Uber data breach highlights notification obligations and GDPR impact
On 21 November 2017, it was reported that Uber had suffered a hack resulting in the unauthorised access of personal data relating to around 50m customers and 7m drivers. Notwithstanding the regular stream of data breaches hitting the news, this incident was particularly notable for two reasons:
- the actual breach took place in October 2016 and was not made public by Uber or disclosed to regulators until over a year later; and
- Uber reportedly paid the hackers a $100,000 ransom to delete the data.
The incident provides a useful reminder of the current laws and imminent changes relating to data breaches.
The current regime
An organisation suffering a data breach (which may involve loss, theft or unauthorised access to the data and malicious acts such as hacking) may face questions as to its compliance with the Data Protection Act 1998 (DPA). The breach may have arisen as a result of a failure to take appropriate technical and organisational measures to protect personal data as required by the seventh data protection principle. This article focuses on the legal obligations surrounding data breach notifications.
The DPA does not contain any general mandatory requirement to notify regulators or data subjects in the event of a data breach. Nonetheless, the Information Commissioner's Office (ICO), the UK data protection regulator, has published guidelines setting out its expectations relating to notifications. The guidance makes it clear that the ICO expects to be notified in the event of serious breaches, with the overriding factor being the potential harm to data subjects.
This regime clearly leaves a lot of discretion to data controllers. However, the ICO has stated that deliberately concealing breaches from regulators is a factor that could result in higher fines being imposed if non-compliance with the DPA is found.
Separate mandatory notification obligations are placed on providers of public electronic communication services to notify regulators, and in certain circumstances affected data subjects, of data breaches under the Privacy and Electronic Communications (EC Directive) Regulations 2003. However, these obligations do not apply to all data controllers.
It is not clear whether any of the data accessed in the Uber breach related to UK data subjects and thus whether the Data Protection Act was applicable. Uber has however recognised that it was under a legal obligation to notify regulators (which it failed to do) and the ICO has announced it is investigating.
Data breach notifications under the GDPR
The General Data Protection Regulation (GDPR) will come into force in May 2018 and will need to be implemented by UK businesses notwithstanding Brexit. It makes significant changes to the data breach notification regime.
Notification to regulators will become mandatory for data controllers (subject to a limited exception where the breach is unlikely to result in a risk to the rights and freedoms of natural persons). The notification must take place without undue delay and not later than 72 hours after becoming aware of the breach. There is a separate obligation on data processors to notify the relevant data controller in the event of a breach.
There are also notification obligations in respect of the affected data subjects; these notifications must be made by the data controller without undue delay unless an exemption applies. The exemptions comprise the breach being unlikely to result in a high risk to the rights and freedoms of data subjects, appropriate encryption or other technical measures having been in place, or the notification involving disproportionate effort (in which case a public announcement would be required instead). In addition, an internal register of data breaches must be maintained.
It is clear that under the GDPR regime (and the current DPA requirements), effective data breach policies and procedures will form part of the requirement for ensuring appropriate technical and organisational measures are in place to protect personal data. Such policies should include escalation of serious breaches to senior management – a measure that appears not to have been instigated at the time of the Uber data breach.
Fines for non-compliance with these procedures under the GDPR will be a maximum of the higher of €10m or 2% of total worldwide annual turnover. This significantly increases the potential fines from the current DPA regime (with maximum penalties of £500,000).
Summary
Whilst it is not clear whether Uber in fact breached the DPA in this instance, the case highlights the need for robust data breach management policies and ensuring the policies are properly implemented. As regards paying ransom to hackers, such measures may prove an effective way of limiting the consequences of a data breach. However, the negative publicity surrounding the Uber breach demonstrates just one of the potential consequences of dealing with a data breach in this manner.
The requirements relating to data breach notifications under the GDPR are far more prescriptive and the potential consequences of non-compliance more serious. Review of such policies will need to form part of GDPR preparations.
This article was written by Richard Davies. For more information, please contact Richard on +44 (0)20 7427 6732 or at richard.davies@crsblaw.com.