Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Uber fined £385,000 in the UK and €600,000 in the Netherlands


Uber US and Uber Netherlands were considered to be joint controllers which made them both separately liable for claims of customers of Uber. Uber was fined after a 'serious breach' allowing hackers to download worldwide 54 million customer data.

Full names, email addresses and phone numbers were obtained during the October and November 2016 cyberattacks but Uber did not inform customers or drivers for more than a year. Instead, it paid the attackers $100,000 (£78,000/€88,00) to destroy the information that had been downloaded.

After an investigation by the supervisory authorities of  Belgium, Germany, France, Italy,  Spain, UK and the Netherlands, of which the Dutch Supervisory Authority was in charge, Uber has been fined £385,000 in the UK and €600,000 in the Netherlands because of “a series of avoidable data security flaws” allowing hackers to download personal information of 2.7 million customers in the UK and 174,000 in the Netherlands, worldwide the total amounted to 54 million customers. 

The Information Commissioner’s Office (ICO) and the Dutch Supervisory Authority found Uber guilty of a “serious breach” of UK data protection law and found that Uber had shown a “complete disregard” for the customers and drivers whose information was stolen.

The security breach potentially exposed users of Uber’s app to an increased risk of fraud, both the ICO and Dutch Supervisory Authority said in their rulings of 26 November 2018.

Uber’s failure to report the leak was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen, according to the supervisory authorities in both countries.

At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support.

That left the customers and drivers vulnerable. Paying the attackers and then keeping quiet about it afterwards was not, in the ICO’s view, an appropriate response to a cyberattack.

Under the laws the Netherlands and the laws of some otherEuropean countries as these were in place at the time, Uber would also have had the duty to report these data breaches and face the consequences. However, now that the General Data Protection Regulation (GDPR) came into force on 25 May this year, the breach was subject to a significantly higher penalty.

Companies found guilty of a breach under the GDPR are liable to fines of up to €20 million or 4 per cent of their global turnover, which could amount to billions of euros for the largest technology companies. The actual fines imposed on Uber are peanuts in this respect, especially in the light of Uber having paid $ 148 million dollars in de US to settle claims for damages with US customers.

For lawyers it was interesting to see that Uber US and Uber Netherlands were considered to be joint controllers which made them both separately liable for claims of the data subjects, in this case customers of Uber.


Article provided by: Bob Cordemeyer (Cordemeyer & Slager / advocaten – CS Law, The Netherlands)


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.