Thursday

22nd Nov 2018

Focus

Uber may face fines in EU for keeping data breach secret

  • Uber promotional photo. Personal information from some 57 million users have been accessed by hackers (Photo: Uber)

US technology company Uber may face fines in the EU over its cover-up of a large-scale data breach, in a case which highlights new rules to come into force in the EU next year.

On Tuesday (21 November) the company's CEO Dara Khosrowshahi announced in a statement that "personal information of 57 million Uber users around the world" was acquired by two hackers in "late 2016".

Read and decide

Join EUobserver today

Support quality EU news

Get instant access to all articles — and 18 year's of archives. 30 days free trial.

... or join as a group

Additionally, the names and driver's licence numbers of around 600,000 Uber drivers from the US were hacked.

The breach had been kept secret, and Uber did not notify the affected consumers or regulators. Moreover, according to Bloomberg, the company paid the hackers a sum of $100,000 (€85,000) to keep quiet.

Khosrowshahi did not specify whether data from European customers were also involved.

When approached by this website, Uber did not want to comment on the record.

An Uber source told EUobserver that the company was in the process of notifying government authorities, and was not able to give more details until that was over.

However, given that the company last year said it had some 40 million monthly active users, it can be expected that European consumers will be affected.

If that is the case, then the company could face fines under the Dutch Data Protection Act, because it is registered in Amsterdam.

Since 1 January 2016, the Dutch legislation includes a data breach notification obligation.

A spokeswoman for the Dutch Data Protection Authority told this website that companies are obliged to report data breaches to the authority "without delay".

She could not comment on the Uber case and said that whether a company is fined for not reporting a data breach depended "on the context".

In cases where sensitive personal data is involved, companies are also required to inform the affected consumers.

Uber said that the information to which hackers acquired access, "included names, email addresses and mobile phone numbers", which may not be seen as 'sensitive'.

If the Dutch Data Protection Authority determines that Uber has broken the Dutch law, the company could face a fine of up to €820,000 – almost ten times what it reportedly paid the hackers.

General data protection regulation

But the bill could have been much higher had the incident happened after 25 May 2018, when new EU data protection legislation comes into force.

The general data protection regulation (GDPR) will make it much more expensive for companies to act like Uber did.

From then on all companies and organisations which collect data from EU citizens, should inform the responsible data protection authority in case of a data breach.

If such a breach is "likely to result in a high risk to the rights and freedoms" of those citizens, they must also be informed.

Names, e-mail addresses, and phone numbers may not fall in that category, but driver's licence numbers almost certainly will.

Failing to report breaches of sensitive personal data after 25 May 2018, could lead to a fine of up to €10 million, or two percent of the company's annual turnover, whichever is higher.

In Uber's case, the latter would have amounted to around €110 million.

Beyond that, the case is likely to do damage to Uber's reputation in Europe.

The company was recently labelled as transport company by one of the EU's highest lawyers, and it has been the subject of many controversies over the past few years.

EU gives thumbs up to US data pact

Commission gives 'thumbs-up' to controversial Privacy Shield deal with US on data sharing after a year's operation - but notes room for improvement.

EU to force firms to report major cyber attacks

Negotiators from the European Parliament and national governments have reached an agreement on new cyber-security rules. Amazon, Ebay and Google are expected to be affected.

Uber is a transport service, EU court rules

Ruling means that national governments have the right to demand that Uber drivers request the same permits and authorisations required of taxi drivers.

New EU fines will apply to 'old' data breaches

On 25 May, a new general data protection regulation will apply. Data breaches that happened before that date, but were covered up, can be fined under the new regulation.

News in Brief

  1. UK shell firms at heart of Danske Bank scandal: whistleblower
  2. Google pledges transparency on EU political ads
  3. EU urges Hungary to respect law on Macedonia PM 'asylum'
  4. Bannon's EU campaign illegal in nine countries: report
  5. EU court overturns Austria's anti-migrant law
  6. Kosovo punishes Serbia with trade tariffs in Interpol row
  7. Italy happy to 'confront' EU on budget
  8. Spain threatens Brexit deal over Gibraltar

Are EU data watchdogs staffed for GDPR?

The success of the new general data protection regulation (GDPR) will depend on whether data protection authorities enforce the new rules - which, in turn, will be at least partly determined by how many people they employ.

Eight countries to miss EU data protection deadline

The EU starts enforcing its general data protection regulation on 25 May - but Belgium, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Lithuania and Slovenia won't be ready. The delay will cause legal uncertainty.

Stakeholders' Highlights

  1. NORDIC COUNCIL OF MINISTERSNordic Region has chance to become world leader when it comes to start-ups
  2. NORDIC COUNCIL OF MINISTERSTheresa May: “We will not be turning our backs on the Nordic region”
  3. International Partnership for Human RightsOpen letter to Emmanuel Macron ahead of Uzbek president's visit
  4. International Partnership for Human RightsRaising key human rights concerns during visit of Turkmenistan's foreign minister
  5. NORDIC COUNCIL OF MINISTERSState of the Nordic Region presented in Brussels
  6. NORDIC COUNCIL OF MINISTERSThe vital bioeconomy. New issue of “Sustainable Growth the Nordic Way” out now
  7. NORDIC COUNCIL OF MINISTERSThe Nordic gender effect goes international
  8. NORDIC COUNCIL OF MINISTERSPaula Lehtomaki from Finland elected as the Council's first female Secretary General
  9. NORDIC COUNCIL OF MINISTERSNordic design sets the stage at COP24, running a competition for sustainable chairs.
  10. Counter BalanceIn Kenya, a motorway funded by the European Investment Bank runs over roadside dwellers
  11. ACCACompany Law Package: Making the Best of Digital and Cross Border Mobility,
  12. International Partnership for Human RightsCivil Society Worried About Shortcomings in EU-Kyrgyzstan Human Rights Dialogue

Latest News

  1. Revealed: 98% of EU 'expert groups' take place in private
  2. EU commission warns Italy on budget, moves towards fines
  3. Challenges for new Franco-German eurozone plan
  4. EU parliament vote strengthens whistleblower protection
  5. Deutsche Bank dragged into Danish bank scandal
  6. New EU human rights sanctions to focus on Africa
  7. Boycott threats mount on eve of Interpol election
  8. EU parliament to renege on transparency promises

Stakeholders' Highlights

  1. UNESDAThe European Soft Drinks Industry Supports over 1.7 Million Jobs
  2. Mission of China to the EUJointly Building Belt and Road Initiative Leads to a Better Future for All
  3. International Partnership for Human RightsCivil society asks PACE to appoint Rapporteur to probe issue of political prisoners in Azerbaijan
  4. ACCASocial Mobility – How Can We Increase Opportunities Through Training and Education?
  5. Nordic Council of MinistersEnergy Solutions for a Greener Tomorrow
  6. UNICEFWhat Kind of Europe Do Children Want? Unicef & Eurochild Launch Survey on the Europe Kids Want
  7. Nordic Council of MinistersNordic Countries Take a Stand for Climate-Smart Energy Solutions
  8. Mission of China to the EUChina: Work Together for a Better Globalisation
  9. Nordic Council of MinistersNordics Could Be First Carbon-Negative Region in World
  10. European Federation of Allergy and AirwaysLife Is Possible for Patients with Severe Asthma
  11. PKEE - Polish Energy AssociationCommon-Sense Approach Needed for EU Energy Reform
  12. Nordic Council of MinistersNordic Region to Lead in Developing and Rolling Out 5G Network

Join EUobserver

Support quality EU news

Join us