Following last week’s revelations of Uber’s personal data breach and its cover-up, we look at what the supervisory authority, which in the UK is the Information Commissioner’s Office (ICO), would consider when deciding the level of fines and/or sanctions if the GDPR were already in effect.
Under the GDPR the ICO would look to Article 83(2), which spells out the conditions under which fines can be imposed and gives a guide as to how large they should be. Below we take each point and apply it to what we know about Uber’s case:
a. The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.
It is not clear how long it took to steal the personal data; however, the fact that the breach was concealed for over a year and that the number of data subjects affected exceeds 57 million people in multiple countries, including the UK, means that this breach will be viewed very seriously by the authorities. Uber’s assertion that no damage has been done to the people affected, because Uber paid the hackers to delete the personal data before it was used maliciously, does not mitigate the seriousness of the incident. Additionally, the authorities might view the delay in reporting the incident as an aggravating factor when deciding on sanctions and fines.
b. The intentional or negligent character of the infringement.
It is unlikely there was an intentional infringement, but whether there was negligence is conjecture at the moment, so we shall have to leave this clause until we know more.
c. Any action taken by the controller to mitigate the damage suffered by data subjects.
On the one hand, you could argue that Uber acted to ensure that the personal data went no further than the hackers by paying them to delete it – and let’s hope that they did actually delete it. On the other hand, paying the hackers to delete the data (one could call it a ransom, in a way) and then trying to claim that Uber had commissioned the hackers to test its security is not so ethical. So in fact these actions may constitute an aggravating factor when deciding on sanctions and fines.
d. The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32.
Article 25 deals with Data Protection by Design and Default and Article 32 deals with the Security of Processing. Data Protection by Design and Default is an important principle that is new to the GDPR compared with previous data protection regulations. It states that data protection must be considered at the very beginning of the design of any new process, or the introduction of new technology. By doing this, data protection is ‘baked in’ to the process and therefore at its very heart – if something is bolted on afterwards, it can easily be bolted off again! Only an investigation will reveal whether Uber considered data protection by design and default when designing its processes and systems. Clearly Uber’s information security wasn’t up to the capabilities of the hackers. According to media reports, the two hackers were able to access a private area of GitHub, an online resource for developers. From there it is understood they found Uber’s log-in credentials for Amazon Web Services. It is reasonable to assume that Uber has fallen short against both Article 25 and Article 32.
e. Any relevant previous infringements by the controller or processor.
Uber has been fined $20,000 for a previous breach. If the circumstances of this breach are similar to the last one, then it proves that the organisation cannot learn from its mistakes, and therefore the fine imposed this time will be higher. Even so, the very fact that Uber has had incidents in the past may be seen as an aggravating factor.
f. The degree of cooperation with the supervisory authority.
Although Uber has now reported this to the supervisory authorities, it had concealed the breach for over a year, so any goodwill earned by self-reporting has probably been outweighed by the concealment.
g. The categories of personal data affected by the infringement.
For drivers, not only were names, email addresses and phone numbers stolen, but also driving licence details. In many countries the driving licence is a critical document providing proof of identity and/or address, so a store of these could be a valuable inventory for the hackers to sell. For customers it appears that names, email addresses and telephone numbers were taken. In terms of the risk profile of personal data, the customer data sets are at the lower end; however, they are the building blocks for stealing someone’s identity, committing other fraud, or attempting to break into the data subjects’ online accounts to commit any manner of crimes.
h. The manner in which the infringement became known to the supervisory authority, and whether the controller notified the authority.
As noted above, Uber finally confessed to the breach, but only after it had hidden the fact for over a year. It is unlikely to receive favourable treatment just because it finally confessed.
i. Where measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures.
It is not known whether any supervisory authority has placed orders on Uber for past breaches or near misses.
j. Adherence to approved codes of conduct.
Currently there are no codes of conduct covering personal data protection in the taxi industry.
k. Any other aggravating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly from the infringement.
It is quite possible to argue that Uber covered up the breach in order to avoid a fine or other penalty. It is probable that the concealment will be considered an aggravating factor.
Looking at the relevant sections of Article 83 above, it is very clear that Uber has breached many of them. Therefore the ICO would have a case for levying a large fine under the GDPR. However, it may well be that the ICO can only levy a fine under the Data Protection Act 1998, the maximum being £500,000. Indeed, the reason that Uber has suddenly confessed to this breach might be that it was afraid that if the breach were discovered once the GDPR is in force, i.e. after 25th May 2018, the fines would be considerably higher. In 2016 Uber’s turnover was $6.5bn, so if the GDPR were in effect and it were fined 4% of its global turnover, it would cost Uber a whopping $260m! Whatever fines and sanctions Uber faces, it will be interesting to see whether customers will still trust the company enough to continue using it.