04 Jan “Uber” Decision puts teeth into Australian Privacy Laws
A recent decision by Australian Information and Privacy Commissioner, Angelene Falk, has set a new standard on both data privacy and the disclosure of breach requirements to the regulator.
The Commissioner in a landmark privacy ruling found against Uber over a hack of the personal details of 1.2 million Australian customers and drivers.
Why was “Uber” in the Commissioner’s cross-hairs?
Uber Technologies, Inc. (a body corporate incorporated in the United States) (UTI) and Uber B.V. (a body corporate incorporated in the Netherlands) (UBV) (together: Uber Companies) have been offering the Uber app (Uber App) in Australia since September 2012. Since that date, the Uber App has collected personal information of its users (be they riders, drivers, or both), which includes names, email addresses, phone numbers and driver’s licence numbers. This data was stored by the Uber Companies on Amazon servers in the United States, where it was accessible by UTI employees. Between 13 October and 15 November 2016 this data was breached by hackers using the credentials of some UTI employees. Approximately 1.2 million Australian users of the Uber App were affected by the data breach. Australian users’ names, email addresses, phone numbers, and driver’s licence numbers were part of a major hack of more than 57 million Uber customers and drivers across the globe.
Uber’s failure to maintain proper security over people’s personal information was found by the Commissioner to be a breach of the Australian privacy laws even though Uber had no physical presence in Australia, and it did not have a direct contractual relationship with Australian riders and drivers at the time of the data breach.
Uber claimed that it was not subject to the Privacy Act as the personal information had been directly transferred offshore and held on servers in the United States. However, Commissioner Falk found that Uber had an “Australian link” at the time of the data breach as, among other things, Uber carried on business in Australia. Therefore, under section 5B(1A) of the Privacy Act 1988 (Cth) (Privacy Act), the acts done and practices engaged in by Uber, even though it had no physical presence in Australia at the time of the breach, came within the ambit of the Privacy Act because of this “Australian link”.
“Uber’s” attempted cover-up
Instead of disclosing the breach, Uber paid the hackers a US$100,000 ransom on the basis that the hackers would destroy the stolen data.
The payment was made under the guise of what the information security industry calls a “bug bounty”, a programme under which companies such as Uber pay uncontracted third parties to find vulnerabilities in their IT systems. The Commissioner did not consider the use of a “bug bounty” in this way to be a sufficient risk mitigation process.
The Commissioner also found that Uber failed to comply with a number of the Australian Privacy Principles contained within the Privacy Act. These failures included not taking reasonable steps to protect personal information that was no longer needed for its permitted purpose, and failing to take steps to have proper systems in place.
Why is this ruling important?
The Uber ruling has broadened how the Privacy Act will in future be interpreted and applied to global businesses, such as cloud providers and technology providers, which considered that they operated outside Australian law because they were not selling to Australian customers, only storing their personal information.
Through this expanded reading of the definitions within the Privacy Act, it is now possible for an overseas entity to have an “Australian link” and therefore be subject to the provisions of the Privacy Act.
While most Australian legislation applies only to entities and citizens within the country, the Privacy Act 1988 (Cth) has international application through the “Australian link” provision. Entities with this “Australian link” can be penalised for breaching the Act irrespective of whether the entity is aware of the provisions within the Act or not. Such was the case with the Uber Companies, which faced penalties and sanctions because they were not aware of, and thus did not meet, their legal obligations. The ruling is also a wake-up call for IT departments within business entities. It is not sufficient for them to focus only on protecting their front-end systems; they need to put equal focus on their back-end systems and safeguards, including the employee credentials that grant access to stored personal information.
How can & Legal Help?