Uber found to have breached Australian privacy law
The Office of the Australian Information Commissioner has revealed that the ride-sharing and delivery app Uber has breached Australian privacy laws.
In a detailed investigation, Uber was held to have interfered with the privacy of approximately 1.2 million Australians and failed to take reasonable steps to implement practices, procedures and systems relating to Uber’s functions or activities for compliance with Australian Privacy Principles. This user data breach occurred in 2016, and at the time, Uber had no physical presence in Australia. This meant that all data collected was being fed through Amazon servers, headquartered in the United States.
Furthermore, this issue became complicated because in 2016, none of Uber’s drivers were classified as workers under the company. Consequently, Uber argued that there was no contractual duty in relation to data for drivers and also extended this notion to riders. However, this sentiment was dismissed by the Commissioner, commenting that there was a sufficient ‘Australian link’ by virtue of the extra-territoriality principle to extend the operation of the Privacy Act 1988 (Cth) to Uber and its parent company. As such, the Commissioner ordered that Uber prepare a data retention and destruction policy, an information security program, and an incident response plan to appropriately manage its user data.
Ultimately, Uber failed to take the appropriate steps to protect its Australian rider’s data but has now accepted that it is bound by Australia’s privacy laws. Uber has taken on the advice of the Commissioner as well as obtained ISO 27001 certification to improve its business information systems and internal security policies. However, this precedent will likely be carried forward to establish an ‘Australian link’ to any company that conducts business in Australia offshore. Moreover, it demonstrates the extraterritorial reach and jurisdiction of Australia’s privacy laws and will hopefully improve data management by major digital organisations.
For the full reading of the decision, see here.