On 30 June 2021, the OAIC found that Uber had breached the Privacy Act 1988 and in doing so interfered with the privacy of over one million Australians.
The determination followed a detailed Commissioner-initiated investigation into US-based Uber Technologies Inc (UT) and Dutch-based Uber B.V. (UBV) (collectively, the Uber Companies).
In the period between 13 October 2016 and 15 November 2016, data that UT stored in a cloud-based storage service was subjected to an external cyber attack.
The attackers accessed and downloaded files relating to approximately 1.2 million Australian accounts and 57 million accounts worldwide.
Rather than disclosing the data breach in a responsible manner, the Uber Companies paid the attackers a reward through a bounty program.
Following the data breach, Uber did not conduct a full-scale assessment of the data that had been accessed and did not disclose the data breach to the public until November 2017.
In this case, UT ran the ultimately unsuccessful argument that it was not subject to the Privacy Act because it was a US-based company.
Commissioner Falk was satisfied that both Uber Companies were required to comply with the Privacy Act and found that the Uber Companies had breached the Privacy Act.
In essence, the Uber Companies were found to have failed to undertake reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
Commissioner Falk has ordered the Uber Companies to: