02 Sep Uber signs non-prosecution agreement for data leakage
By Fabio Vieira and Gabriela Tchalian
In October 2016, technology company Uber Technologies Inc. (“Uber”) suffered a hacker attack in which the personal data of 57 (fifty-seven) million users was leaked. Of that total, 50 (fifty) million of those affected were customers and the remaining were drivers.
The issue is that the incident was only revealed to the public and authorities by the company on November 21, 2017.
In addition, Uber chose to pay the hackers US$ 100,000 (one hundred thousand dollars), via cryptocurrency, for their silence and non-use of the data accessed.
As a result, the federal courts of California and San Francisco (United States) filed their respective class action lawsuits against the company.
In such proceedings, it was claimed that Uber had acted negligently, not following reasonable standards of care and without the necessary administrative and technical safeguards.
At the time, Uber CEO Mr. Dara Khosrowshahi, who had been in the position for only a few months, confirmed the fact in a statement and said that it “should not have happened.”
The specific nationality of all affected users was not disclosed. However, the leak included personal data of more than 150 (one hundred and fifty) thousand Brazilian citizens.
Brazilians were notified of the leakage through e-mails sent in 2018. In the message, Uber apologized to its users and reported that the leaked data included name, e-mail, cell phone and internal identification codes, none of which would now be classified as sensitive personal data. It added that ‘outside experts have identified no indication of downloading of travel location histories, credit card numbers, bank account numbers or dates of birth’.
There are reports that some driver’s license numbers were also leaked, although this category of data did not include Brazilian users.
It is worth remembering that the General Data Protection Law (“LGPD”) entered into force in Brazil only in 2020, more than three (3) years after the incident. Still, the company was investigated by the Personal Data Protection Commission of the Public Prosecutor’s Office of the Federal District and Territories (“Commission”).
The investigation was concluded through an agreement between Uber and the Commission signed on April 4, 2018. Although the agreement was not fully disclosed by the media, one of its requirements was that Uber notify the Brazilian data subjects whose data had been affected by the leak. The e-mail sent by Uber, mentioned above, satisfied that requirement.
The leakage and subsequent conduct of the company also led to the payment of fines in France, the Netherlands and the United Kingdom, in addition to all the states of the United States.
On July 22, 2022, nearly six (6) years after the leakage, Uber signed an agreement with U.S. prosecutors, accepting responsibility for covering up the leak.
Under the agreement, Uber (i) admitted that it had not notified the Federal Trade Commission (“FTC”); (ii) agreed to cooperate with the indictment against its former director of security, accused in 2020 of concealing the leakage and paying the attackers for their silence; and (iii) agreed to maintain the privacy program signed with the FTC in 2018 for a period of 20 (twenty) years.
In return, Uber will not be criminally charged for covering up the leakage.
Despite being one of the current technological giants and having presented an innovative service, the company suffered a reputational shock.
Uber’s case also recalls the recent restriction imposed on ride-hailing app Didi, the most popular of its kind in China.
The Didi app was banned from registering new users for nearly a year due to data protection breaches, after being evaluated by the Cyberspace Administration of China, on the grounds that it was inappropriately collecting and using users’ personal data.
A similar sanction – suspension of activities or a ban on attracting new users – would not be unthinkable in Brazil if a violation like Uber’s were repeated. This is because article 52, XI and XII, of the LGPD includes among the potential sanctions the suspension of the processing activity related to the infringement for up to 6 (six) months, extendable for an equal period, and the prohibition of exercising activities related to data processing.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados in relation to the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.