OAIC Uber determination: a reminder of privacy failings in Australia


The Office of the Australian Information Commissioner has found Uber failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016. (For more, see the OAIC's media statement dated 23 July 2021: Uber found to have interfered with privacy).

NSWCCL statement

NSWCCL welcomes the recent determination against Uber, by the Office of the Australian Information Commissioner. However, it is also acts as a warning about the failures of the management of data privacy and data breach notification in Australia.

The OAIC determined that Uber’s US parent company and Dutch subsidiary breached provisions of the Privacy Act 1988 by failing to protect the privacy of the data of 1.2 million Australian customers and drivers from cyberattack. Uber breached the Act by “not taking reasonable steps to protect Australian’s personal information from unauthorised access and to destroy or de-identify the data as required”.

The OAIC also said that Uber “failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles”.

Uber disclosed the 2016 breach more than a year later and reported it to the OAIC in December 2017.  “Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability.”  NSWCCL considers that in acting to protect its commercial interests over that of its users and failing to notify them of the breach, Uber denied them the ability to mitigate any damage.

The OAIC has ordered Uber to prepare a data retention and destruction policy, information security program and incident response plan within three months, as well as appoint an independent expert to review the actions and report to OAIC within five months.

NSWCCL continues to be concerned that Australians’ online private information is not adequately protected. The Privacy Act does not adequately deal with the privacy of digital data transactions; technology not contemplated in the original drafting of the Act. Although the government announced yet another review in December 2019, it has again delayed its progression.  Reform of the Privacy Act has now stalled and the NSWCCL urges the Commonwealth to proceed with the review as a priority.

The OAIC also stated that there were “complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group”. NSWCCL has previously raised concerns about the security of offshore storage of sensitive information, for example, COVID-19 tracing app data in Amazon web storage.

Management of data privacy needs to encompass not only robust privacy legislation and breach notification but a statutory cause of action to cover serious invasions of privacy. Users of online services need to be empowered to directly seek redress and mitigate damage caused to them, where companies like Uber fail to do so.

More information: view the full determination on Austlii.