Uber hack throws light on GDPR powers

While your personal data might not be safe in Uber's hands (or steering wheel), users can seek solace in the emerging power of the new data protection rules, writes Jonathan Neumann

Uber has spent the last several years living up to its name. The most successful of Silicon Valley unicorns, the taxi app enjoys worldwide name recognition and popularity. But it has also been beset by hugely damaging sexual harassment claims and multiple executive resignations and dismissals, and has been challenged or banned in several European countries – including Italy, Denmark, Hungary and Bulgaria – as well as in China, Taiwan and elsewhere.

In the UK, Uber is mounting legal battles on at least two fronts: appealing its licence withdrawal in London and also a decision by an employment tribunal that its drivers are not contractors but workers (and are therefore entitled to additional rights and protections). Meanwhile, the EU’s highest court is deliberating over whether Uber is a transport company or a digital platform – and therefore how to regulate it. There’s more than one reason gig companies are called disruptors.

But Uber has most recently been diminished by yet another scandal – one that actually happened a while ago and that was only made public in November. In October 2016, a 20-year-old living at home with his mother hacked the tech giant and stole the personal data of 57 million users, including 600,000 drivers in the United States. He then dropped Uber an email to let them know.

Rather than call the cops, alert the attorney general, and tell its drivers and customers about the hack, Uber reportedly decided to pay the ransom, and do what it could to ensure the stolen data would not be used.

So how can consumers of products like Uber’s comfort themselves that their personal data is secure?

The European Union thinks it has an answer. The General Data Protection Regulation, or GDPR, is coming into force in the UK and across the EU on 25 May 2018 (and will survive Brexit). The GDPR strengthens existing data protection law – including by codifying the so-called 'right to be forgotten'.

Obligations of data security and notification of breaches are also bolstered by the GDPR. This is relevant not only to ordinary users of Uber or consumers of legal and financial services, but also, for instance, to HNWs who have to disclose beneficial ownership information under money laundering rules and who want that data to remain confidential.

A personal data breach is not only a breach that leads to the disclosure of, or access to, personal data by someone not authorised to have it; it also covers a breach that leads to the loss of access to, the destruction of, or the alteration of that data.

Those holding or using your data will have to notify their industry’s supervisory authority of the data breach, and must also notify you if the breach is 'likely to result in a high risk to the rights and freedoms' of the subject of the data (which is you!). What exactly 'high risk' means – and what (confusingly) makes a high risk 'likely' – are not totally clear as yet.

But the gargantuan fines the GDPR imposes on those who do not comply with its provisions (in some cases up to 4 per cent of a company’s global turnover), together with the invitation to subjects of a data breach to sue for material and even non-material damage, will cause those holding and using your data to tread (or drive) a lot more carefully.

Whether or not the GDPR has struck the right balance between protecting consumers and overburdening service providers remains to be seen. But soon you’ll be able to order a cab with the confidence that your data has some powerful friends.

Jonathan Neumann works at boutique private wealth law firm Maurice Turnor Gardner LLP