Uber found to have interfered with the privacy of 1.2 million Australians
Australian Information and Privacy Commissioner Angelene Falk has determined that Uber Technologies, Inc. and Uber BV have violated the privacy of approximately 1.2 million Australians.
Commissioner Falk found that the Uber companies failed to adequately protect the personal information of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016.
The ruling follows detailed investigations into US company Uber Technologies Inc and Dutch company Uber BV, which involved significant jurisdictional issues as well as complex corporate agreements and information flows.
As Uber had asked the attackers to destroy the data and there was no evidence of further misuse, the Office of the Australian Information Commissioner (OAIC) investigation focused on whether Uber had preventative measures in place to protect Australians’ data.
Commissioner Falk found that the Uber companies had breached the Privacy Act 1988 by failing to take reasonable steps to protect Australians’ personal information from unauthorised access, and to destroy or de-identify the data once it was no longer needed. They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.
Rather than disclosing the breach responsibly, Uber paid the attackers a reward through a bug bounty program for identifying a security vulnerability. Uber did not conduct a full assessment of the personal information that may have been accessed until almost a year after the data breach, and did not publicly disclose the breach until November 2017.
Commissioner Falk said regulatory action was warranted in Australia following actions taken in other jurisdictions in relation to the cyber attack.
“We need to make sure that in the future Uber protects the personal information of Australians in accordance with privacy law,” she said.
“The case also raises complex issues regarding the application of privacy law to overseas-based companies that outsource the processing of Australians’ personal information to other companies within their group of companies.”
In this case, the Australians’ personal information was transferred directly to servers in the United States as part of an outsourcing agreement, and the United States-based company argued that it was not subject to the Privacy Act.
Commissioner Falk said she was satisfied that both Uber companies were required to comply with the Privacy Act.
“This determination clarifies my view of the responsibilities of global businesses under Australian privacy law,” said Commissioner Falk.
“Australians need to be assured that they are protected by privacy law when providing personal information to a company, even if it is transferred overseas within the group of companies.”
Commissioner Falk ordered the Uber companies to:
- prepare, implement and maintain a data retention and destruction policy, an information security program and an incident response plan that will ensure the companies comply with the Australian Privacy Principles
- appoint an independent expert to review and report on these policies and programs and their implementation, submit the reports to the OAIC, and make any necessary changes recommended in the reports.
The full determination can be found at oaic.gov.au/privacy-determinations