Uber Fined for 2016 Data Breach
In 2016 Uber fell victim to a breach affecting 57 million of its users worldwide. Since some of the affected users were residents of the UK and the Netherlands, authorities in these countries began investigating the leak and Uber’s behavior in connection with it. Since the EU-wide GDPR rules covering just such cases were only ratified in 2018, these investigations took place under the legal frameworks of the respective countries.
As a result, Uber was found to have acted carelessly with user data and fined GBP 385,000 in the UK and EUR 600,000 in the Netherlands.
What will the effects be?
This particular fine will have little effect on Uber as it is minuscule when compared to the company’s revenues. However, the fine sets a precedent for breaches happening in the future. The practice of regulators fining companies for data breaches is relatively recent. Until the early 2010s, data breaches were seen as something to be merely regretted. While public and legal opinion on the severity of breaches has since changed, we still see relatively few actual fines being issued by regulators and other governing bodies.
The EU’s new GDPR legislation, however, makes fines much more potent, allowing regulators to impose fines of up to EUR 17 million or 4% of the company’s revenue. Fines in this range have a much higher potential to impact the overall earnings of large companies and thus exert pressure on the board of directors. After all, large fines are likely to impact share prices, which will cause quick action by shareholders.
By establishing precedent in cases that occurred before the GDPR was enacted, governments are laying the groundwork to impose such high fines in future cases.
While we don’t believe the current fine will have a significant impact on Uber, the proceedings are nonetheless important as they set a precedent that will likely have a significant impact on the implementation of fines under GDPR rules.