Cyber Update - Uber found to have cancelled its trip with respect to its obligations under the Privacy Act

On 30 June 2021, the OAIC found that Uber had breached the Privacy Act 1988 and in doing so interfered with the privacy of over one million Australians.

The determination followed a detailed Commissioner-initiated investigation into US-based Uber Technologies Inc (UT) and Dutch-based Uber B.V. (UBV) (collectively, the Uber Companies).

Background

  • Uber provides a service via its Uber app that allows registered users to request a trip to a specific location, after which they are matched with a nearby driver.
  • Before using the app, Australians must register and input personal information such as their name and email address, and in certain circumstances, their mobile number and credit card details.

Facts

In the period between 13 October 2016 and 15 November 2016, data that UT stored in a cloud-based storage service was subjected to an external cyber attack.

The attackers accessed and downloaded files relating to approximately 1.2 million Australian accounts and 57 million accounts worldwide.

Rather than disclosing the data breach in a responsible manner, the Uber Companies paid the attackers a reward through a bug bounty program.

Following the data breach, Uber did not conduct a full-scale assessment of the data that had been accessed and did not disclose the data breach to the public until November 2017.

Uber’s defence

In this case, UT ran the ultimately unsuccessful argument that it was not subject to the Privacy Act because it was a US-based company.

Held

Commissioner Falk was satisfied that both Uber Companies were required to comply with the Privacy Act and found that the Uber Companies had breached the Privacy Act.

In essence, the Uber Companies were found to have failed to undertake reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.

Commissioner Falk has ordered the Uber Companies to:

  • prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan that complies with the Australian Privacy Principles; and
  • appoint an independent expert to review the implementation of these policies and programs, submit reports to the OAIC, and make any necessary changes recommended in the reports.

Lavan Comment

This determination:

  • demonstrates that compliance with the Australian privacy laws is not simply an obligation restricted to Australian companies; and
  • like the determination of the Court of Justice of the European Union referred to in our article dated 13 April 2021, illustrates the increasingly globalised approach to breaches of privacy laws.

If you have any queries in relation to this article, please contact Iain Freeman or Lorraine Madden.