{"id":1848,"date":"2019-01-14T15:29:14","date_gmt":"2019-01-14T15:29:14","guid":{"rendered":"https:\/\/www.calligo.io\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/"},"modified":"2024-01-18T14:44:56","modified_gmt":"2024-01-18T14:44:56","slug":"what-the-uber-fines-teach-us-about-local-data-privacy-enforcement","status":"publish","type":"post","link":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/","title":{"rendered":"What the Uber fines teach us about local data privacy enforcement"},"content":{"rendered":"\n<p>Data Privacy News: What&#8217;s in a name? What the Uber fines teach us about local data privacy enforcement<\/p>\n\n\n\n<p>The Uber data breach of 2016 is creating quite the ripple effect.<\/p>\n\n\n\n<p>Most obviously, the hack\u2019s revelation, and the media furore that accompanied it, caused numerous boards and management teams to ask the dreaded question of their data security teams, \u201cCould this happen to us?\u201d And many answers will have been sheepishly and concerningly in the affirmative.<\/p>\n\n\n\n<p>But the ramifications go far beyond the reignited cybersecurity question. 
The breach has also highlighted an interesting legal point \u2013 and one that is often overlooked.<\/p>\n\n\n\n<p><strong>Uber 2016 data breach timeline &#8211; edited highlights<\/strong><\/p>\n\n\n\n<p>October and November 2016\u00a0\u2013 Uber is hacked through a vulnerability in GitHub (an online resource for developers) which led the hackers to Uber\u2019s AWS login credentials. 57 million customers\u2019 and drivers\u2019 names, email addresses and mobile phone numbers are exposed, along with the driving licence and journey details for the 600,000 drivers affected. Uber conceals the hack and pays the hackers $100,000 to delete the data.<br>November 2017\u00a0\u2013 breach is\u00a0revealed by Bloomberg\u00a0and confirmed by Uber. Joe Sullivan, Chief Security Officer, and one of his deputies are fired for their roles in the cover-up, which was also known about by the then CEO, Travis Kalanick. Dara Khosrowshahi, who had taken over as Chief Executive Officer in the previous September,\u00a0pledges transparency for the future.<br>May 2018\u00a0\u2013 GDPR comes into force, meaning the breach can only be penalised under pre-existing data protection laws, not GDPR.<br>July 2018\u00a0\u2013 Uber announces former Intel chief privacy and security counsel Ruby Zefo as Uber\u2019s first Chief Privacy Officer and TomTom\u2019s ex-VP for Privacy Security, Simon Hania, joins Uber as its first\u00a0DPO.<br>September 2018\u00a0\u2013 US court fines Uber $148m as part of a legal settlement, avoiding a public court case in an action brought by 50 US states and the District of Columbia.<br>November 2018\u00a0\u2013 British and Dutch regulators impose fines on Uber of \u00a3385,000 ($490,760) and \u20ac600,000 ($678,780) respectively. 
Uber said in a statement, \u201cWe\u2019re pleased to close this chapter on the data incident from 2016.\u201d<br>December 2018\u00a0\u2013 the French Data Protection Authority fines Uber \u20ac400,000 ($460,000).<\/p>\n\n\n\n<p>The events of November and December of last year are signalling a very interesting pattern that data privacy professionals need to take careful note of.<\/p>\n\n\n\n<p>The Dutch regulator, the&nbsp;Autoriteit Persoonsgegevens,&nbsp;has ostensibly taken the lead on this case on behalf of all of Europe, on the basis that Uber\u2019s European presence is headquartered in the Netherlands.<\/p>\n\n\n\n<p>However, it is the way that the UK Information Commissioner\u2019s Office (ICO) and the French&nbsp;Commission Nationale de l\u2019Informatique et des Libert\u00e9s&nbsp;(CNIL) have acted that has sparked the most interest. Not only have they fined the Dutch HQ for the impact of the breach on their own respective citizens, but they have also taken the additional step of fining the local entities separately.<\/p>\n\n\n\n<p><strong>Why is this important?<\/strong><\/p>\n\n\n\n<p>Because Uber tried to prevent exactly this happening with its carefully worded intra-company agreements. In these documents, each of its local corporate entities was named as a mere \u201cprocessor\u201d of personal data, not a \u201ccontroller\u201d, meaning under pre-GDPR legislation, they could not be held ultimately liable, nor fined.<\/p>\n\n\n\n<p>But the French and British regulators disagreed. They ruled that the deciding factor was not how the corporate entity was named or considered by Uber\u2019s internal privacy structure, but how they acted in practice. 
