Uber decided to double-down in its race to the moral bottom. Not content with spying on customers, misleading regulators, employing sex-pests and generally having a toxic corporate culture, the taxi-subsidy service tried to conceal a hack that breached the personal details of more than 57m people, including drivers as well as riders.
Much is being made in the press of how big the fine for the breach could have been, if only it had happened after the 25th of May 2018, GDPR day. Up to 4% of global turnover, or €20m, whichever is the larger. Woo. They’ll probably get a substantial fine in the US anyway, since breach disclosure is already a legal requirement across the pond. Double-woo. They’ve just raised $10bn from Softbank. They don’t care.
Tell you what, though. After May next year, the ICO could make them care. It’s a Michael Caine moment: not a lot of people know this. Article 58, paragraph 2, section f. Oh yes. The regulator’s powers include the ability to “impose a temporary or definitive limitation, including a ban on processing.”
In other words, if you don’t comply, the ICO can shut you down. That should get anyone’s attention.