Uber, the ridesharing giant, admitted in November 2017 that a "data security incident" in 2016 had resulted in unauthorised access to the personal information of some 57 million Uber customers and drivers worldwide[1].
According to the Information Commissioner's Office of the United Kingdom (the "ICO")[2], that data included the names and contact details of approximately 2.7 million Uber customers and 82,000 Uber drivers in the United Kingdom (for drivers, also their journey details, weekly pay and, for some, their driver's licence numbers). According to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (the "Dutch DPA")[3], some 174,000 Dutch citizens were also affected.
The Data Security Breach
According to the ICO, Uber did not report the attack when it happened. Instead, it paid the attackers USD 100,000 in return for their deleting the data and keeping the breach quiet.
What does the GDPR say?
Note that Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (the "GDPR"), did not yet apply at the time of the breach: it has applied only since 25 May 2018.
The United Kingdom data protection legislation in force at the time of the breach imposed no deadline for reporting breaches. Dutch data protection legislation, however, already required Uber to report the breach within 72 hours of becoming aware of it.
Under the GDPR, a personal data breach must be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). Where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be informed without undue delay (Article 34).
The ICO and the Dutch DPA recently fined Uber a total of approximately USD 1.17 million (GBP 385,000, approximately USD 491,000, and EUR 600,000, approximately USD 680,000, respectively) for failing to safeguard personal data[4].
In the United States, Uber agreed in September 2018 to a USD 148 million settlement with all 50 states and the District of Columbia over its failure to notify some 600,000 affected drivers of the breach[5].
Turkish Legislation on Data Security Breach
Article 12(5) of the Turkish Data Protection Law No. 6698 provides that, where personal data is unlawfully obtained by a third party, the data controller must notify the Turkish Personal Data Protection Board and the affected data subject(s) as soon as possible.
Unlike the GDPR, it sets no specific deadline for the notification, and the severity of the breach plays no part in determining whether data subjects must be notified.
Roughly USD 150 million in fines and settlements is certainly not negligible, but for a ride-sharing giant reportedly targeting a USD 120 billion valuation for a 2019 IPO, it is not astronomical either. The outcome could have been very different had the breach occurred in the current GDPR era: the ICO and the Dutch DPA could then each have imposed fines of up to EUR 20 million or four percent of Uber's total worldwide annual turnover, whichever is higher[6]. Strictly, a failure of the security and breach-notification obligations in Articles 32 to 34 falls under the lower tier of EUR 10 million or two percent of turnover; the upper tier is reached where the regulator treats the failure as a breach of the integrity and confidentiality principle in Article 5(1)(f).
The Uber case should serve as a reminder to all businesses to ensure that their data protection standards and practices are up to the task and, in particular, that they have mechanisms and guidelines in place for handling breaches in a manner that complies with the requirements of applicable laws in all relevant jurisdictions.
[2] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/11/ico-fines-uber-385-000-over-data-protection-failings/ for the ICO's announcement.
[3] See https://autoriteitpersoonsgegevens.nl/en/news/dutch-dpa-fine-data-breach-uber for the Dutch DPA's (Autoriteit Persoonsgegevens) announcement.
[4] See the ICO's and the Dutch DPA's announcements linked above.
[5] See https://oag.dc.gov/release/ag-racine-reaches-148-million-nationwide for the announcement by the Attorney General for the District of Columbia.
[6] Article 83(5) of the GDPR; the lower tier is set out in Article 83(4).