. Even our non-data protection specialists are aware that a breach of this nature should have been reported to the ICO, and yet Uber did not do so. The Information Commissioner, our UK data protection regulator, is clearly not impressed and has said that it has “huge concerns” about Uber’s data protection policies and ethics. It will be interesting to see what level of penalty is levied at Uber in respect of the breach and Uber’s failure to notify the breach to the ICO.
This leads us to consider how the GDPR would have impacted on Uber had the breach occurred after 25 May 2018 rather than last year.
A data breach is any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. Under the GDPR, any data breach should be recorded on an internal register. If the breach is likely to result in a ‘high risk’ to the rights and freedoms of data subjects, including in respect of financial loss, discrimination, loss of confidentiality or other economic or social disadvantage, then the breach should be notified to the ICO without undue delay and within 72 hours. A breach of the magnitude of the Uber breach would, without question, be notifiable. Under GDPR, failing to notify would be a failure to comply with data protection obligations, specifically Article 33.
GDPR further requires that where a breach is ‘high risk’, then in addition to notifying the regulator, data subjects should be notified personally so that they have an opportunity to mitigate any loss arising from the breach. Uber has not yet confirmed details of the breach, but there is no guarantee that the hackers have not cloned the stolen data, nor that data subjects will not suffer loss further down the line. Raj Samani, chief scientist at security company McAfee, said: “Uber has treated its customers with a complete lack of respect. Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this.” Under GDPR, this would be another failure to comply with data protection obligations, specifically Article 34.
Given the current climate around data security and breaches, it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year. It will be interesting to see whether Uber also failed to comply with another data protection obligation, namely to keep data secure – it may be that (as with the NHS last month) they failed to apply a security patch, thereby leaving well-known vulnerabilities exposed in their security systems. Under GDPR, this is yet another failure to comply with data protection obligations, specifically Article 32. It’s almost like an exam question: “identify, with specific reference to the appropriate Article under GDPR, the numerous breaches committed by Uber in respect of this data breach”.
Luckily for Uber, the increased penalties to be levied under GDPR, which amount to 20 million Euro or 4% of an undertaking’s worldwide turnover, do not become enforceable until 25 May 2018. Until that time, the maximum penalty that the ICO can issue is £500,000. It will be interesting to see what figure the ICO decides upon as an appropriate financial penalty. In addition, we will no doubt see the ICO taking the lead in ‘helping’ Uber become compliant in its data protection practices.
If you would like any further information on your obligations under GDPR please contact me.