GDPR: Could an Uber reporting failure trigger a 6% fine plus $148 million?

The EU GDPR (General Data Protection Regulation) issues administrative fines for non-compliance. The higher-tier fine is up to 4% of an organization’s global turnover or €20 million (about $24 million), whichever is greater.

Although they differ in content, all 50 U.S. states have data breach reporting rules in place. Uber has recently been fined $148 million for failing to report a data breach.

What would have happened if Uber’s breach had been more recent, and had involved EU residents’ personal data? It would certainly have reached the media much sooner, as data subjects can initiate actions under the GDPR.

If Uber had kept it a secret, the eventual fine would have been an aggregate of 2% for failing to report it, plus 4% because the level of negligence that allowed the breach was perhaps extreme.

Supervisory authorities state that all aspects of a breach will be treated on an aggregated basis and only one fine – to the maximum allowed under the GDPR – will be levied, but there is a clear argument that the two issues – the breach and the non-reporting – are separate failures, which (in order for the fine to be ‘proportionate and dissuasive’) should each be treated on their respective (de)merits and that the appropriate fine would therefore be 6%.

The future is interesting. Breach-readiness is going to be a critical business capability.