
Ridesharing company could not ‘uber’ out of its privacy obligations

Malcolm Campbell

The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, has found that ride-sharing giant Uber, which includes US-based Uber Technologies, Inc. and Dutch-based Uber B.V. (Uber), breached the Privacy Act 1988 (Cth) (Privacy Act). Following a cyber attack in October and November 2016 in which the personal data of 1.2 million Australians was accessed, it has been found that Uber failed to appropriately protect the personal data of affected customers and drivers.[1] In fact, Uber paid the attackers a reward and required them to destroy the data. While there was no evidence of misuse of the data, the Office of the Australian Information Commissioner (OAIC) focused its investigation on whether Uber’s preventive measures complied with the Privacy Act.

Does the Privacy Act apply to Uber?

Uber had no physical presence in Australia, and it did not have a direct contractual relationship with Australian riders and drivers at the time of the data breach. In addition, the personal information had been directly transferred to servers in the United States. While Uber claimed that it was not subject to the Privacy Act, Commissioner Falk found that Uber had an ‘Australian link’ at the time of the data breach as, among other things, Uber carried on business in Australia. Therefore, according to section 5B(1A) of the Privacy Act, ‘the acts done, and practice engaged in’ by Uber, even though it had no presence in Australia at the time of the breach, came within the ambit of the Privacy Act.

Did Uber disclose the breach?

Instead of disclosing the breach, Uber paid the attackers a US$100,000 reward under a ‘bug bounty’ program and required them to destroy the data. Uber did not conduct an assessment of the personal information that may have been accessed and did not disclose the breach to the public until a year after the breach. Uber reported the breach to the OAIC in December 2017.

How did Uber breach the Privacy Act?

The OAIC investigated whether Uber’s preventative measures complied with the Privacy Act and found that Uber failed to comply with the following Australian Privacy Principles (APPs):

  1. APP 11.1, which requires an entity to ‘take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and [to protect the information] from unauthorised access, modification or disclosure’;
  2. APP 11.2, which requires an entity that no longer needs personal information it holds to ‘take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified’; and
  3. APP 1.2, which requires an entity to take reasonable steps to ‘implement practices, procedures and systems relating to the entity’s functions or activities that will ensure’ compliance with the APPs and will enable inquiries or complaints to be dealt with.[2]

What orders were made?

Commissioner Falk ordered Uber to:

  1. prepare, implement and maintain a data retention and destruction policy, information security program and an incident response plan in order to ensure that Uber complies with the APPs; and
  2. appoint an independent expert to review the policies and programs, report on their implementation, submit reports to the OAIC, and make any changes that are recommended in the reports.

However, unlike the Dutch regulators who fined Uber $961,000, the British regulator who imposed a $722,000 fine and the $148 million US settlement that Uber agreed to, the OAIC did not impose a fine.

Key takeaways

The determination is a reminder that the Privacy Act has significant extraterritorial operation. Despite not having a physical presence in Australia, it is still possible for an entity to have an ‘Australian link’ and be subject to the Privacy Act.

It is also a timely reminder that organisations that are subject to the Privacy Act have ongoing obligations when dealing with personal information.

How can we help?

If you require assistance with understanding your privacy obligations, putting in place privacy policy, a data breach response plan, or responding to a data breach, please do not hesitate to contact a team member of Coleman Greig’s Commercial Advice Team, who would be more than happy to assist you.


© 2024 Coleman Greig Lawyers | Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230