Question for written answer (Priority)
to the Commission
Rule 130
Alfred Sant (S&D)

P-007169-17

Subject: Commission action on Uber’s EU data breach
In October 2016, Uber experienced a massive data breach that included the personal information of 57 million consumers and drivers across the globe, including EU citizens. According to recent news, instead of notifying the authorities or the individuals affected, Uber paid the hackers responsible for the original breach $100,000 to delete the data and cover up the breach in security. In light of the EU legislation on measures applicable to the notification of personal data breaches as well as on privacy and electronic communications, Uber’s year-long cover-up is highly questionable. This regulation specifies that when the breach of data can adversely affect the personal privacy of individuals, providers shall notify the individuals and this notification should be made no later than 24 hours after its detection.
· What is the Commission’s view of practices which enable a company active in the digital and sharing economy to experience a data breach without informing clients or the relevant national authorities?
· Does the Commission have any information on the impact this breach has had on consumers, and if so, does it plan to take formal action for the violation of EU legislation?