Uber has been fined £385,000 by the Information Commissioner's Office (ICO) for contravening data protection principle 7 of the Data Protection Act 1998 (DPA). The ICO issued a single monetary penalty notice to five Uber entities: (i) Uber London Limited; (ii) Uber Britannia Limited; (iii) Uber Scot Limited; (iv) Uber NIR Limited; and (v) Uber BV (based in the Netherlands).
In October and November 2016, a cyber-attack on a cloud-based storage system operated by Uber Technologies Inc. (Uber US) allowed the attackers to access and download personal data belonging to 2.7 million UK Uber customers and almost 82,000 UK Uber drivers.
The individuals affected by the data breach were not informed of the incident for more than a year after the attack. Instead, Uber was found to have paid the cyber-attackers $100,000 to destroy the personal data that had been downloaded from the cloud-based storage system.
In considering the large-scale data breach, the ICO leant heavily on the requirements of data protection principle 7 of the DPA, which states the following:
“(7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The ICO determined that Uber US, acting as a processor on behalf of Uber, had adopted inadequate measures to secure the personal data of Uber's customers and drivers. The ICO paid particular attention to Uber's decision to pay the cyber-attackers rather than report the breach, noting Uber's "complete disregard" for its customers and drivers and its failure to offer them any help or support. Uber was found to have contravened principle 7, and the conditions for the ICO to issue a monetary penalty under the DPA were met.
Autoriteit Persoonsgegevens, the data protection authority for the Netherlands, has also fined Uber under its relevant pre-GDPR legislation following an examination of the impact of the data breach in its own jurisdiction.
It is important to note that Uber's data breach occurred before the General Data Protection Regulation (EU) 2016/679 (GDPR) came into force, so the investigation was conducted under the rules of the DPA. The maximum financial penalty under the DPA was £500,000, a far lower ceiling than the GDPR now provides: under the GDPR, the ICO can impose penalties of up to €20,000,000 or 4% of annual global turnover, whichever is higher.