Following an FTC complaint, the background of which Jason Wool explains in great detail here, the Commission has issued a Decision and Order against Uber with serious implications for the company's future approach to privacy.
Among the main provisions contained in this Order, Uber is required to establish and implement a new and comprehensive privacy program
reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of Personal Information.
That is, beyond the generic obligations of privacy and confidentiality (more on this below), it seems that the FTC is imposing on Uber the obligation to incorporate the principles of privacy by design into its product and service development cycles, something that comes pretty close to the European Union's recent approach introduced in the brand new General Data Protection Regulation (see in more detail its art. 25 GDPR).
Also, when outlining Uber's privacy and confidentiality obligations, the FTC refers to a figure very similar to the Data Protection Officer (DPO), also introduced in the European GDPR (see arts. 37 ff.). Specifically, the Commission imposes the designation of
an employee or employees to coordinate and be responsible for the privacy program.
As if this were not enough, the FTC's Decision additionally imposes a biennial assessment completed by a qualified, objective, independent third-party professional, a thorough compliance report one year after the issuance date of the order, and an obligation of record keeping for 20 years, among others.
Tough regulatory times for disruptive companies.