Saturday

16th Dec 2017

Focus

Uber may face fines in EU for keeping data breach secret

Uber promotional photo. Personal information from some 57 million users has been accessed by hackers (Photo: Uber)

US technology company Uber may face fines in the EU over its cover-up of a large-scale data breach, in a case which highlights new rules to come into force in the EU next year.

On Tuesday (21 November) the company's CEO Dara Khosrowshahi announced in a statement that "personal information of 57 million Uber users around the world" was acquired by two hackers in "late 2016".

Additionally, the names and driver's licence numbers of around 600,000 Uber drivers from the US were hacked.

The breach had been kept secret, and Uber did not notify the affected consumers or regulators. Moreover, according to Bloomberg, the company paid the hackers a sum of $100,000 (€85,000) to keep quiet.

Khosrowshahi did not specify whether data from European customers were also involved.

When approached by this website, Uber did not want to comment on the record.

An Uber source told EUobserver that the company was in the process of notifying government authorities, and was not able to give more details until that was over.

However, given that the company last year said it had some 40 million monthly active users, it can be expected that European consumers will be affected.

If that is the case, then the company could face fines under the Dutch Data Protection Act, because it is registered in Amsterdam.

Since 1 January 2016, the Dutch legislation includes a data breach notification obligation.

A spokeswoman for the Dutch Data Protection Authority told this website that companies are obliged to report data breaches to the authority "without delay".

She could not comment on the Uber case and said that whether a company is fined for not reporting a data breach depended "on the context".

In cases where sensitive personal data is involved, companies are also required to inform the affected consumers.

Uber said that the information to which hackers acquired access "included names, email addresses and mobile phone numbers", which may not be seen as 'sensitive'.

If the Dutch Data Protection Authority determines that Uber has broken the Dutch law, the company could face a fine of up to €820,000 – almost ten times what it reportedly paid the hackers.

General data protection regulation

But the bill could have been much higher had the incident happened after 25 May 2018, when new EU data protection legislation comes into force.

The general data protection regulation (GDPR) will make it much more expensive for companies to act like Uber did.

From then on, all companies and organisations which collect data from EU citizens should inform the responsible data protection authority in case of a data breach.

If such a breach is "likely to result in a high risk to the rights and freedoms" of those citizens, they must also be informed.

Names, e-mail addresses, and phone numbers may not fall in that category, but driver's licence numbers almost certainly will.

Failing to report breaches of sensitive personal data after 25 May 2018 could lead to a fine of up to €10 million, or two percent of the company's annual turnover, whichever is higher.

In Uber's case, the latter would have amounted to around €110 million.

Beyond that, the case is likely to do damage to Uber's reputation in Europe.

The company was recently labelled as a transport company by one of the EU's highest lawyers, and it has been the subject of many controversies over the past few years.
