Uber’s Handling of Data Breach ‘Irresponsible’: EU Privacy Chief


By Stephen Gardner

Uber Technologies Inc.'s handling of a massive 2016 data breach illustrates why the European Union adopted a new privacy regime with a mandatory data breach notification requirement, the bloc’s top privacy official said Nov. 30.

Uber engaged in “irresponsible behavior” by waiting more than a year before revealing, on Nov. 21, the data breach, which affected 57 million of its customers and drivers around the world, EU Justice Commissioner Vera Jourova said.

The Uber breach is “a very telling example of the challenges we face” in terms of protecting private data, Jourova said at the European Data Protection & Privacy Conference, in Brussels. When the EU General Data Protection Regulation takes effect May 25, 2018, companies will be required to tell data protection authorities about serious data breaches within 72 hours of discovering an incident.

Under the GDPR, failure to notify regulators of a data breach could result in a fine of up to ten million euros ($11.85 million), or 2 percent of the global annual revenues of a company in question.

EU privacy regulators have opened a joint investigation into the Uber breach, which will be headed by the Dutch privacy office. Representatives from the Belgian, French, German, Italian, Spanish, and U.K. privacy offices will also be members of the Uber breach task force, according to a Nov. 29 statement from the Article 29 Working Party, which is made up of privacy officials from the 28 EU countries.

Collective Redress

Responding to a question from Bloomberg Law, Jourova said the European Commission, the EU’s executive arm, is considering proposing a collective redress mechanism for EU consumers that would “also cover the field of protection of privacy.”

In “mass harm” cases such as the Uber data breach case, “we need to equip people to defend their rights themselves,” Jourova said. Consumers in the EU should be able to pursue “one strong case” rather than seeking compensation through the courts individually, she said.

Mass harm cases in the EU are loosely akin to consumer class action lawsuits in the U.S.

A future collective redress right would be in addition to privacy enforcement actions pursued by privacy regulators, Jourova said. The commission plans to publish proposals in April 2018, she said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
