
INTERNATIONAL SCIENTIFIC JOURNAL

Scientific article
005.331:004]:342.738

CONTEMPORARY CRISES: CASE STUDY OF UBER


Karlo PALJUG1
Robert MIKAC2

Abstract: Doing business in the digital world and providing services via digital technologies have become a part of everyday life and a condition of progress. Many companies operating in this area, such as Uber, have experienced global expansion, great growth and brand recognition due to their excellent idea. In addition to success, they also face crises that jeopardize their business, customers’ privacy, as well as the company’s value. Uber has faced several very serious crises during its short history, so the purpose of this research is of a twofold nature: first, to analyze how the company acted during crises; second, to show the area of regulations such as the General Data Protection Regulation, in order to minimize potential as well as actual crises in the digital world. The aim of the research is to analyze Uber’s behaviour in crisis, to detect a number of publicly available indicators on how to deal with and resolve the crisis, and to provide recommendations for similar crises that will happen to businesses in the digital world.
Keywords: Uber, GDPR, digital technology, regulation, personal data, crisis, crisis management

Introduction
The frequency of crises in the modern world shows how much attention organisations have to pay to crisis management. Crisis management is not only reflected in the sphere of physical threats but also in that of digital and emerging hazards, which manifest themselves in violations of the ‘colossal’ regulation. The fast digital world has brought many advantages, as well as dangers that do not affect the digital sphere alone but spill over into the real physical world. In order for digital technologies and the e-economy to continue to develop, they need a large amount of data, which brings challenges that need to be overcome successfully; otherwise breaches are possible, and they are often expensive.
The main drivers of digital demand are corporations, and data have become more important to them than ever before. However, as drivers, they are also extremely vulnerable when it comes to the cyber sphere of doing business. One important aspect of this is also the use of large sets of personal data for different purposes, with the aim of maximising profits.
However, the rules adopted in the field of data protection set out, to a large extent, the conditions under which data can be used correctly for the required purposes. The protection of personal data is not a question that arose only a few years ago; it is an area of privacy that has been developing for at least the last fifty years.3 Today, we are witnessing a rapidly changing way of doing business, which is the result of the digitalisation of processes within corporations as well as in society. In addition to the development of numerous models for collecting data on individuals, it has been shown that manipulation of personal data can have significant consequences (Information Commissioner’s Office of the United Kingdom 2018a).

1 The author is MSc. & univ. spec. polit., Zagrebačka banka, Croatia
2 The author is PhD, University of Zagreb, Faculty of Political Science, Croatia
3 For example, in the German state of Hesse in 1970, the Data Protection Act was adopted, followed by the adoption of similar regulations across Europe: Sweden in 1973, France in 1978, etc.

CONTEMPORARY MACEDONIAN DEFENCE 93
Any data breach constitutes a potential crisis that can bring significant negative effects
on business. In order to overcome it, a good understanding of the matter is crucial, along with
the clearly established crisis management mechanisms, as well as sufficient resources.
Crisis management represents the capacity of the organisation to act quickly, efficiently
and effectively in situations where the objective is to minimise adverse effects on the normal
course of the business, and the damage itself. As a set of functions, it aims to identify, learn and
anticipate possible crisis situations and to establish specific ways to enable the organisation to
prevent an escalation of the crisis or to find ways to minimise the consequences and return to
its normal situation (Kešetović et al. 2013: 101).
The data breach that affected the international corporation Uber is one of the flagrant examples of what organisations are not allowed to do when confronted with a crisis situation. Uber was the target of a hacker attack in 2016, during which the attackers were able to gain access to the source code on GitHub, find cloud credentials and use them to download data. Although the breach occurred in the United States, it affected a vast number of individuals across the world, including citizens of EU Member States.
If such a situation occurred now, when the General Data Protection Regulation is applicable, it would at the very least entail a sanction against the legal person whose failure enabled the data breach, and that sanction could be much higher than the one imposed in the United States. This example is a good way of pointing out what matters and what should be avoided.
The aim of this work is to explore how the international company Uber managed a crisis situation and which steps needed to be taken to protect its own value, its users and its data (data from users and corporations). The purpose of the study is to analyse the ways and models of applying different approaches and crisis management measures in this specific case, in order to draw lessons for similar cases in the future. The central research question is explanatory and is stated as follows: How did Uber manage the mentioned crisis? To answer this question, we use a desk-based qualitative research framework with several different scientific methods, explained below.
The research is structured as follows. The Introduction is followed by the Theoretical and Methodological Framework, where the key concepts and research methods are explained. Then comes the Data Protection section, in which the normative framework is presented, followed by the Data Breach section, which explains how the breach occurred. The section on the Uber case and the management of the crisis presents the key parts of the crisis and what Uber did during it. This is followed by a Discussion of Uber’s methods of dealing with the crisis, analysed in accordance with the theoretical and methodological framework, and the Conclusion provides a cross-section of the research and recommendations for future action in similar crises.

Theoretical and Methodological Framework


“The crisis has led to a change — either sudden or gradual — bringing about a serious problem that needs to be addressed immediately. In business, the crisis is everything that may cause sudden and serious harm to employees, reputation or financial performance of the company” (Luecke 2005: 15). A commercial crisis represents a situation in which an organisation finds itself — influenced by internal or external factors — that threatens its survival (Sučević 2010: 12-15). Managing situations that are not necessarily a crisis yet, or that have already turned into one, is the task of crisis management. As stated above, crisis management represents the organisation’s ability to act rapidly, efficiently and effectively in situations where the objective is to minimise adverse effects on the normal course of business and the damage itself (Kešetović et al. 2013: 101). In that regard, crisis management is part of a broader system of organisational risk management. Although we are all aware of numerous crises, “rare managers are actively preparing for potential crises”, and even fewer are trained in crisis management. None of these gaps should be surprising, as crisis management is still a young discipline (Luecke 2005: 15). Therefore, as the main theoretical framework of the analysis we take the theory of crisis management, which is part of security studies, economics and management studies and, as such, represents an extremely suitable basis for this research.
In crisis management analysis, the most commonly and globally used framework consists of four phases: prevention, preparedness, response and recovery. We also need to determine when and at what level the analysis is carried out. According to Ole Holsti, there are four reference levels of crisis analysis: the state, the bureaucratic organisation, society and the individual (Kešetović et al. 2013: 29). Our research includes an analysis at the level of the organisation. Moreover, for a more detailed approach, different authors have developed additional stages of analysis compared to the four globally used ones. Arjen Boin and associates have developed a theoretical framework that involves five critical tasks for crisis management: observation, decision-making, interpretation, completion and learning (Boin et al. 2005: 10). Norman Ougustin considers that there are six phases of crisis management at the disposal of business companies: crisis avoidance, preparation for crisis management, crisis recognition, crisis containment, crisis resolution and drawing conclusions (Ougustin 2010: 11), while Richard Luecke refers to eight stages: preparing for possible dangers, avoiding dangers, contingency planning, crisis recognition, containing the crisis, crisis resolution, media cooperation and learning from the crisis (Luecke 2005: 16-20). Given the space available in this survey and for the purposes of this work, we have decided to focus primarily on the crisis-resolution part of these frameworks, drawing on the solutions outlined by the authors cited here.
According to Boin et al. (2005: 79), successful crisis management requires a framing of what the crisis is, which allows managers to define appropriate strategies for resolving it. Ougustin (2010: 46) states that it is necessary to start implementing the crisis plan as soon as possible. When a company is exposed to a crisis, the assumption is that it has several realistic options at its disposal; they need to be considered and the company needs to act in accordance with its crisis plan. Luecke (2005: 122-124) believes that during a crisis time works against those who need to resolve it: the more time passes, the more the problem spreads, takes root and becomes increasingly difficult to overcome. So it is necessary to act quickly and decisively in any crisis. It is also necessary to communicate tirelessly with all key groups of the public, such as clients, shareholders and employees. Communication, among other things, is a tool for suppressing rumours and coordinating all the activities needed to resolve the crisis.
Since this analysis addresses an explanatory research question (How?), the case study method is specified for carrying out the analysis (Yin 2007: 16). “Study (Analysis) on selected cases implies the use of different methods to analyse in detail one or several selected cases concerning the same or a similar subject or issue of research.... The method of analysing the case is used to better understand the substance of the problem, to develop more general theoretical claims about the regularity in the analysed structure and process, to create a typology or categories relating to social phenomena or to develop new hypotheses tested in later research activity” (Tkalac Verčić et al. 2010: 94). The research involves one unit of analysis, the conduct of Uber in a crisis; that is to say, a single case is investigated: how Uber managed the crisis in which it found itself. Additional methods used are analysis, synthesis and the comparative method. Analysis is used to study individual parts in relation to the whole and to other parts. Synthesis explains the state of reality by assembling simpler parts into a particular unit. Using the comparative method, we compare individual parts of the same case study.

Data Protection
A fast digitalised world has created the need to adopt comprehensive regulation to protect the personal data of each individual. Why is that so? This is because personal data have become the new oil of the economy, as have the technologies that go with them. Personal data can be used in a variety of ways; most often they are used for marketing purposes, but their use extends into realms that are sometimes difficult to grasp: the development of artificial intelligence, risk calculation, business improvement, etc.
However, misuse of personal data may entail consequences for people which may be minor but can also be horrible,4 from the illegal use of electronic addresses to send marketing messages, to identity theft, with the prospect of even worse consequences in the future.
Therefore, in order to ensure that personal data are used within the expected frameworks, and to guarantee adequate protection from malicious individuals and groups, in 2016 the EU adopted legislation affecting business to a very large extent. The legislation referred to is the General Data Protection Regulation, which became applicable in May 2018 (hereinafter: GDPR or Regulation) (European Parliament and Council 2016).

4 For example, the Cambridge Analytica case has shown how illegally collected data can influence democratic processes. In that case, Facebook Inc and Facebook Ireland Limited were fined £500,000 by the UK Information Commissioner’s Office. For more see https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/10/statement-on-an-agreement-reached-between-facebook-and-the-ico/.
It is a regulation whose application is extremely broad. The rules apply to the processing of data in the context of the activities of an establishment of a controller or processor in the EU, but also to controllers and processors not established on the territory of the EU when they offer goods and services to individuals in the EU or monitor their behaviour. In other words, the legislation applies practically to the whole world that is doing business with the EU (ibid: Article 2).
The GDPR is the general regulation in the field of data protection, which serves as a foundation for other relevant legislation that is or will be enacted in the future. The Regulation has led companies not only to change the basis of certain business processes, but also to put in place clear procedures for situations where its provisions are breached. Given that the aim of this article is to clearly define crisis management mechanisms in the case of a data breach, greater attention will be paid to this “first line of defence”.

Data Breach
A personal data breach is defined as a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed. In other words, it is a situation in which personal data are removed without authorisation or unlawfully (e.g. loss of personal data, sending a message to an incorrect electronic address, or theft of personal data). For example, it is possible for one of the company’s staff to copy clients’ data to a USB stick and sell these data to another company, or for a hacker using a malicious program (ransomware5) to block the company’s access to the data. These examples are not far-fetched; they are considered practically everyday occurrences, as we will see in the scenario that hit Uber, which ultimately made clear how not to act in modern business, and much less so when personal data are concerned.
The European Union Agency for Network and Information Security (ENISA), in its Threat Landscape Report for 2018, identified 15 main cyber threats in the world: malware (malicious software designed to cause intentional damage to IT infrastructure: viruses, worms, spyware, Trojan horses); web-based attacks (through web systems such as browsers, extensions, websites and web services); web application attacks (using weaknesses in web services and applications); phishing (defrauding information by posing as a legitimate company and sending emails and messages with a malicious attachment, URL, etc.); distributed denial of service, i.e. DDoS attacks (disruption of the regular traffic of a server, service or network by overwhelming it with internet traffic); spam (flooding users with unsolicited emails or messages); botnets (connected devices that are running bots, i.e. software applications that run automated tasks like DDoS attacks); data breaches (successful outcomes of cyber threats such as leakage or exposure of data); insider threat (within a company or organisation); physical manipulation/damage/theft/loss (of a storage device); information leakage; identity theft; cryptojacking (or cryptomining: use of device processing power to mine cryptocurrencies); ransomware (ransom of blocked files and devices); and cyber espionage (ENISA, 2019: 9).

5 See more about ransomware at https://www.cert.hr/19795-2/ransomware/
As we can see, cyber threats are numerous and very diverse, so it is essential to be prepared for a data breach, but also to know how to recognise one. It is easy to recognise the theft of a USB stick containing personal data, but the detection of a data breach can be much more subtle, to the extent that it may only be noticed when significant damage has already occurred.6 It is also necessary to set up a plan and a team with appropriate knowledge to guide the process when such a crisis occurs (Information Commissioner’s Office of the United Kingdom 2018b). It is necessary to determine whether appropriate technical and organisational measures have been implemented so as to establish immediately whether a data breach has taken place, and to inform the authority and the individuals concerned within a specified period of time (European Parliament and of the Council 2016: Preliminary provisions, paragraph 87).
A breach may potentially have a number of significant adverse effects on the individuals whose data are affected and may result in physical, material or non-material damage. The Regulation clarifies that this can involve loss of control over data, limitation of rights, discrimination, identity theft or fraud, financial losses, reputational damage, as well as the loss of confidentiality that has to be addressed (Article 29 Data Protection Working Party7, 2018).
Once a data breach has occurred, it is necessary to report it to the national supervisory authority responsible for the protection of personal data (hereinafter: the supervisory authority) within 72 hours of becoming aware of it. Article 33 of the GDPR provides that the notification shall include at least the following: a description of the nature of the data breach (which personal data were affected, the number of individuals); the name and contact details of the data protection officer (or, if the company does not have a data protection officer, of the contact person who can give more information); a description of the likely consequences; and a description of the measures that the company has taken or proposes to take in order to resolve the problem, including measures to mitigate its effects.

6 It is possible to imagine cases of infringement arising from the passage of time. For example, an organisation teaching children a specific skill obtains, on enrolment, consent to publish photos of the child on the organisation’s official page. Once the child has reached adulthood, the organisation continues the same practice without obtaining consent again. While the initial processing was in compliance with the statutory provisions, once the child has come of age the organisation should obtain the child’s consent anew in order to proceed with the lawful publication of the photograph on the official website.
7 The Article 29 Data Protection Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. After the adoption of the GDPR it became the European Data Protection Board.
However, if a data breach is unlikely to result in a risk to the rights and freedoms of individuals, the organisation does not need to report it to the supervisory authority; it is important to bear in mind, though, that such a breach must also be documented, together with the reasons why it is considered not to pose a risk to those rights and freedoms. This may be the case where the personal data have already been made public. The situation where personal data are essentially not readable to unauthorised parties is similar. However, even where notification is not required at the outset, this may change over time, and the risk should be re-assessed: if it is subsequently established that the encryption key is compromised, or a weak point in the encryption software is detected, notification could be required (Article 29 Data Protection Working Party, 2018).
We live in a globalised world where information travels faster than ever and where services are delivered from one country to all citizens of the world, so personal data that may be misused affect not only the citizens of one country but of many. For such cross-border breaches, the Regulation provides that notification must be made to each supervisory authority responsible for carrying out the task on the territory of its own Member State (European Parliament and of the Council 2016: Article 55).
In doing so, the company must take care which supervisory authority is the lead one, since it will be the authority of the State where the company has its main establishment or its single establishment in the EU. Organisations should identify the lead supervisory authority when drafting their action plan, allowing them to react more quickly and fulfil their obligations under the Regulation. This means informing the lead authority as well as the competent authorities in the countries where the company also has an establishment (Article 29 Data Protection Working Party, 2018).
We see, therefore, how data breaches need not evolve into a crisis, and that if they do turn into one, the response must be led by a crisis manager who is aware of the requirements that this ‘colossal’ regulation, the GDPR, places on them. In addition to knowing how to recognise a data breach, short time limits must be respected and sufficient resources allocated to dealing with the breach. In the light of the rapidly changing digital world, threats are an everyday occurrence, especially the cyber threats cited by ENISA. Bearing in mind the stages of crisis management according to Luecke and other authors, as well as the threats that exist in the realm of personal data, it is not a question of whether a potential crisis will occur, but only of when it will happen.
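The notification duties summarised in this section (the 72-hour deadline, the risk thresholds for notifying the authority and the data subjects, the duty to document, the re-assessment of encrypted data and the lead-authority rule), as an added example that is not part of the article nor any code of Uber's or the regulators': a triage helper that applies them to a constructed case. The risk scoring, the awareness date and the Member State codes are assumptions made here.

```python
"""GDPR breach triage (added example, not the article's own code).

Applies the rules summarised above: authority notification within 72 hours of
awareness unless the breach is unlikely to result in a risk (Art. 33); data
subject communication only where the risk is high (Art. 34); documentation of
every breach; re-assessment once encrypted data become readable; and the lead
supervisory authority first for cross-border processing. Scoring, thresholds,
dates and Member State codes are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    UNLIKELY = "unlikely"  # no notification duty, but document it
    RISK = "risk"          # notify the supervisory authority
    HIGH = "high"          # also communicate to the data subjects


@dataclass
class Breach:
    aware_at: datetime                # when the controller became aware
    data_categories: set              # e.g. {"name", "email", "driving_licence"}
    data_subjects: int
    malicious_actor: bool             # a criminal third party holds the data
    already_public: bool = False
    encrypted: bool = False           # unreadable to unauthorised parties
    key_compromised: bool = False     # later finding: the key leaked too
    main_establishment: str = "NL"    # Member State of the main establishment
    affected_member_states: set = field(default_factory=set)


NOTIFY_WINDOW = timedelta(hours=72)
SENSITIVE = {"driving_licence", "id_number", "financial", "health"}  # assumption


def assess_risk(b: Breach) -> Risk:
    """Risk to the rights and freedoms of individuals (constructed scoring)."""
    if b.already_public:
        return Risk.UNLIKELY
    if b.encrypted and not b.key_compromised:
        return Risk.UNLIKELY  # must be re-assessed if the key leaks later
    score = 0
    score += 2 if b.data_categories & SENSITIVE else 0
    score += 1 if b.malicious_actor else 0
    score += 1 if b.data_subjects >= 1000 else 0
    return Risk.HIGH if score >= 3 else Risk.RISK


def authorities_to_notify(b: Breach) -> list:
    """Lead authority first, then every other Member State with affected people."""
    others = sorted(b.affected_member_states - {b.main_establishment})
    return [b.main_establishment] + others


def triage(b: Breach, now: datetime) -> dict:
    """Decide who must be told, by when, and what must be documented."""
    risk = assess_risk(b)
    notify_authority = risk is not Risk.UNLIKELY
    deadline = b.aware_at + NOTIFY_WINDOW  # latest moment for Article 33
    if b.already_public:
        reason = "data already public"
    elif b.encrypted and not b.key_compromised:
        reason = "data unreadable to unauthorised parties"
    else:
        reason = None
    return {
        "risk": risk.value,
        "notify_authority": notify_authority,
        "authority_deadline": deadline,
        "deadline_missed": notify_authority and now > deadline,
        "notify_data_subjects": risk is Risk.HIGH,
        "authorities": authorities_to_notify(b) if notify_authority else [],
        "document_internally": True,  # every breach, whatever the outcome
        "reason_not_notified": reason,
    }


def article_33_report(b: Breach, contact: str, consequences: str, measures: str) -> dict:
    """The four elements the notification must contain, as listed above."""
    return {
        "nature": {"categories": sorted(b.data_categories), "subjects": b.data_subjects},
        "contact": contact,  # data protection officer or other contact point
        "likely_consequences": consequences,
        "measures_taken_or_proposed": measures,
    }


def constructed_case() -> Breach:
    """Constructed input shaped like the breach the article describes."""
    return Breach(
        aware_at=datetime(2016, 11, 1, tzinfo=timezone.utc),  # invented date
        data_categories={"name", "email", "phone", "driving_licence"},
        data_subjects=57_000_000,
        malicious_actor=True,
        main_establishment="NL",
        affected_member_states={"NL", "FR", "GB"},
    )


def hours_after(b: Breach, hours: float) -> datetime:
    """Helper for 'now' values relative to the moment of awareness."""
    return b.aware_at + timedelta(hours=hours)
```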

Uber case study and manner of managing the crisis


Looking at the Uber case, it is necessary to see the broader picture around this
company’s security and privacy. And not just to observe the data breach from 2016,
but also those that occurred in 2011 and 2014.


In fact, in 2011, Uber offered the ‘Black car’ and ‘Ride-sharing’ services in the markets of large cities. In doing so, participants were able to follow Uber’s “God’s view”, which allowed them to see all drivers as well as all users who had ordered a ride. Although it was an anonymous version, at one of its parties the company decided to “honour” its guests with the so-called “Creepy Stalker View”, which revealed identities and showed the position and movement of certain users in real time. That case led the authorities to open an investigation (Torre 2019).
In May 2014, hackers managed to enter the cloud and access the data of more than 100,000 individuals; in addition, difficulties were encountered with the monitoring of employees, some of whom accessed users’ personal data. These two cases resulted in settlements with supervisory authorities due to the lack of supervision of employees and the lack of security measures. Uber agreed to third-party audits for the next 20 years and to adopt a robust privacy protection programme (Torre 2019).
These cases were already sufficiently aggravating for a relatively young company that was starting to break into the world market. However, in 2016 there was a new attack by cyber criminals, and that is when the real agony began. The attackers were able to gain access to the source code on GitHub (using stolen credentials). There they found the cloud credentials and used them to download the company’s data in 16 large files containing the personal data of 57 million users and drivers from all over the world. Affected by the aforementioned cases, the company “came up with a clever idea” and decided not to report the attack, paying the attackers USD 100,000 as a reward for the detected bug (Torre 2019; Somerville 2017; Frankel 2017).
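A defender-side control against the entry point described above (cloud credentials left in source code), as an added example that is neither the article's nor Uber's own tooling: a pre-push scan that refuses commits carrying hard-coded credentials. The AWS access-key-id format is a public pattern used only for illustration, since the article does not say which cloud provider was involved; the generic assignment pattern, the entropy cut-off and the sample file are constructed here.

```python
"""Pre-push scan for hard-coded cloud credentials (added example, not Uber's).

Flags lines that look like credentials so they never reach a shared repository:
a public key-id format (AKIA plus 16 upper-case alphanumerics, used only as an
illustration), a generic NAME = "value" assignment of a secret-like name, and
PEM private-key headers. Placeholders such as "changeme" are filtered out by a
Shannon-entropy check. Patterns, threshold and sample text are constructed.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted so the report itself does not leak the value


PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # secret-like name, optional suffix, then a quoted value of 8+ characters
    "generic_secret_assignment": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|access[_-]?key|token)\w*"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; constructed cut-off


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, human placeholders low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix for triage, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str) -> list:
    """Return one Finding per (line, rule) that looks like a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if rule == "generic_secret_assignment":
                # "changeme"-style dummies and template values have low entropy;
                # skipping them keeps the gate quiet on obvious placeholders.
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                rule = "high_entropy_secret"
            findings.append(Finding(line_no, rule, redact(value)))
    return findings


def is_clean(text: str) -> bool:
    """True when nothing credential-like was found (use as a pre-push gate)."""
    return not scan_text(text)


# Constructed sample file; every value is invented and none is a real key.
SAMPLE_SOURCE = """\
# constructed sample; all values below are invented
import os
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
aws_secret_access_key = "Ab3dEf7hJk9mNp2qRs5tUv8wXy0zCg4iLo6rTu1x"
db_password = "changeme"
api_key = os.environ["API_KEY"]
pem_header = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} ({f.snippet})")
    print("clean" if is_clean(SAMPLE_SOURCE) else "secrets found, refusing push")
```

Reading credentials from the environment, as line 6 of the sample does, is the pattern the scan leaves untouched; a hook that runs this over every staged file stops the leak before the repository does.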
However, as the regulator in the United Kingdom, the ICO, also pointed out, the ‘reward’ Uber paid to the attackers was fundamentally different from a legitimate bug bounty. These were hackers who, instead of detecting the vulnerability and reporting it, misused it and downloaded personal data (Hern 2018).
It is fair to say that the 2016 data breach, i.e. the ‘Uber data breach’, became a synonym for a very serious infringement, as well as for non-compliant behaviour. The company decided to inform neither the authorities nor the users that their personal data had been compromised by an unauthorised third party. In addition, as a measure for reducing the risk to the rights and freedoms of individuals, the company started monitoring accounts 12 months after the attack in order to prevent possible fraud (Hern 2018).
Finally, in agreement with the authorities, Uber adopted a data breach notification model, as well as data protection practices and a corporate integrity scheme for employees reporting unethical behaviour. In addition, it commissioned a third party to assess its data protection practices at the time, and paid a record high fine of USD 148 million (Torre 2019; Hern 2018).
In its public statement, the company emphasised that it had made significant changes in leadership to ensure an adequate level of transparency with regard to regulators and users. It highlighted that it learns from its mistakes and that it will continue to work on gaining the trust of users (Hern 2018).

In August 2020, a criminal complaint was filed against Joseph Sullivan, Uber’s former Chief Security Officer, for obstruction of justice and covering up the data breach. Sullivan concealed not only the fact that the hacking had taken place, but also that there had been a data breach affecting millions of users and drivers (Conger 2020).
Bearing in mind all of the above, it is clear that any treatment similar to Uber’s would fail to satisfy the requirements laid down by the GDPR. Apart from the poor preparation for the crisis, a series of wrong decisions and a lack of transparency led to a very high penalty, but also to the fact that today, 4 years after the last data breach, the case of this company is synonymous with “how not to act”. Concealment of a data breach, i.e. false reporting to regulatory bodies and the public, which would be contrary to the GDPR, entails severe consequences. While the level of cyber security within the company itself can be debated, what led to the final outcome of the case was the series of decisions that went in the direction of avoiding liability.

Debate
As can be seen from the series of incidents at Uber, the epilogue was not only a fine, but also criminal prosecution and certainly reputational damage: it is estimated that, among other things due to the cover-up in question, Uber lost about USD 20 billion in value (Somerville 2017). Moreover, regulators in some Member States of the European Union, since the data of their citizens had been breached, decided to impose penalties. For example, the Dutch Data Protection Authority imposed a penalty of EUR 600,000, the French Data Protection regulator EUR 400,000 and the British Information Commissioner GBP 385,000. It is necessary to highlight that these penalties were imposed for a data breach that occurred before the GDPR became applicable. The Commission Nationale de l’Informatique et des Libertés (CNIL), the French regulator, stated on 20 October 2018, when it publicly disclosed the imposition of the fine, that the penalty would have been much higher if the Regulation had been applicable at that time (Commission Nationale de l’Informatique et des Libertés 2018).
By doing so, Uber has practically given a textbook example of what an organisation should not do in the event of a data breach. Considering such a data breach in the light of the Regulation, there were a number of missteps that were ultimately followed by all the repercussions highlighted above.
In this type of case, first, when such a breach occurs, there is an obligation to report it to the competent supervisory authority at the latest within 72 hours of becoming aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of individuals. Accordingly, there is an obligation to notify the supervisory authority of the Member State where the organisation has its main establishment, but it is also good practice to provide such information to the supervisory authorities of other Member States if the data breach occurred on their territory or affected their citizens. As we have seen, in the Uber situation the company did not report the data breach for a considerable period of time, and it decided to cover up the whole case. There was also a large number of affected individuals and a substantial set of personal data involved, so the exception from notification would be out of the question.
In the Guidelines on notification of data breach under Regulation 2016/679, the Article 29 Data Protection Working Party has highlighted that, in the case of cross-border data processing, the data controller will have to notify the lead supervisory authority of a data breach. When drawing up their action plan, organisations must therefore assess which supervisory authority is the lead authority. The Working Party also specifies that, in the event of a data breach involving cross-border processing, the lead supervisory authority must be informed, which does not necessarily have to be the supervisory authority responsible for the territory of the affected subjects or for the location where the breach took place. It is recommended that in such a case the organisation should state whether the breach has occurred in other Member States and in which Member States there are individuals who are likely to be affected by it (Article 29 Data Protection Working Party 2018).
As we have seen, there is also an obligation to inform the data subjects of a data breach without undue delay, unless the breach is unlikely to result in a high risk to the rights and freedoms of the individual, so the notification threshold is higher than for the supervisory authority. However, in situations where there is a data set such as this one (name, e-mail address, mobile phone number and driving licence number), a large number of individuals and, moreover, a criminal third party, there is certainly a high risk. Such data could be offered on the Dark Web, could fetch a significant price and may, in addition, be used for further criminal purposes. Individuals affected by a data breach can be informed directly, unless doing so would involve disproportionate effort, in which case they shall be given a public notice. Recital 86 of the GDPR states the following: “The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication” (European Parliament and Council 2016: Preliminary provisions, paragraph 86).

102 CONTEMPORARY MACEDONIAN DEFENCE


INTERNATIONAL SCIENTIFIC JOURNAL

It is important to stress that the risk assessment should take into account several parameters: the type of infringement; the nature, sensitivity and amount of personal data involved; the ease with which the individuals can be identified; the seriousness of the consequences for the individuals; the specific characteristics of the individuals; the specific characteristics of the data controller; and the number of individuals affected.
Organisations shall, upon request, cooperate with the supervisory authority in the performance of its tasks. In other words, conduct such as Uber's is certainly not in line with the Regulation and constitutes a breach of it. Such non-cooperation may, in any event, also be reflected in the amount of the penalty imposed by the supervisory authority. It is also necessary to document the infringement and to hand such documentation over to the supervisory authority. Making false statements before the public and the supervisory authorities, as well as the cover-up attempts, certainly does not amount to good cooperation with the supervisory authority.
The administrative fine that the supervisory authority could impose in such a case would certainly not be small. When imposing it, the supervisory authority shall be guided by the nature, gravity and duration of the breach, whether measures were taken to mitigate the damage suffered by the data subjects, the degree of responsibility, relevant previous data breaches, the degree of cooperation with the supervisory authority, the categories of personal data affected, the manner in which the supervisory authority became aware of the breach and any other aggravating or mitigating factors (Article 29 Data Protection Working Party 2017). The penalty may be up to EUR 10,000,000 or up to 2 % of the total worldwide annual turnover of the preceding financial year. In the case of a severe data breach the penalty could go up to EUR 20,000,000 or up to 4 % of the total worldwide annual turnover of the preceding financial year. In addition, in the event of a breach of several provisions of the Regulation, the total amount of the fine may not exceed the amount set for the most serious infringement.
In 2015, Uber recorded an annual turnover of USD 1.5 billion, so each individual supervisory authority could have imposed a maximum penalty of USD 60 million for such a data breach, as a number of provisions of the Regulation were infringed. However, if such a breach occurred in 2020, the fine could reach USD 564 million, given that the global turnover in 2019 was USD 14.1 billion.⁸
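As an added example, not code from the paper or from Uber, the following Python encodes the notification decision from the preceding paragraphs (the 72-hour deadline towards the supervisory authority, the lead authority for cross-border processing, the higher threshold for informing data subjects, the public-notice fallback and the duty to document the breach) together with the fine ceilings just described, so that the two figures in the text can be recomputed and a response team can check how far a late report overran the deadline. The dataclass fields, the risk-scoring weights, the authority codes and the sample incident are assumptions constructed for the example, not facts from the Regulation or from the Uber case.

```python
"""GDPR breach-notification and fine-ceiling helper (added example; not the
paper's or Uber's code).  Encodes Art. 33 (supervisory authority, 72 hours),
Art. 34 (data subjects, high risk) and Art. 83 (fine ceilings) as described
in the text.  The risk weights in assess_risk() are this example's assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta

AUTHORITY_DEADLINE = timedelta(hours=72)   # Art. 33(1): counted from becoming aware
SENSITIVE = {"driving_licence", "passport", "financial", "health", "password"}  # assumption


@dataclass
class Breach:
    aware_at: datetime                  # when the controller became aware
    data_categories: tuple              # e.g. ("name", "email", ...)
    affected_individuals: int
    malicious_third_party: bool         # criminal actor, not an internal slip
    main_establishment_authority: str   # SA of the Member State of main establishment
    cross_border: bool = False
    lead_authority: str = ""            # lead SA for cross-border processing
    member_states_affected: tuple = ()  # Member States whose residents are affected
    direct_contact_feasible: bool = True


def assess_risk(b: Breach) -> str:
    """'unlikely', 'risk' or 'high', scored from the parameters the text lists:
    amount and sensitivity of data, ease of identification, head count, incident type."""
    score = 0
    score += int(b.affected_individuals >= 1_000)
    score += int(b.affected_individuals >= 1_000_000)
    score += int(len(b.data_categories) >= 3)        # combined set: easy identification
    score += int(bool(SENSITIVE & set(b.data_categories)))
    score += 2 * int(b.malicious_third_party)        # likely resale or further misuse
    if score == 0:
        return "unlikely"
    return "high" if score >= 3 else "risk"


def notification_plan(b: Breach) -> dict:
    """Whom to notify, by when, and through which channel."""
    level = assess_risk(b)
    plan = {"risk": level, "document_internally": True,   # Art. 33(5): always record it
            "notify_authority": False, "authority": None, "authority_deadline": None,
            "also_inform": [], "notify_subjects": False, "subject_channel": None}
    if level == "unlikely":
        return plan                                       # Art. 33(1) exception
    plan["notify_authority"] = True
    # Cross-border processing goes to the lead SA, which need not be the SA of the
    # territory where the breach happened or where the affected people live.
    plan["authority"] = b.lead_authority if b.cross_border else b.main_establishment_authority
    plan["authority_deadline"] = b.aware_at + AUTHORITY_DEADLINE
    plan["also_inform"] = list(b.member_states_affected)  # good practice per the text
    if level == "high":                                   # Art. 34: higher threshold
        plan["notify_subjects"] = True
        plan["subject_channel"] = "direct" if b.direct_contact_feasible else "public notice"
    return plan


def hours_overdue(plan: dict, reported_at: datetime) -> float:
    """Hours past the 72-hour deadline a report was made (0.0 if on time or not due)."""
    if not plan["notify_authority"]:
        return 0.0
    return max(0.0, (reported_at - plan["authority_deadline"]).total_seconds() / 3600)


def fine_ceiling(turnover: int, severe: bool) -> int:
    """Art. 83(4)/(5): fixed amount or percentage of worldwide annual turnover,
    whichever is higher.  Integer arithmetic keeps the percentage exact."""
    fixed, pct = (20_000_000, 4) if severe else (10_000_000, 2)
    return max(fixed, turnover * pct // 100)


def total_fine_ceiling(turnover: int, severities: list) -> int:
    """Art. 83(3): several infringed provisions are capped at the ceiling of the
    most serious one, not the sum."""
    return max(fine_ceiling(turnover, s) for s in severities)


# Constructed sample modelled on the data set the text describes; date, head count
# and authority names are invented for this example.
SAMPLE = Breach(
    aware_at=datetime(2016, 11, 14, 9, 0),
    data_categories=("name", "email", "mobile_phone", "driving_licence"),
    affected_individuals=2_500_000,
    malicious_third_party=True,
    main_establishment_authority="DPC-IE",
    cross_border=True,
    lead_authority="AP-NL",
    member_states_affected=("NL", "FR", "HR"),
)
# Constructed low-risk counterpart: a handful of e-mail addresses, no attacker.
LOW_RISK_SAMPLE = Breach(datetime(2016, 11, 14, 9, 0), ("email",), 10, False, "DPC-IE")

if __name__ == "__main__":
    plan = notification_plan(SAMPLE)
    print(plan)
    print(hours_overdue(plan, datetime(2017, 11, 21, 9, 0)))        # a report made long after
    print(total_fine_ceiling(1_500_000_000, [False, True, True]))    # the text's USD 60 million
    print(total_fine_ceiling(14_100_000_000, [True]))               # the text's USD 564 million
```

The ceiling functions take the turnover in whatever currency the figures are quoted in; the text applies the 4 % leg to USD turnover, and the fixed EUR floors only matter for small companies where the percentage leg falls below them.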
One must, of course, also bear in mind the possibility of a group action for damages, as well as a loss of reputation that may be reflected in a fall in the share price or in a boycott of the service or product; such negative effects can have a very drastic impact on the company's business.
⁸ Annual turnover data extracted from https://www.statista.com/statistics/550635/uber-global-net-revenue/
In the analysis of everything done by Uber, according to publicly available data and the set theoretical and methodological framework, we can point out that the company did not successfully manage the crisis because it did not set the necessary framework to define the kind of crisis it faced, which would have allowed it to define and then undertake appropriate strategies to address the crisis. Furthermore, the analysis found that Uber did not have a contingency plan at its disposal, so even if it considered the realistic options available, it could not implement them effectively because it had no background or guide in the form of a contingency plan that would have allowed a better response than the one its executive management actually gave.
Furthermore, the analysis showed that the company's management did not cope well with the crisis: over time the problem grew, took root in their ranks and could no longer be overcome on their own. As regards communication in a crisis, they did everything contrary to the recommendations they should have followed and decided to cover up the situation, which turned out to be the wrong decision. The behaviour of Uber's executive management is thus a prime example of how not to act during a business crisis.

Conclusion
Business crises show that most companies are unprepared for the crises that befall them and that, as in the example of Uber, they have not developed crisis management as part of the company's strategic business processes. Many companies around the world fail after the first major crisis in which they find themselves, due to both financial losses and loss of reputation. Luck has helped Uber: even after several crises (2011, 2014 and 2016), and despite the fact that they were not well managed, the company survived and continued to operate. But its case is very instructive both for Uber itself and for many others, such as other companies, users, regulators and law enforcement agencies. The significance of this case study shows the importance of examining such crises and justifies the reasons for researching it.
The crisis in question and the publicly available data confirm the soundness of the chosen theoretical and methodological framework, its design and composition, which is adapted to the research and analysis of this crisis. Crisis management theory and the scientific research methods used were applied in a way that extracts key observations related to the crisis and to Uber's handling of the crisis in which it found itself. Although aware that no theory can explain all the facts and processes, especially in today's extremely fast, dynamic and multi-layered world, we still need theories as patterns by which to interpret the processes we have chosen to analyze.
Regarding the part of the discussion on this crisis, it is important to point out that the need for and usefulness of regulation in all processes, including digital business, has been justified, especially since the digital world is developing exponentially and brings us numerous advances but also significant challenges and dangers. Regulation is therefore necessary and desirable in a form that protects users, companies, societies and states without restricting them in their business. This is exactly what is being achieved through the GDPR. It is additionally important because it enables the regulation of the operations of companies that are established and registered outside the European Union and provide services around the world, including to the citizens of the Union.
The key recommendation of this research is that crisis management must be developed, in addition to regulation, at all levels and in all areas. The analysis showed that Uber did not have crisis management in place, so it did not even try to manage the crisis effectively but took the line of least resistance, hoping that everything would somehow resolve itself with as little damage as possible. It turned out that they were wrong and that, with adequate crisis management, they would certainly have responded better and more successfully to the crisis in which they found themselves, and thus better protected the personal data of the customers and the value of the company. Investing in security, such as establishing a crisis management system, is therefore not a cost but a necessity for every business organization.

REFERENCES:
Article 29 Data Protection Working Party (2018), Guidelines on Personal data breach notification under Regulation 2016/679 (adopted on 3 October 2017, as last revised and adopted on 6 February 2018), https://azop.hr/images/dokumenti/217/wp250rev01_enpdf-1.pdf, accessed 13 October 2020
Article 29 Data Protection Working Party (2017), Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (adopted on 3 October 2017), https://azop.hr/images/dokumenti/217/guide_lines_application_of_administrative_fines.pdf, accessed 20 October 2020
Boin, A., Hart, P., Stern, E., Sundelius, B. (2005), The Politics of Crisis Management: Public Leadership under Pressure, New York: Cambridge University Press
Commission Nationale de l'Informatique et des Libertés (2018), UBER: sanction de 400.000€ pour une atteinte à la sécurité des données des utilisateurs, https://www.cnil.fr/fr/uber-sanction-de-400000eu-pour-une-atteinte-la-securite-des-donnees-des-utilisateurs, accessed 12 October 2020
Conger, K. (2020), Former Uber Security Chief Charged With Concealing Hack, The New York Times, https://www.nytimes.com/2020/08/20/technology/joe-sullivan-uber-charged-hack.html, accessed 28 October 2020
European Parliament and Council (2016), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union L 119/1, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=HR, accessed 2 October 2020
European Union Agency for Network and Information Security (2019), ENISA Threat Landscape Report 2018: 15 Top Cyberthreats and Trends, https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018, accessed 12 October 2020
Frankel, A. (2017), Data breach class actions are the least of Uber's problems, Reuters, https://www.reuters.com/article/legal-us-otc-uber-idUSKBN1DM2Q3, accessed 13 October 2020
Hern, A. (2018), Uber fined £385,000 for data breach affecting millions of passengers, The Guardian, https://www.theguardian.com/technology/2018/nov/27/uber-fined-385000-for-data-breach-affecting-millions-of-passengers-hacked, accessed 12 October 2020
Information Commissioner's Office of the United Kingdom (2018a), Democracy disrupted? Personal information and political influence, https://ico.org.uk/media/2259369/democracy-disrupted-110718.pdf, accessed 25 September 2020
Information Commissioner's Office of the United Kingdom (2018b), Personal data breaches, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/, accessed 28 October 2020
Kešetović, Ž., Korajlić, N., Toth, I. (2013), Krizni menadžment (Crisis Management), Sarajevo: University of Sarajevo, Faculty of Criminology, Criminology and Security Studies; Velika Gorica: University of Applied Sciences Velika Gorica
Luecke, R. (2005), Upravljanje kriznim situacijama (Crisis Management), Zagreb: Zgombić & Partneri (translation of the Harvard Business School publication)
Ougustin, N. R. (2010), Upravljanje kriznim situacijama (Managing Crisis), Beograd: Data Status (translation of the Harvard Business School publication)
Somerville, H. (2017), Uber may have just lost $20.5bn in value, Independent, https://www.independent.co.uk/news/business/news/uber-shares-latest-update-value-lost-billinos-softbank-japan-discount-ride-sharing-taxi-a8079511.html, accessed 12 October 2020
Statista (2020), Global net revenue of Uber from 2013 to 2019, https://www.statista.com/statistics/550635/uber-global-net-revenue/, accessed 23 October 2020
Sučević, D. (2010), Krizni menadžment (Crisis Management), Zagreb: Lider
Tkalac Verčić, A., Sinčić Ćorić, D., Pološki Vokić, N. (2010), Priručnik za metodologiju istraživačkog rada (Manual for research methodology), Zagreb: M.E.P. d.o.o.
Torre, L. (2019), The Uber Breach Story: On how security woes can lead to a criminal complaint, Medium.com, https://medium.com/golden-data/case-study-uber-technologies-inc-data-breach-7261484d6471, accessed 21 October 2020
Yin, R. K. (2007), Studija slučaja: dizajn i metode (Case study: design and methods), Zagreb: Faculty of Political Sciences