And because they performed the role of a local data controller, they could be held responsible for their part in the local infringements (such as not reporting the breach to the relevant regulators within 72 hours), just as the European headquarters could be fined for its role in the wider offences (such as failing to identify and rectify the vulnerability itself).<\/p>\n\n\n\n<p>In other words, role-based liability comes down to how you act, not what you call yourself.<\/p>\n\n\n\n<p>Lawyers will not find this ruling surprising at all. This is a standard tenet of common law.<\/p>\n\n\n\n<p>However, many privacy professionals are not necessarily so experienced in the way the law works. Those companies whose privacy teams are experts in technology, security and policy, and not law, may overlook the need to ensure that the way their local offices operate reflects what the privacy structure expects, creating legal vulnerabilities in the process.<\/p>\n\n\n\n<p>This is presumably exactly what has happened to Uber. Rather than their legal and privacy team trying to pull off a ruse based on a technicality, it appears that there is a clear mismatch between what the privacy structure anticipated of the local entities\u2019 roles and how they acted in reality.<\/p>\n\n\n\n<p>As we have said in these Data Privacy news blogs many times before, data privacy is a multi-faceted discipline, and far more complex in practice than many realise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Uber data breach of 2016 created quite a ripple effect. 
What data breach teaches us about local data privacy enforcement<\/p>\n","protected":false},"author":33,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[142,140,141,121],"tags":[],"post_format_type":[40],"class_list":["post-1848","post","type-post","status-publish","format-standard","hentry","category-data-governance","category-data-privacy-glossary","category-data-protection","category-glossary"],"acf":[],"yoast_head_json":{"title":"What the Uber fines teach us about local data privacy enforcement | Calligo","description":"The Uber data breach of 2016 created quite a ripple effect. 
What data breach teaches us about local data privacy enforcement","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/","og_locale":"en_GB","og_type":"article","og_title":"What the Uber fines teach us about local data privacy enforcement | Calligo","og_description":"The Uber data breach of 2016 created quite a ripple effect. What data breach teaches us about local data privacy enforcement","og_url":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/","og_site_name":"Calligo","article_published_time":"2019-01-14T15:29:14+00:00","article_modified_time":"2024-01-18T14:44:56+00:00","author":"Brendan Walsh","twitter_card":"summary_large_image","twitter_creator":"@calligocloud","twitter_site":"@calligocloud","twitter_misc":{"Written by":"Brendan Walsh","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/#article","isPartOf":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/"},"author":{"name":"Brendan Walsh","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f"},"headline":"What the Uber fines teach us about local data privacy enforcement","datePublished":"2019-01-14T15:29:14+00:00","dateModified":"2024-01-18T14:44:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/"},"wordCount":879,"commentCount":0,"publisher":{"@id":"https:\/\/www.calligo.io\/#organization"},"articleSection":["Data 
Governance","Data Privacy","Data Protection","Glossary"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/","url":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/","name":"What the Uber fines teach us about local data privacy enforcement | Calligo","isPartOf":{"@id":"https:\/\/www.calligo.io\/#website"},"datePublished":"2019-01-14T15:29:14+00:00","dateModified":"2024-01-18T14:44:56+00:00","description":"The Uber data breach of 2016 created quite a ripple effect. What data breach teaches us about local data privacy enforcement","breadcrumb":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.calligo.io\/insights\/glossary\/what-the-uber-fines-teach-us-about-local-data-privacy-enforcement\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.calligo.io\/"},{"@type":"ListItem","position":2,"name":"What the Uber fines teach us about local data privacy enforcement"}]},{"@type":"WebSite","@id":"https:\/\/www.calligo.io\/#website","url":"https:\/\/www.calligo.io\/","name":"Calligo","description":"Building value through 
data","publisher":{"@id":"https:\/\/www.calligo.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.calligo.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/www.calligo.io\/#organization","name":"Calligo","url":"https:\/\/www.calligo.io\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/","url":"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg","contentUrl":"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg","width":1200,"height":630,"caption":"Calligo"},"image":{"@id":"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/calligocloud","https:\/\/www.linkedin.com\/company\/calligo-limited\/"]},{"@type":"Person","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f","name":"Brendan Walsh","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g","caption":"Brendan 
Walsh"}}]}},"_links":{"self":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts\/1848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/users\/33"}],"replies":[{"embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/comments?post=1848"}],"version-history":[{"count":0,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts\/1848\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/media?parent=1848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/categories?post=1848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/tags?post=1848"},{"taxonomy":"post_format_type","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/post_format_type?post=1848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}