Dutch Authority fines Uber for violation data breach regulation
The Dutch Data Protection Authority (Dutch DPA) imposed a €600,000 fine upon Uber B.V. and Uber Technologies, Inc. (UTI) for violating the Dutch data breach notification obligation. The fine imposed on Uber is the first significant fine ever imposed by the Dutch DPA for violation of privacy regulation.
Although the fine was imposed on the basis of the old legislation, the Dutch authority explicitly referred to the GDPR and took the new regulation into account in its assessment. It is a clear signal from the Dutch DPA: violations of privacy regulation can and do lead to heavy fines. The Dutch DPA (Autoriteit Persoonsgegevens, AP) has bared its teeth for the first time. The impact of the decision on businesses is likely to be high. Any remaining doubt about the importance of privacy rules will thus be dispelled.
Data of 57 million people exposed
The Uber group offers a taxi service through the use of an application. The data of drivers and users of the Uber app outside the United States are transferred from the Netherlands to the United States, where they are stored on UTI servers. On 14 November 2016, UTI was informed of a vulnerability in its security by means of an e-mail message from a group of hackers. This group had gained access to the data of Uber users and Uber drivers. Subsequent investigation showed that the data concerned 57 million people, 174,000 of whom were Dutch. The data included various personal details, such as names, e-mail addresses and telephone numbers of customers and drivers, which could have been resold for phishing, unwanted advertising and door-to-door selling. The data breach took place from 13 October to 15 November 2016. On 15 November 2016 UTI resolved the data breach.
How Uber dealt with the data breach
At the time of the data breach the Dutch Personal Data Protection Act, now replaced by the General Data Protection Regulation (GDPR), was applicable. Both the Dutch Personal Data Protection Act and the GDPR contain a data breach notification obligation. Under this obligation, the controller must inform the Dutch DPA about the data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it. According to the Dutch DPA, Uber B.V. and UTI are joint controllers. Therefore both Uber B.V. and UTI were obliged to report the data breach without undue delay. Uber notified the Dutch DPA on 21 November 2017. Uber did not respect the 72-hour period for reporting, nor did Uber inform the affected users in a timely and appropriate manner. According to the Dutch DPA, these circumstances justify a fine of €600,000.