Uber data breach highlights notification obligations and GDPR impact
On 21 November 2017, it was reported that Uber had suffered a hack resulting in the unauthorised access of personal data relating to around 50m customers and 7m drivers. Notwithstanding the regular stream of data breaches hitting the news, this incident was particularly notable for two reasons:
- the actual breach took place in October 2016 and was not made public by Uber or disclosed to regulators until over a year later; and
- Uber reportedly paid the hackers a $100,000 ransom to delete the data.
The incident provides a useful reminder of the current laws and imminent changes relating to data breaches.
The current regime
An organisation suffering a data breach (which may involve loss, theft or unauthorised access to the data and malicious acts such as hacking) may face questions as to its compliance with the Data Protection Act 1998 (DPA). The breach may have arisen as a result of a failure to take appropriate technical and organisational measures to protect personal data as required by the seventh data protection principle. This article focuses on the legal obligations surrounding data breach notifications.
The DPA does not contain any general mandatory requirement to notify regulators or data subjects in the event of a data breach. Nonetheless, the Information Commissioner's Office (ICO), the UK data protection regulator, has published guidelines setting out its expectations relating to notifications. The guidance makes it clear that the ICO expects to be notified in the event of serious breaches, with the overriding factor being the potential harm to data subjects.
This regime clearly leaves a lot of discretion to data controllers. However, the ICO has stated that deliberately concealing breaches from regulators is a factor that could result in higher fines being imposed where non-compliance with the DPA is found.
Separate mandatory notification obligations are placed on providers of public electronic communication services to notify regulators, and in certain circumstances affected data subjects, of data breaches under the Privacy and Electronic Communications (EC Directive) Regulations 2003. However, these obligations do not apply to all data controllers.
It is not clear whether any of the data accessed in the Uber breach related to UK data subjects and thus whether the DPA was applicable. Uber has, however, acknowledged that it was under a legal obligation to notify regulators (which it failed to do), and the ICO has announced that it is investigating.
Data breach notifications under the GDPR
The General Data Protection Regulation (GDPR) will come into force in May 2018 and will need to be implemented by UK businesses notwithstanding Brexit. It makes significant changes to the data breach notification regime.
Notification to regulators will become mandatory for data controllers (subject to a limited exception where the breach is unlikely to result in a risk to the rights and freedoms of natural persons). The notification must take place without undue delay and not later than 72 hours after the controller becomes aware of the breach. There is a separate obligation on data processors to notify the relevant data controller in the event of a breach.
There are also notification obligations in respect of the affected data subjects, which must be discharged by the data controller without undue delay unless an exemption applies. The exemptions are: the breach is unlikely to result in a high risk to the rights and freedoms of data subjects; appropriate encryption or other technical measures were in place; or individual notification would involve disproportionate effort (in which case a public announcement is required instead). In addition, an internal register of data breaches must be maintained.
It is clear that under the GDPR regime (and the current DPA requirements), effective data breach policies and procedures will form part of the requirement for ensuring appropriate technical and organisational measures are in place to protect personal data. Such policies should include escalation of serious breaches to senior management – a measure that appears not to have been instigated at the time of the Uber data breach.
Fines for non-compliance with these procedures under the GDPR will be a maximum of the higher of €10m or 2% of total worldwide annual turnover. This significantly increases the potential fines from the current DPA regime (with maximum penalties of £500,000).
Summary
Whilst it is not clear whether Uber in fact breached the DPA in this instance, the case highlights the need for robust data breach management policies and ensuring the policies are properly implemented. As regards paying ransom to hackers, such measures may prove an effective way of limiting the consequences of a data breach. However, the negative publicity surrounding the Uber breach demonstrates just one of the potential consequences of dealing with a data breach in this manner.
The requirements relating to data breach notifications under the GDPR are far more prescriptive and the potential consequences of non-compliance more serious. Review of such policies will need to form part of GDPR preparations.
For more information, please contact Richard Davies or Jonny McDonald.