Uber breaches Australian privacy laws

Reviewed by Malcolm Burrows

The recent decision by the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, (Commissioner) in Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (Uber) has provided further guidance as to exactly who is bound by the Privacy Act 1988 (Cth) (Act) through the ‘Australian link’ set out in subsections 5B(2)-(3) (Australian Link).  A full breakdown of what amounts to an Australian Link can be viewed in another article here.  This article discusses the Australian Privacy Principles (APPs) that Uber breached and what the ride-sharing entity was ordered to do in response to its non-compliance with the Act.

Current Australian privacy law

Section 15 of the Act states:

“APP entities must comply with [APPs]

An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.”

Furthermore, subsection 13(1)(a) of the Act states:

Interferences with privacy

APP entities

(1)  An act or practice of an APP entity is an interference with the privacy of an individual if:

(a)  the act or practice breaches an [APP] in relation to personal information about the individual

The APPs are outlined in Schedule 1 of the Act.  Relevant APPs to this article are:

1.2  An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:

(a)  will ensure that the entity complies with the [APPs] and a registered APP code (if any) that binds the entity; and

(b)  will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the [APPs] or such a code.

11.1  If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

(a)  from misuse, interference and loss; and

(b)  from unauthorised access, modification or disclosure.

11.2  If:

(a)  an APP entity holds personal information about an individual; and

(b)  the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and

(c)  the information is not contained in a Commonwealth record; and

(d)  the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

Uber – the facts

Uber Technologies, Inc. (a body corporate incorporated in the United States) (UTI) and Uber B.V. (a body corporate incorporated in the Netherlands) (UBV) (together: Uber Companies) have been offering the Uber app (Uber App) in Australia since September 2012.[1]  Since that date, the Uber App has collected personal information of its users (be they riders, drivers or both), including names, email addresses, phone numbers and driver’s licence numbers.[2]  This data was stored by the Uber Companies on Amazon servers in the United States, which were accessible by UTI employees.[3]  Between 13 October and 15 November 2016, this data was breached (Data Breach) by hackers using the credentials of some UTI employees.[4]  Approximately 1.2 million Australian users of the Uber App (Australian Users) were affected by the Data Breach.[5]  Australian Users’ names, email addresses, phone numbers and driver’s licence numbers were among the information accessed by the hackers.

Did the Uber Companies take reasonable steps to implement processes – APP 1.2

The Commissioner referred to the ‘reasonable steps’ test provided by the Office of the Australian Information Commissioner — APP Guidelines (Guidelines) which provides that the following are to be considered when determining a breach of APP 1.2:[6]

  • the nature of the personal information held;
  • the possible adverse consequences for an individual if their personal information is not handled as required by the APPs;
  • the nature of the APP entity, for example, relevant considerations include an entity’s size, resources and its business model; and
  • the practicability, including time and cost involved.

The Commissioner also referenced some examples of ‘reasonable steps’ given by the Guidelines, being:[7]

  • procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction or de-identification;
  • security systems for protecting personal information from misuse, interference and loss and from unauthorised access, modification or disclosure, such as IT systems, internal access controls and audit trails;
  • procedures for identifying and responding to privacy breaches, handling access and correction requests and receiving and responding to complaints and inquiries;
  • governance mechanisms to ensure compliance with the APPs (such as a designated privacy officer and regular reporting to the entity’s governance body); and
  • regular staff training and information bulletins on how the APPs apply to the entity, and its practices, procedures and systems developed under APP 1.2.

The Commissioner was of the view that the Uber Companies did not:[8]

  • identify the vulnerability adequately;
  • disclose the vulnerability responsibly;
  • promptly conduct a full assessment of all personal information that may have been accessed by the Data Breach;
  • promptly disclose the Data Breach; or
  • conduct internal audits to confirm proper handling of data breaches.

Therefore, the Uber Companies were found not to have had adequate systems in place to handle data breaches and so breached APP 1.2.[9]

Did the Uber Companies take reasonable steps to protect data – APP 11.1

The Commissioner stated:

…that ‘reasonable steps’ must include both documented policies and procedures, and behaviours consistent with those policies and procedures[10]

While the Commissioner accepted that the Uber Companies had taken some steps to protect the personal information they had collected from unauthorised access,[11] they had failed to take ‘reasonable steps’ due to:[12]

  • there being no multi-factor authentication requirement for access to the held data;
  • the functional access keys being stored in plain text in code;
  • the access keys not being rotated regularly;
  • the file backups not being encrypted or deleted in accordance with UTI’s normal process; and
  • there being a foreseeable risk in the amount of personal information processed by individuals at UTI.

Therefore, the Commissioner held the Uber Companies to be in breach of APP 11.1.[13]

Did the Uber Companies take reasonable steps to destroy irrelevant data – APP 11.2

The Commissioner referred to the ‘reasonable steps’ test provided by the Guidelines at paragraph [11.33] which provides that the following are to be considered when determining a breach of APP 11.2:[14]

  • the amount and sensitivity of the personal information;
  • the possible adverse consequences for an individual if their personal information is not destroyed or de-identified;
  • the entity’s information handling practices, such as how it collects, uses and stores personal information, including whether personal information handling practices are outsourced to third parties;
  • the nature of the APP entity, for example, relevant considerations include an entity’s size, resources and its business model; and
  • the practicability, including time and cost involved.

First, the Commissioner considered whether the personal information was no longer needed for any purpose.  The personal information was contained in backup files created in connection with an internal process that had since been completed.[15]  The backups were no longer needed once that internal process was complete, and therefore the personal information contained in them should have been deleted or de-identified.[16]

However, due to:

  • the files not being deleted in the normal process;[17]
  • there not being any evidence the Uber Companies put policies or procedures in place to destroy or de-identify the personal information;[18]
  • the Uber Companies not being aware of the backup files’ existence;[19]
  • there being serious foreseeable risk of this personal information getting into the wrong hands;[20] and
  • there being multiple deficiencies in UTI’s information handling practices,[21]

the Commissioner was of the view that the Uber Companies had not taken ‘reasonable steps’ to destroy or de-identify the personal information and were therefore in breach of APP 11.2.[22]
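The deficiencies the Commissioner identified under APP 11.1 (no multi-factor authentication, access keys in plain text in code, keys not rotated, backups not encrypted) and APP 11.2 (backups retained after their purpose ended without destruction or de-identification) are all conditions an entity can test for itself. The following is an added illustration, not code from the decision, from the Uber Companies or from Dundas Lawyers: a small Python check that scans source text for hard-coded key literals and audits an inventory of data stores against those findings. The inventory records, the 90-day rotation threshold, the key-literal pattern and the field names are constructed assumptions for the example.

```python
"""Policy-as-code check modelled on the APP 11.1 / APP 11.2 findings.

Added illustration only: the stores, dates, threshold and key pattern below
are constructed assumptions, not Uber's systems or the Commissioner's wording.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation interval for access keys

# Assumed shape of a long-lived access key literal embedded in source code:
# a name like ACCESS_KEY or SECRET assigned a quoted string of 16+ key-like chars.
KEY_LITERAL = re.compile(
    r"""(?i)(access[_-]?key|secret)\s*=\s*['"][A-Za-z0-9/+]{16,}['"]"""
)


@dataclass
class DataStore:
    name: str
    mfa_required: bool           # APP 11.1: MFA enforced on access to held data
    key_rotated_on: date         # APP 11.1: last rotation of the access key
    backups_encrypted: bool      # APP 11.1: backups encrypted at rest
    retention_ends: Optional[date]  # APP 11.2: None means still needed for a purpose
    destroyed: bool              # APP 11.2: destroyed or de-identified after that date


@dataclass
class Finding:
    store: str
    principle: str  # "APP 11.1" or "APP 11.2"
    issue: str


def scan_source_for_keys(source: str) -> List[int]:
    """Return the 1-based line numbers that hold what looks like a hard-coded key."""
    return [n for n, line in enumerate(source.splitlines(), 1) if KEY_LITERAL.search(line)]


def audit_store(store: DataStore, today: date) -> List[Finding]:
    """Evaluate one data store against the APP 11.1 and 11.2 conditions."""
    findings: List[Finding] = []
    if not store.mfa_required:
        findings.append(Finding(store.name, "APP 11.1", "no multi-factor authentication on access"))
    key_age = today - store.key_rotated_on
    if key_age > MAX_KEY_AGE:
        findings.append(Finding(store.name, "APP 11.1", f"access key not rotated for {key_age.days} days"))
    if not store.backups_encrypted:
        findings.append(Finding(store.name, "APP 11.1", "backups stored unencrypted"))
    # APP 11.2 applies only once the information is no longer needed for any purpose.
    if store.retention_ends is not None and store.retention_ends < today and not store.destroyed:
        findings.append(Finding(store.name, "APP 11.2",
                                "personal information retained past its purpose without destruction or de-identification"))
    return findings


def audit(stores: List[DataStore], source_files: Dict[str, str], today: date) -> List[Finding]:
    """Run both checks and return every finding, source-code hits included."""
    findings: List[Finding] = []
    for path, text in source_files.items():
        for line_no in scan_source_for_keys(text):
            findings.append(Finding(path, "APP 11.1", f"hard-coded access key on line {line_no}"))
    for store in stores:
        findings.extend(audit_store(store, today))
    return findings


# Constructed sample inventory: one store that meets the conditions, one that fails all of them.
TODAY = date(2024, 1, 15)
SAMPLE_STORES = [
    DataStore("rider-db", mfa_required=True, key_rotated_on=date(2023, 12, 1),
              backups_encrypted=True, retention_ends=None, destroyed=False),
    DataStore("legacy-backup", mfa_required=False, key_rotated_on=date(2023, 6, 1),
              backups_encrypted=False, retention_ends=date(2023, 9, 30), destroyed=False),
]
# Constructed source snippets: one embeds a key literal, one reads it from the environment.
SAMPLE_SOURCE = {
    "deploy.py": 'ACCESS_KEY = "CONSTRUCTEDKEY0123456789"\nregion = "ap-southeast-2"\n',
    "config.py": 'ACCESS_KEY = os.environ["ACCESS_KEY"]\n',
}

if __name__ == "__main__":
    for f in audit(SAMPLE_STORES, SAMPLE_SOURCE, TODAY):
        print(f"{f.principle}: {f.store}: {f.issue}")
```

Each finding maps to one of the conditions the Commissioner listed, so the output reads directly as an APP 11.1 or APP 11.2 gap; the retention check deliberately stays silent while `retention_ends` is `None`, because APP 11.2 is only engaged once the entity no longer needs the information for any purpose.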

Remedies

The Commissioner ordered that, by 30 October 2021, the Uber Companies must, among other things:[23]

  • implement an incident response plan to ensure compliance with APP 1.2 and 11.1;
  • implement a security program to ensure compliance with APP 11.1;
  • implement a data retention and destruction policy to ensure compliance with APP 11.2; and
  • engage an independent expert to prepare a report that sets out actions and their reasonable timeframes for the Uber Companies to comply with.

Takeaways

While most Australian legislation will only apply to entities and citizens within the country, the Privacy Act 1988 (Cth) has international application through the Australian Link.[24]  Entities with this Australian Link can be penalised for breaching the Act.  This will occur whether the entity is aware of the Act or not.  Such was the case with the Uber Companies, who faced penalties for not being aware of, and thus not meeting, their legal obligations.  The Commissioner directed the Uber Companies to, among other things, implement multiple plans, policies and programs to ensure their compliance with the Act.  It was also ordered that the Uber Companies engage an independent expert to form a plan of action to ensure compliance.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Cases

Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34

Other materials

Explanatory Memorandum

Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth)

Further information on privacy compliance for businesses

If you need advice on your legal obligations or risks you may have as an APP entity under the Privacy Act 1988, contact us for a confidential and obligation-free discussion:


[1] Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (Uber) [4], [38].

[2] Uber [4].

[3] Uber [6].

[4] Uber [6].

[5] Uber [8].

[6] Uber [116]; see also Office of the Australian Information Commissioner, APP Guidelines [1.6].

[7] Uber [115]; see also Office of the Australian Information Commissioner, APP Guidelines [1.7].

[8] Uber [125-35].

[9] Uber [137].

[10] See also Office of the Australian Information Commissioner, Telstra Corporation Limited: Own motion investigation report.

[11] Uber [89], [93].

[12] Uber [94-5].

[13] Uber [97].

[14] Uber [99].

[15] Uber [103].

[16] Uber [104].

[17] Uber [106].

[18] Uber [108].

[19] Uber [108].

[20] Uber [110].

[21] Uber [109-10].

[22] Uber [112].

[23] Uber [2].

[24] Privacy Act 1988 (Cth) s 5B(2)-(3).
