Ridesharing company could not ‘uber’ out of its privacy obligations

Malcolm Campbell ||

August 11, 2021

The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, has found that ride-sharing giant Uber, which includes US-based Uber Technologies, Inc. and Dutch-based Uber B.V. (Uber) breached the Privacy Act 1988 (Cth) (Privacy Act). Following a cyber attack in October and November 2016 where the personal data of 1.2 million Australians was accessed, it has been found that Uber failed to appropriately protect the personal data of affected customers and drivers.[1] In fact, Uber paid the attackers a reward and required them to destroy the data. While there was no evidence of misuse of the data, the Office of the Australian Information Commissioner (OAIC) focused its investigation on whether Uber’s preventive measures complied with the Privacy Act.

Does the Privacy Act apply to Uber?

Uber had no physical presence in Australia, and it did not have a direct contractual relationship with Australian riders and drivers at the time of the data breach. In addition, the personal information had been directly transferred to servers in the United States. While Uber claimed that it was not subject to the Privacy Act, Commissioner Falk found that Uber had an ‘Australian link’ at the time of the data breach as, among other things, Uber carried on business in Australia. Therefore, according to section 5B(1A) of the Privacy Act, ‘the acts done, and practice engaged in’ by Uber, even though it had no presence in Australia at the time of the breach, came within the ambit of the Privacy Act.

Did Uber disclose the breach?

Instead of disclosing the breach, Uber paid the attackers a US$100,000 reward under a ‘bug bounty’ program and required them to destroy the data. Uber did not conduct an assessment of the personal information that may have been accessed and did not disclose the breach to the public until a year after the breach. Uber reported the breach to the OAIC in December 2017.

How did Uber breach the Privacy Act?

The OAIC investigated whether Uber’s preventative measures complied with the Privacy Act and found that Uber failed to comply with the following Australian Privacy Principles (APPs):

APP 11.1, which requires an entity to ‘take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and [to protect the information] from unauthorised access, modification or disclosure’.
APP 11.2, which requires an entity that no longer needs personal information it holds to ‘take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified’; and
APP 1.2, which requires an entity to take reasonable steps to ‘implement practices, procedures and systems relating to the entity’s functions or activities that will ensure’ compliance with the APPs and will enable inquiries or complaints to be dealt with.[2]

What orders were made?

Commissioner Falk ordered Uber to:

prepare, implement and maintain a data retention and destruction policy, information security program and an incident response plan in order to ensure that Uber complies with the APPs; and
appoint an independent expert to review the policies and programs, report on their implementation, submit reports to the OAIC, and make any changes that are recommended in the reports.

However, unlike the Dutch regulators who fined Uber $961,000, the British regulator who imposed a $722,000 fine and the $148 million US settlement that Uber agreed to, the OAIC did not impose a fine.

Key takeaways

The determination is a reminder that the Privacy Act has significant extraterritorial operation. Despite not having a physical presence in Australia, it is still possible for an entity to have an ‘Australian link’ and be subject to the Privacy Act.

It is also a timely reminder that organisations that are subject to the Privacy Act have ongoing obligations when dealing with personal information.

How can we help?

If you require assistance with understanding your privacy obligations, putting in place privacy policy, a data breach response plan, or responding to a data breach, please do not hesitate to contact a team member of Coleman Greig’s Commercial Advice Team, who would be more than happy to assist you.

[1] https://www.oaic.gov.au/updates/news-and-media/uber-found-to-have-interfered-with-privacy/.

[2] https://www.oaic.gov.au/privacy/australian-privacy-principles/read-the-australian-privacy-principles/.

Authors

Malcolm Campbell

PHONE +61 2 9895 9357

Email Malcolm

TAGS:
Data Breach, Privacy Act

Send an enquiry

First name

Surname

Phone number

Email address

Message

Which area of law are you enquiring about?

Preferred office location

How did you hear about us?

Any personal information you provide is collected pursuant to our Privacy Policy.

Author

Big changes ahead for the regulation of building products in NSW

July 12, 2024

All participants in the construction industry need to be aware of imminent changes to the laws regulating building products.

SafeWork NSW releases new strategy to address psychosocial hazards

July 4, 2024

The SafeWork NSW Psychological Health and Safety Strategy 2024-2026 establishes new supports for employers regarding their duties in preventing psychosocial harm in the workplace.

Workplace relations changes effective 1 July 2024

June 28, 2024

As we move into the new financial year, the Fair Work Commission (FWC) have again released their annual update for employment law. Here’s what employers need to know about the changes.

Understanding roles in the strata scheme

June 17, 2024

A strata scheme is a building or group of buildings that have been divided into lots which can be apartments, villas, offices, units or townhouses. This will be articulated in the strata plan.

Can I put my home on Airbnb?

June 11, 2024

Airbnb is a form of short-term rental accommodation. To add your property to Airbnb in NSW, you are required to meet several laws and regulations governing short-term rentals.

When are liquidators required to seek approval to retain legal counsel?

May 30, 2024

When does a liquidator (or the company he or she is appointed to) need court, creditor, or committee approval to validly retain a solicitor to act in a liquidation matter which is likely to extend for longer than three months? The answer to this question has only recently been settled.

Women wearing denim jacket and man wearing a blue skirt sit together at a table as they look at a laptop screen

How to claim for unapproved variations? Quantum meruit in construction contracts

May 23, 2024

Building contracts establish the relationship between a builder and owner. Often however, changes are made to the scope of work during the course of a project that are not anticipated in the contract.

Draft legislation released for build-to-rent tax concessions

May 16, 2024

In April 2024 the Treasury released draft legislation implementing the ‘Build-to-Rent’ (BTR) tax concessions, which were first announced in the 2023-24 Federal Budget.

Proposed changes to building and construction law in NSW

May 14, 2024

The Building Bill 2022 (the Bill) is the key avenue through which the NSW Government has proposed to reshape the culture of the building and construction industry by eliminating poor performance and improving the quality of building statewide.

Paper doll cut outs of a man, woman and two children are on a book lying on a desk. There is a gavel in the background

Family Law amendments in force this week – What you need to know

May 7, 2024

As of 6 May 2024, changes to the Family Law Act 1975 from the Family Law Amendment Act 2023 and the Family Law Amendment (Information Sharing) Act 2023, passed 19 October 2023, are in effect.

Can you dismiss an employee who fails to return to the office?

April 24, 2024

Slowly but surely, most employers are requiring employees to return to the office for at least a portion of their working week. Some employers continue to struggle with employees resistant to returning to the office or those who have an expectation that they can continue to work from home whenever it suits them.

New powers to combat phoenixing in construction

April 4, 2024

The rise of phoenixing in the building and construction industry in Australia in recent years has proved a significant challenge to regulators. Mismanagement of time or cashflow can quickly propel businesses into insolvency.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.