The disclosure by Uber of a data breach that occurred in October 2016 has prompted a growing number of regulators to open investigations into the company. According to Bloomberg, the breach (which Uber disclosed on November 21, 2017) involved hackers accessing the names, email addresses and phone numbers of 50 million riders and 7 million drivers and the driver’s license numbers of approximately 600,000 U.S. drivers.
Following the disclosure of the circumstances of the breach and its discovery, data protection authorities (“DPAs”) in the EU have been publicly critical of the timing of the company’s disclosure. In the UK, the Information Commissioner’s Office has stated that it expects Uber to alert all affected individuals, while acknowledging that the breach is “unlikely to pose a direct threat to citizens.” Meanwhile, the president of the Italian DPA has indicated that it intends to investigate the “poor transparency” demonstrated by Uber.
Uber faces its strictest penalties in the Netherlands, where its European operations are based. Dutch rules specify fines of up to €820,000 for failure to disclose a data breach. However, the timing of the breach is such that Uber will not face the more severe penalties that will come into effect with the EU General Data Protection Regulation on 25 May 2018, following which fines of up to 4% of worldwide turnover may be levied.
The Article 29 Working Party announced on Wednesday that it would be coordinating national regulatory responses to the Uber breach across the EU. (The Article 29 Working Party is an advisory body made up of a representative from the DPA of each EU Member State, the European Data Protection Supervisor and the European Commission). As part of the coordination effort, the Article 29 Working Party is establishing a task force led by the Dutch DPA, which will include representatives from DPAs in France, Italy, Spain, Belgium, Germany and the UK. Such task forces are generally reserved for the most serious cases, and have previously been established for investigations into Microsoft, Google, Facebook and Yahoo.
In the meantime, in the United States, the attorneys general of Massachusetts, Illinois, New York, Missouri and Connecticut have each announced investigations into the breach, and a class action lawsuit on behalf of affected drivers has been filed in California. In addition, Uber had previously entered into a consent order with the Federal Trade Commission (“FTC”) in relation to another breach, which occurred in 2014. The consent order prohibits Uber from misrepresenting “the extent to which [Uber] protects the privacy, confidentiality, security or integrity of any personal information.” The FTC, which has levied significant fines in the past on companies found to have violated its consent orders, has stated that it is “closely evaluating the serious issues raised” by the Uber breach.