Penalty against Uber (FR)

Penalty against Uber (FR)

In the fall of 2016, data was stolen from about 57 million customers, including about 1.4 million French people. Uber concealed this incident and paid the attackers $100,000.00, for the assurance that the data would be deleted. The French data protection authority CNIL imposed a fine of €400,000 on the Group as a result of the incident. French data protection law stipulates that data protection breaches must be reported to the competent supervisory authority within 72 hours. This provision is also found in Article 33 (1) of the GDPR. Uber has deliberately ignored this reporting obligation.

The incident occurred before the GDPR came into force, so the fine was imposed under the French Data Protection Act, which provides for a maximum fine of three million euros. As a result of this incident, the UK also fined the company £500,000, which was the maximum penalty under the UK Data Protection Act at the time.

Entscheidungsdatum:
19.12.2018

Land:
France

Art des Verstoßes:
Theft of Data

Betroffene Datensätze:
1 400 000

Waren sensible Daten betroffen?:
No

verhängte Geldstrafe:
€ 400,000,-

Quelle:
Communication from the French data protection authority CNIL (French)