
Ridesharing company could not ‘uber’ out of its privacy obligations

Malcolm Campbell

The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, has found that ride-sharing giant Uber (comprising US-based Uber Technologies, Inc. and Dutch-based Uber B.V., together ‘Uber’) breached the Privacy Act 1988 (Cth) (Privacy Act). Following a cyber attack in October and November 2016 in which the personal data of 1.2 million Australians was accessed, it has been found that Uber failed to appropriately protect the personal data of affected customers and drivers.[1] Rather than disclosing the breach, Uber paid the attackers a reward and required them to destroy the data. While there was no evidence of misuse of the data, the Office of the Australian Information Commissioner (OAIC) focused its investigation on whether Uber’s preventive measures complied with the Privacy Act.

Does the Privacy Act apply to Uber?

Uber had no physical presence in Australia, and it did not have a direct contractual relationship with Australian riders and drivers at the time of the data breach. In addition, the personal information had been directly transferred to servers in the United States. While Uber claimed that it was not subject to the Privacy Act, Commissioner Falk found that Uber had an ‘Australian link’ at the time of the data breach as, among other things, Uber carried on business in Australia. Therefore, according to section 5B(1A) of the Privacy Act, ‘the acts done, and practice engaged in’ by Uber, even though it had no presence in Australia at the time of the breach, came within the ambit of the Privacy Act.

Did Uber disclose the breach?

Instead of disclosing the breach, Uber paid the attackers a US$100,000 reward under a ‘bug bounty’ program and required them to destroy the data. Uber did not conduct an assessment of the personal information that may have been accessed and did not disclose the breach to the public until a year after the breach. Uber reported the breach to the OAIC in December 2017.

How did Uber breach the Privacy Act?

The OAIC investigated whether Uber’s preventive measures complied with the Privacy Act and found that Uber failed to comply with the following Australian Privacy Principles (APPs):

  1. APP 11.1, which requires an entity to ‘take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and [to protect the information] from unauthorised access, modification or disclosure’.
  2. APP 11.2, which requires an entity that no longer needs personal information it holds to ‘take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified’; and
  3. APP 1.2, which requires an entity to take reasonable steps to ‘implement practices, procedures and systems relating to the entity’s functions or activities that will ensure’ compliance with the APPs and will enable inquiries or complaints to be dealt with.[2]

What orders were made?

Commissioner Falk ordered Uber to:

  1. prepare, implement and maintain a data retention and destruction policy, information security program and an incident response plan in order to ensure that Uber complies with the APPs; and
  2. appoint an independent expert to review the policies and programs, report on their implementation, submit reports to the OAIC, and make any changes that are recommended in the reports.

However, unlike the Dutch regulator, which fined Uber $961,000, the British regulator, which imposed a $722,000 fine, and the US$148 million settlement that Uber agreed to in the United States, the OAIC did not impose a fine.

Key takeaways

The determination is a reminder that the Privacy Act has significant extraterritorial operation. Despite not having a physical presence in Australia, it is still possible for an entity to have an ‘Australian link’ and be subject to the Privacy Act.

It is also a timely reminder that organisations that are subject to the Privacy Act have ongoing obligations when dealing with personal information.

How can we help?

If you require assistance with understanding your privacy obligations, putting in place a privacy policy or a data breach response plan, or responding to a data breach, please do not hesitate to contact a member of Coleman Greig’s Commercial Advice Team, who would be more than happy to assist you.

Disclaimer: This article is for general information purposes only and is not a substitute for legal advice. For more details, please read our full disclaimer.

© 2026 Coleman Greig Lawyers | Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230