Europe's data protection authorities are discussing Uber's big data breach at this week's plenary session of their Article 29 Working Party — a meeting that could potentially see them create a task force to deal with the issue in a coordinated fashion, or merely write a stern open letter.
Meanwhile, with the EU's data protection landscape still being relatively fragmented ahead of May's General Data Protection Regulation introduction, Uber is facing multiple Member-State investigations. As reported by the IAPP's Jedidiah Bracy, CIPP, data protection authorities from the U.K., Italy, Austria and Poland have already announced separate investigations.
Agnieszka Świątek-Druś, spokesperson for Poland's DPA, told The Privacy Advisor, "As of yet not legal actions have been undertaken, however, GIODO is looking into the issue in order to establish more facts and decide upon what steps to take. Since Uber’s privacy policy states that the controller is located in the Netherlands, the main control proceedings will most likely be conducted by the Dutch data protection with which GIODO will cooperate where possible," she said.
The Netherlands, where Uber has based its EU operations, is also probing the incident. In addition, the National Privacy Commission in the Philippines announced an investigation on Tuesday.
A week ago, new-broom Uber CEO Dara Khosrowshahi informed the world that the company had last year suffered a massive data breach affecting 57 million Uber passengers and drivers from around the world. Two people had apparently "inappropriately accessed" the information, which was held on Amazon Web Services. The data included names, email addresses and mobile phone numbers — and, in the case of 600,000 U.S. drivers, license numbers too.
As Khosrowshahi put it, Uber "subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed." But as Bloomberg reported, this involved giving the responsible individuals $100,000. Most damningly, it seems the strategy at the time of the October 2016 attack was to hush the whole thing up — a gambit that has now cost Uber chief security officer Joe Sullivan his job.
DPAs aren't the only ones looking into the case seriously. Investigations are now underway in at least five U.S. states (Massachusetts, Illinois, Connecticut, New York and Missouri), and 10 federal lawsuits have been filed against the company, as well as two in Chicago state court. But in Europe, regulators are also racing to get their heads around the scale of the breach and the implications of Uber's failure to notify anyone until now.
"We have the plenary session [this week] and they decided the day after we heard about this Uber data breach that we would put it on the agenda," said Marine de Baillenx, a spokeswoman for CNIL, the French DPA that spearheads the WP29.
Although the GDPR will toughen up sanctions for data-protection-flouting companies in a major way, EU DPAs have in recent years found it useful to overcome their relatively weak fining ability by banding together to coordinate their responses. This is what happened when they wanted to tackle Google over its unified privacy policy, and when they decided to berate Facebook for its absorption of WhatsApp user data.
When Yahoo (these days called Oath) belatedly reported the 2014 theft of half a billion users' personal data, it last year became the recipient of a stern letter urging it to cooperate with national DPAs in their investigations.
The Italian DPA was the first of the Member States to open a full-blown investigation. "We cannot but voice our strong concern for the breach suffered by Uber, which was reported belatedly by the U.S. company. We initiated our inquiries and are gathering all the information that can help us assess the scope of the data breach and take the appropriate steps to protect any Italian citizen involved," said DPA president Antonello Soro in a statement last Wednesday, shortly after the breach was revealed.
"It is clearly surprising that a digital multinational like Uber has patently insufficient and inadequate security measures in place to protect data; indeed, we are dismayed by the poor transparency shown towards users, which we intend to investigate," Soro added.
The U.K. Information Commissioner's Office (ICO) has weighed in slightly more tentatively, with deputy commissioner James Dipple-Johnstone saying in a Wednesday statement that the authority was working with "relevant authorities in the U.K. and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations."
Dipple-Johnstone pointed out that Uber should have notified the ICO at the time of the breach. It's worth noting that the U.K.'s current Data Protection Act does not give data controller a legal obligation to report breaches, although the GDPR certainly will introduce such an obligation.
However, even the current British law states that "appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." The Data Protection Act comes with maximum fines of £500,000.
"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," Dipple-Johnstone said in his statement.
Perhaps the most relevant DPA in this case might be that in the Netherlands. As Uber's international headquarters are situated there, it has the most clear-cut jurisdiction.
"We got a data breach report from Uber and we are looking at it at this moment. We are not at this moment doing a formal investigation – we are just looking at the report to see if we got all the information we would need to have a good knowledge of the data breach," Frederique Hermie, a spokeswoman for the Dutch DPA, told The Privacy Advisor. "So it's too early to say if we are doing an investigation and if Uber has broken the Dutch privacy law."
Hermie explained that, under that law, companies have 72 hours to report data breaches once they become aware of them. If, following a formal investigation, the Dutch DPA decides the law has been broken, it can levy fines of up to €820,000.
In these pre-GDPR days, the heaviest potential fines – in excess of €1 million – could come from Italy. If that investigation were to find serious wrongdoing (and if the DPA there were to successfully establish jurisdiction), then the fine would be calculated in part based on the number of Italians who were affected.
But that's information that isn't clear yet. For now, everyone is scrambling to find out the damage in their own countries. And what happens next could very much depend on the collective strategy established at this week's WP29 meeting.
Uber did not respond to repeated requests for comment on this story.
photo credit: bfishadow Uber in Beijing via photopin (license)