+61 8 9288 6000
Chinese
Services
Our People
The Firm
News
Publications
Blog
Community
Careers
Contact

Cyber Update - Uber found to have cancelled its trip with respect to its obligations under the Privacy Act

YOU MIGHT ALSO BE INTERESTED IN:
Doxxing and Privacy Reform, the Establishment of a New Statutory Tort
22 April 2024
Phisherman - Australia’s new Cyber Security Strategy protecting businesses and customers
12 February 2024
Boards Feel Unprepared To Protect Themselves From Cybersecurity Threats While Data Breaches And Privacy Complaints Rise
08 November 2023
Boards’ Oversight Of Cyber Risk - Your Obligation To Be Prepared For Attack
13 October 2023
View all Cyber & Data Protection Updates

On 30 June 2021, the OAIC found that Uber had breached the Privacy Act 1988 and in doing so interfered with the privacy of over one million Australians.

The determination followed a detailed Commissioner-initiated investigation into US-based Uber Technologies Inc (UT) and Dutch-based Uber B.V. (UBV) (collectively, the Uber Companies).

Background

  • Uber provides a service via its Uber app that allows registered users to request a trip to a specific location to which they are then matched to a nearby driver.
  • Before using the app, Australians must register and input personal information such as their name and email address, and in certain circumstances, their mobile number and credit card details.

Facts

In the period between 13 October 2016 to 15 November 2016, data that UT stored in a cloud-based storage service was subjected to an external cyber attack.

The attackers accessed and downloaded files relating to approximately 1.2 million Australian accounts and 57 million accounts worldwide.

Rather than disclosing the data breach in a responsible manner, the Uber Companies paid the attackers a reward through a bounty program.

Following the data breach, Uber did not conduct a full-scale assessment as to the data that had been accessed and did not disclose the data breach to the public until November 2017.  

Uber’s defence

In this case, UT ran the ultimately unsuccessful argument that it was not subject to the Privacy Act because it was a US-based company.

Held

Commissioner Falk was satisfied that both Uber Companies were required to comply with the Privacy Act  and found that  the Uber Companies had breached the Privacy Act.

In essence, the Uber Companies were found to have failed to undertake reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles. 

Commissioner Falk has ordered the Uber companies to:

  • prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan that complies with the Australian Privacy Principles; and
  • appoint an independent expert to review the implementation of these policies and programs, submit reports to the OAIC, and make any necessary changes recommended in the reports.

Lavan Comment

This determination:

  • demonstrates that compliance with the Australian privacy laws is not simply an obligation restricted to Australian companies; and
  • as in the determination of the Court of Justice of the European Union referred to in our article dated 13 April 2021 illustrates the increasingly globalised approach to breaches of privacy laws.

If you have any queries in relation to this article, please contact Iain Freeman or Lorraine Madden.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
SERVICES
PUBLICATIONS
AUTHOR
Level 20, 1 William Street, Perth Western Australia 6000     Telephone +61 8 9288 6000
Quadrant Advisory
   ©2016-2024 Lavan. All rights reserved.   
Privacy Policy
Terms & Credits
Site Map