On 21 November 2017, it was reported that Uber had suffered a hack resulting in unauthorised access to personal data relating to around 50m customers and 7m drivers. Notwithstanding the regular stream of data breaches hitting the news, this incident was particularly notable for two reasons:
- the actual breach took place in October 2016 and was not made public by Uber or disclosed to regulators until over a year later; and
- Uber reportedly paid the hackers a $100,000 ransom to delete the data.
The incident provides a useful reminder of the current laws and imminent changes relating to data breaches.
The current regime
An organisation suffering a data breach (which may involve loss, theft or unauthorised access to personal data, including through malicious acts such as hacking) may face questions as to its compliance with the Data Protection Act 1998 (DPA). The breach may have arisen from a failure to take appropriate technical and organisational measures to protect personal data, as required by the seventh data protection principle. This article focuses on the legal obligations surrounding data breach notifications.
The DPA does not contain any general mandatory requirement to notify regulators or data subjects in the event of a data breach. Nonetheless, the Information Commissioner's Office (ICO), the UK data protection regulator, has published guidance setting out its expectations relating to notifications. The guidance makes it clear that the ICO expects to be notified of serious breaches, with the overriding factor being the potential harm to data subjects.
This regime leaves a great deal of discretion to data controllers. However, the ICO has stated that deliberately concealing a breach from the regulator is a factor that could result in a higher fine being imposed if non-compliance with the DPA is found.
Separate mandatory notification obligations are placed on providers of public electronic communications services under the Privacy and Electronic Communications (EC Directive) Regulations 2003, which require them to notify the regulator, and in certain circumstances the affected data subjects, of data breaches. These obligations do not, however, apply to data controllers generally.
It is not clear whether any of the data accessed in the Uber breach related to UK data subjects and thus whether the DPA was applicable. Uber has, however, acknowledged that it was under a legal obligation to notify regulators (which it failed to do), and the ICO has announced that it is investigating.
Data breach notifications under the GDPR
The General Data Protection Regulation (GDPR) will apply from 25 May 2018 and will apply to UK businesses notwithstanding Brexit. It makes significant changes to the data breach notification regime.
Notification to the regulator will become mandatory for data controllers, subject to a limited exception where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must be made without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of the breach. There is a separate obligation on data processors to notify the relevant data controller without undue delay after becoming aware of a breach.
There are also notification obligations in respect of the affected data subjects. Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, the data controller must notify them without undue delay unless an exemption applies. The exemptions cover cases where appropriate technical and organisational protection measures (such as encryption) had been applied to the affected data, where subsequent measures have been taken so that the high risk is no longer likely to materialise, or where individual notification would involve disproportionate effort (in which case a public communication is required instead). In addition, the controller must document all data breaches in an internal record.
Under the GDPR regime (and the current DPA requirements), effective data breach policies and procedures form part of the appropriate technical and organisational measures required to protect personal data. Such policies should include escalation of serious breaches to senior management, a measure that appears not to have been followed at the time of the Uber data breach.
Fines for non-compliance with these notification obligations under the GDPR will be a maximum of the higher of €10m or 2% of total worldwide annual turnover. This significantly increases the potential fines from the current DPA regime, under which the maximum penalty is £500,000.
Whilst it is not clear whether Uber in fact breached the DPA in this instance, the case highlights the need for robust data breach management policies and for ensuring that those policies are properly implemented. As regards paying a ransom to hackers, such a step may limit the consequences of a data breach, although a payment gives the organisation no means of verifying that the data has in fact been deleted. The negative publicity surrounding the Uber breach also demonstrates just one of the potential consequences of dealing with a data breach in this manner.
The requirements relating to data breach notifications under the GDPR are far more prescriptive, and the potential consequences of non-compliance more serious. Review of breach management policies will need to form part of GDPR preparations.