The Australian Information Commissioner and Privacy Commissioner has found that Uber failed to protect the personal data of Australians following a cyber-attack in 2016. It was found that Uber paid the attackers a reward and required them to subsequently destroy the data. The Office of the Australian Information Commissioner investigated whether Uber’s preventative measures complied with the Privacy Act 1988 (Cth) (‘Privacy Act’).

Do Australian Privacy Laws apply to International Companies?

Uber does not have a head office in Australia and therefore has no physical presence in Australia. As such, it did not have a direct contractual relationship with Australian drivers or passengers when the data breach occurred. Uber claimed that it was not subject to the requirements under the Privacy Act. However, the Commissioner determined that, as Uber carried on business in Australia, section 5B(1A) of the Privacy Act applied. This section extends the operation of the Privacy Act extra-territorially to the acts of organisations that carry on business in Australia, even though they are registered or physically located outside Australia.

How did Uber breach the Privacy Act?

In its findings, the Commissioner determined that Uber failed to comply with three Australian Privacy Principles (APPs). We have written a previous article explaining these principles in more detail. In this case, the main breaches were:

  • APP 11.1, which requires an entity to ‘take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and [to protect the information] from unauthorised access, modification or disclosure’.
  • APP 11.2, which requires an entity that no longer needs personal information it holds to ‘take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified’.
  • APP 1.2, which requires an entity to take reasonable steps to ‘implement practices, procedures and systems relating to the entity’s functions or activities that will ensure’ compliance with the APPs and will enable inquiries or complaints to be dealt with.

As a consequence of these breaches, the Commissioner ordered Uber to implement a comprehensive data retention and destruction policy, an information security program and an incident response program to ensure that it can comply with the APPs moving forward. However, no fines were imposed on the organisation.

This decision has made clear that global corporations will be held liable under Australian privacy laws even if customers’ personal information is retained overseas. It is also important to note that Uber has faced proceedings in other jurisdictions, including the United Kingdom, for similar breaches, and that monetary sanctions were imposed there.

How Etheringtons Solicitors can help

The findings of the Commissioner are a timely reminder of the importance for both international and domestic entities that operate within Australia of ensuring they are meeting their obligations when dealing with personal information. If you require assistance with understanding privacy obligations, do not hesitate to get in contact with our experienced team by calling (02) 9963 9800 or via our contact form.