Punishment against Uber (FR)
In the fall of 2016, data from approximately 57 million customers were stolen, including about 1.4 million Frenchmen. Uber concealed this incident and paid the attackers $ 100,000, – for assurances that the data will be deleted. The French data protection agency CNIL imposed a fine of € 400,000 on the company due to the incident. The French Data Protection Act states that data breaches must be reported to the relevant regulatory authority within 72 hours. This rule can also be found in the GDPR. Uber consciously ignored this obligation.
The incident occurred before the entry into force of the GDPR, so the fine was imposed under the French Data Protection Act, which provides for a maximum fine of three million euros. As a result of this incident, the UK also imposed a fine of £ 500,000 on the company, which was the maximum penalty under the then UK Data Protection Act.
Type of Issue:
Theft of Data
Number of involved data records:
1 400 000
Special category of data involved:
Violation of GDPR Paragraph: