Uber appoints first privacy and data protection chiefs

After almost of decade of being in business, Uber has announced two key privacy and data protection appointments as CEO Dara Khosrowshahi forges ahead with plans for the company’s initial public offering (IPO) in the next year.

Former Intel chief privacy and security counsel Ruby Zefo has been announced as Uber’s first chief privacy officer, starting on 6 August and TomTom vice-president of privacy security Simon Hania is to join Uber as its first data protection officer (DPO) in the autumn.

Until now, privacy was a shared responsibility across all business units in Uber, with no centralised group or individual being in charge.

According to Uber, Zefo – who is a board member of the International Association of Privacy Professionals (IAPP) – will be based in San Francisco and will fill “a critical global role responsible for the development and implementation of privacy standards, procedures and processes” in every market where the company operates.

According to Uber, Zefo has demonstrated strong leadership in building privacy programmes, teams and governance frameworks at a global scale.

Hania, who reportedly has a deep knowledge of European privacy law, will be based in Amsterdam and will oversee Uber's compliance with the EU’s General Data Protection Regulation (GDPR), which requires all companies to appoint a DPO where core activities involve collecting or processing EU citizens’ personal data.

Since the GDPR went into force in May, Uber has been using an outside firm based in the Netherlands as its interim DPO. When Hania takes up his post, he will “independently oversee Uber’s compliance with EU data protection laws”, the company said.

The key appointments come after embarrassing data breaches in 2014 and 2016, although the second breach only came to light in 2017, when it emerged that 57 million user accounts had been affected, including an estimated 2.4 million in the UK, and that Uber had paid hackers $100,000 through its bug bounty programme to delete the stolen data and keep quiet about the breach.

The 2016 breach, which included names, phone numbers and email addresses of Uber users, resulted in the revision of the settlement deal Uber had agreed with the US Federal Trade Commission over the 2014 breach.

The revised settlement added requirements that Uber keep records related to bug bounty reports and submit audits of its security systems on a regular basis.

Khosrowshahi, who was appointed CEO after Uber’s co-founder and first CEO Travis Kalanick was ousted in 2017 amid accusations that the company’s work culture condoned sexual harassment and gender discrimination, has been tasked with reforming and stabilising the company as well as improving transparency.

The appointment of Zefo and Hania come just a week after Uber announced the appointment of its first chief compliance officer, but the search for the right candidate to fill the role of chief financial officer, which has been vacant since 2015, still continues. Filling this role is viewed as a critical step ahead of its IPO, according to commentators.

But, before then, Khosrowshahi has to deal with an investigation by the Equal Employment Opportunity Commission after Uber employees filed several complaints against chief operating officer Barney Harford for racial and gender insensitivity, which started in August 2017, but only became public recently, according to financial information website MarketWatch.