Among the GDPR’s most headline-grabbing provisions are the significantly increased administrative fines. There is also the requirement that the relevant supervisory authority must be advised of personal data breaches by data controllers “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (GDPR article 33 sec. 1).
The Bloomberg news agency recently reported that the controversial ride-sharing company Uber was aware of a significant breach of data in 2016, when it is alleged to have paid hackers US $100,000 to delete the personal data they had acquired of some 57 million customers (and self-employed drivers). The information was obtained by the hackers when they penetrated Uber’s cyber-defences, but Uber cannot avoid blame if it failed to take adequate steps to ensure that the data was protected from exposure in the first place. It is a possible indicator of perceived liability that Uber’s chief security officer has now resigned from the company.
The GDPR does not always receive good publicity from businesses on account of the perceived need to deploy significant resources to achieve compliance. However, Uber’s breach underlines the fact that article 33 is needed. The tougher regime on data breaches will be welcomed by the public at large.
Uber’s conduct is understood to be presently under discussion by the EU data protection authorities.
Under current data protection legislation, the relevant supervisory authority should be notified of any significant breach of data. Uber has already been fined for failing to disclose another breach of data that took place in 2014 (the €20,000 penalty for that was derisory). Further action in connection with the 2016 breach is likely before the GDPR becomes law.
When the GDPR is in force, it is likely that the cover-up of a serious breach of data of this nature will incur a heavy administrative fine. The potential maximum could be £10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR article 83 sec. 4(a)). Supervisory authorities may want to demonstrate the impact of the GDPR by levying significant fines on prominent organisations such as Uber. If Uber once again exposes itself to a significant breach of data after 24th May, 2018 (the GDPR implementation date), and fails to disclose it quickly enough, it may be fined both for the lack of adequate data security measures and for any cover-up. It would also have to disclose the breach to any of its customers who are affected. In addition to the other controversies Uber has recently faced, the combined effect of a serious monetary penalty and the bad public relations that would follow anyway may have a significant impact on the company’s viability.
Author:
Laurie Heizler, Of Counsel, Barlow Robbins LLP, LaurieHeizler@barlowrobbins.com