Thursday

18th Apr 2019

Focus

Uber may face fines in EU for keeping data breach secret

  • Uber promotional photo. Personal information from some 57 million users have been accessed by hackers (Photo: Uber)

US technology company Uber may face fines in the EU over its cover-up of a large-scale data breach, in a case which highlights new rules to come into force in the EU next year.

On Tuesday (21 November) the company's CEO Dara Khosrowshahi announced in a statement that "personal information of 57 million Uber users around the world" was acquired by two hackers in "late 2016".

Read and decide

Join EUobserver today

Support quality EU news

Get instant access to all articles — and 18 year's of archives. 30 days free trial.

... or join as a group

Additionally, the names and driver's licence numbers of around 600,000 Uber drivers from the US were hacked.

The breach had been kept secret, and Uber did not notify the affected consumers or regulators. Moreover, according to Bloomberg, the company paid the hackers a sum of $100,000 (€85,000) to keep quiet.

Khosrowshahi did not specify whether data from European customers were also involved.

When approached by this website, Uber did not want to comment on the record.

An Uber source told EUobserver that the company was in the process of notifying government authorities, and was not able to give more details until that was over.

However, given that the company last year said it had some 40 million monthly active users, it can be expected that European consumers will be affected.

If that is the case, then the company could face fines under the Dutch Data Protection Act, because it is registered in Amsterdam.

Since 1 January 2016, the Dutch legislation includes a data breach notification obligation.

A spokeswoman for the Dutch Data Protection Authority told this website that companies are obliged to report data breaches to the authority "without delay".

She could not comment on the Uber case and said that whether a company is fined for not reporting a data breach depended "on the context".

In cases where sensitive personal data is involved, companies are also required to inform the affected consumers.

Uber said that the information to which hackers acquired access, "included names, email addresses and mobile phone numbers", which may not be seen as 'sensitive'.

If the Dutch Data Protection Authority determines that Uber has broken the Dutch law, the company could face a fine of up to €820,000 – almost ten times what it reportedly paid the hackers.

General data protection regulation

But the bill could have been much higher had the incident happened after 25 May 2018, when new EU data protection legislation comes into force.

The general data protection regulation (GDPR) will make it much more expensive for companies to act like Uber did.

From then on all companies and organisations which collect data from EU citizens, should inform the responsible data protection authority in case of a data breach.

If such a breach is "likely to result in a high risk to the rights and freedoms" of those citizens, they must also be informed.

Names, e-mail addresses, and phone numbers may not fall in that category, but driver's licence numbers almost certainly will.

Failing to report breaches of sensitive personal data after 25 May 2018, could lead to a fine of up to €10 million, or two percent of the company's annual turnover, whichever is higher.

In Uber's case, the latter would have amounted to around €110 million.

Beyond that, the case is likely to do damage to Uber's reputation in Europe.

The company was recently labelled as transport company by one of the EU's highest lawyers, and it has been the subject of many controversies over the past few years.

EU gives thumbs up to US data pact

Commission gives 'thumbs-up' to controversial Privacy Shield deal with US on data sharing after a year's operation - but notes room for improvement.

EU to force firms to report major cyber attacks

Negotiators from the European Parliament and national governments have reached an agreement on new cyber-security rules. Amazon, Ebay and Google are expected to be affected.

Uber is a transport service, EU court rules

Ruling means that national governments have the right to demand that Uber drivers request the same permits and authorisations required of taxi drivers.

Are EU data watchdogs staffed for GDPR?

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.

Eight countries to miss EU data protection deadline

The EU starts enforcing its general data protection regulation on 25 May - but Belgium, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Lithuania and Slovenia won't be ready. The delay will cause legal uncertainty.

Stakeholders' Highlights

  1. Counter BalanceSign the petition to help reform the EU’s Bank
  2. UNICEFChild rights organisations encourage candidates for EU elections to become Child Rights Champions
  3. UNESDAUNESDA Outlines 2019-2024 Aspirations: Sustainability, Responsibility, Competitiveness
  4. Counter BalanceRecord citizens’ input to EU bank’s consultation calls on EIB to abandon fossil fuels
  5. International Partnership for Human RightsAnnual EU-Turkmenistan Human Rights Dialogue takes place in Ashgabat
  6. Nordic Council of MinistersNew campaign: spot, capture and share Traces of North
  7. Nordic Council of MinistersLeading Nordic candidates go head-to-head in EU election debate
  8. Nordic Council of MinistersNew Secretary General: Nordic co-operation must benefit everybody
  9. Platform for Peace and JusticeMEP Kati Piri: “Our red line on Turkey has been crossed”
  10. UNICEF2018 deadliest year yet for children in Syria as war enters 9th year
  11. Nordic Council of MinistersNordic commitment to driving global gender equality
  12. International Partnership for Human RightsMeet your defender: Rasul Jafarov leading human rights defender from Azerbaijan

Latest News

  1. Romania drafts EU code on NGO migrant rescues
  2. Bulgaria, Hungary, and Malta shamed on press unfreedom
  3. EU drafts $20bn US sanctions list in aviation dispute
  4. Brunei defends stoning to death of gay men in EU letter
  5. US Democrats side with Ireland on Brexit
  6. Wifi or 5G to connect EU cars? MEPs weigh in
  7. How Brexit may harm the new EU parliament
  8. EU parliament backs whistleblower law

Stakeholders' Highlights

  1. UNICEFUNICEF Hosts MEPs in Jordan Ahead of Brussels Conference on the Future of Syria
  2. Nordic Council of MinistersNordic talks on parental leave at the UN
  3. International Partnership for Human RightsTrial of Chechen prisoner of conscience and human rights activist Oyub Titiev continues.
  4. Nordic Council of MinistersNordic food policy inspires India to be a sustainable superpower
  5. Nordic Council of MinistersMilestone for Nordic-Baltic e-ID
  6. Counter BalanceEU bank urged to free itself from fossil fuels and take climate leadership
  7. Intercultural Dialogue PlatformRoundtable: Muslim Heresy and the Politics of Human Rights, Dr. Matthew J. Nelson
  8. Platform for Peace and JusticeTurkey suffering from the lack of the rule of law
  9. UNESDASoft Drinks Europe welcomes Tim Brett as its new president
  10. Nordic Council of MinistersNordic ministers take the lead in combatting climate change
  11. Counter BalanceEuropean Parliament takes incoherent steps on climate in future EU investments
  12. International Partnership For Human RightsKyrgyz authorities have to immediately release human rights defender Azimjon Askarov

Join EUobserver

Support quality EU news

Join us