Author: Valdemaras Kovalevskis, lawyer and attorney assistant at METIDA
- How do data leak scandals damage the reputation of large companies?
- If you failed to protect personal data, inform the supervisory authority
- A negligent attitude leads to huge fines
At the end of 2017 Uber revealed that it had failed to report the leak of data including the names, e-mail addresses and mobile phone numbers of 50 million clients and 7 million drivers which occurred in October 2016. In addition to the names, e-mail addresses and mobile phone numbers, the hackers also stole the license details of roughly 600,000 drivers. The company concealed the hack not only from the supervisory authorities but from the users as well.
Moreover, it was revealed that Uber paid the hackers $100,000 to destroy the data and to ‘confirm’ the data had been destroyed.
It was not the first data theft in the history of Uber. In early 2017 Uber was fined $20,000 for failing to disclose a considerably less serious personal data breach to the supervisory authority. Uber did not learn from its mistakes and stepped on the same rake a second time.
The General Data Protection Regulation sets out the cases in which personal data breaches must be reported not only to the supervisory authority but also to the individuals whose data has been processed.
When do we need to report a breach of data protection to the supervisory authority?
A personal data breach is understood in a rather broad sense. It covers any breach of security that leads to personal data being accidentally or unlawfully destroyed, lost, altered or disclosed without authorisation, whether the data is being transmitted, stored or otherwise processed. Unauthorised access to the data being processed is also considered a personal data breach.
The General Data Protection Regulation obliges the controller to report nearly every personal data breach to the supervisory authority (in Lithuania, the State Data Protection Inspectorate). The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of natural persons. The breach must be reported to the supervisory authority without undue delay and not later than 72 hours after the controller becomes aware of it.
When does the data subject have to be informed about the breach of data protection?
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also inform the data subject without undue delay. ‘High’ is obviously an evaluative concept, and the Regulation does not provide a list of cases in which the risk is considered high, so the controller retains a degree of discretion, albeit limited, in deciding what constitutes a high risk.
It can be assumed that the data subject will have to be informed about the breach when personal data of special categories, e.g. genetic, biometric or health-related data, are lost. A high risk may also be present where the breach could cause financial loss to a natural person.
Failure to report a breach of data protection is subject to a fine
The General Data Protection Regulation provides that a controller's failure to comply with the obligation to report a personal data breach is subject to a fine of up to 10 million euro or, in the case of a company, up to 2% of its total worldwide turnover for the preceding financial year.
The case of Uber is a clear lesson that personal data breaches should not be hidden from the supervisory authority, as concealing the fact can cause even more damage. In any case, if a breach occurs, one should not pay the hackers any ‘ransom’ or ‘silence’ fee, because once the breach comes to light, the controller not only faces a larger fine from the supervisory authority but also loses the money paid to the blackmailers. The losses are therefore greater than they would otherwise have been, and the reputational damage is even worse, because it becomes evident that the controller is not capable of properly assessing the risks related to the protection of personal data and does not pay enough attention to data protection.