Uber decision a stark reminder of the extraterritorial reach of the Privacy Act 1988 (Cth)

The Office of the Australian Information Commissioner's (OAIC) decision on 30 June 2021¹ that two non-Australian entities, Uber Technologies, Inc. (UTI) and Uber B.V. (UBV) (together, the Uber Companies), breached the Privacy Act 1988 (Cth) (Privacy Act) following a data breach in October/November 2016 is a timely and stark reminder of the extraterritorial reach of the Privacy Act.

In short, even if a foreign corporation has no physical presence in Australia and only has an online presence, it may still be subject to the jurisdiction of the Privacy Act. This is so even if that foreign company has outsourced the handling of Australians’ personal information to companies within their corporate group through "data processing" agreements or similar arrangements.

In this article, we unpack the extraterritorial jurisdiction provisions in the Privacy Act. Further, in light of the OAIC's finding that each of the Uber Companies interfered with the privacy of approximately 1.2 million Australians under the Australian Privacy Principles (APPs), we conclude with some observations as to what could have been done to ensure compliance with the Privacy Act.

Jurisdiction issue: "Australian link" found

The APPs² regulate the collection, use, disclosure and security of personal information held by Australian government agencies and, subject to several exceptions, private sector organisations (APP entities).

An APP entity is defined under section 6(1) of the Act to include an "organisation", and an "organisation" includes a body corporate that is not (relevantly) a small business operator. UTI is a body incorporated in the United States and the parent company of UBV. UBV is a body incorporated in the Netherlands. Both Uber Companies were found to be APP entities.

The Privacy Act extends to an act done, or practice engaged in, outside Australia by an organisation that has an "Australian link" (section 5B).

The key issue in the OAIC's decision was, therefore, whether the Uber Companies had an "Australian link" so as to come within the extraterritorial jurisdiction provisions of the Act.

What does it mean to have an "Australian link"?

The Uber Companies are foreign entities and, as such, in order to have an "Australian link" they must:

1. carry on business in Australia; and
2. have collected or held personal information in Australia, either before or at the time of the act or practice.

The Uber Companies did not dispute that UBV fell under the jurisdiction of the Privacy Act. However, UTI submitted that it was not an APP entity and, therefore, the OAIC did not have jurisdiction to find it breached the Privacy Act or to make a determination against it.

UTI disputed that it carried on business in Australia. Pursuant to the 2016 Data Processing Agreement UTI had entered into with UBV (2016 DPA), UTI was contractually required to process data on a global basis on behalf of UBV, which included the personal information of Australian riders and drivers, in accordance with UBV's instructions. UTI submitted that none of these data processing activities occurred in Australia.

UTI also submitted that it did not collect or hold the personal information of Australian users in Australia at the time of the data breach, as it received such information only after it was provided to UBV through the Uber app or website. The diagram below illustrates the data processing process under the 2016 DPA.

Commissioner's jurisdiction finding

Commissioner Falk found that both Uber Companies had an "Australian link", as they carried on business in Australia and collected personal information in Australia. As such, the Privacy Act extended to the acts done, and practices engaged in, by the Uber Companies during the period the data breach occurred.

Collection of personal information in Australia at the time of the data breach

The concept of "collection" is broad. It includes gathering, acquiring or obtaining personal information from any source and by any means, including from individuals and other entities, or information associated with web browsing, such as personal information collected by cookies.

Commissioner Falk held that UTI collected personal information of Australian users when they submitted personal information via the Uber app or website in Australia and the data was directly transferred to servers controlled and owned by UTI in the US. In her view, the fact that UTI might have collected Australians’ personal information pursuant to a contract with UBV was not determinative.

As for UBV, Commissioner Falk found that UBV also collected the same personal information UTI collected because UTI was required to hold and use Australian users’ personal information in accordance with UBV’s instructions. This indicated that UBV had control of the record (a document or an electronic or other device) in which the personal information was held. Further, it is possible for more than one APP entity to simultaneously collect the same personal information under the Privacy Act.

Carried on business in Australia

Commissioner Falk found that although UBV was incorporated in the Netherlands and had no physical presence in Australia, this was not determinative. The following factors led her to find that UBV carried on business in Australia at the time of the data breach:

1. UBV was, for regions outside of the US, the data controller and licensor of the Uber app, and entered into direct contractual arrangements with both Australian riders and drivers;
2. UBV was the entity with contractual responsibility for the collection of personal information of Australian users at the time of the data breach; and
3. UBV collected personal information in Australia.

In finding that UTI also carried on business in Australia at the time of the data breach, again, it was not determinative that UTI did not have a physical presence in Australia and was headquartered in the US, did not have any direct contractual or other relationship with riders or drivers in Australia, and was not involved in collecting or remitting payments in respect of Australian riders or drivers.

What was determinative were the following activities UTI undertook on a global basis as data processor for UBV under the 2016 DPA which involved Australian users:

1. UTI installed and managed authentication, security and localisation cookies and similar technologies on Australian users’ devices for the purpose of enabling users to log in and remain logged in to the Uber app and to enable security features on the Uber app;
2. Where a new service, product or safety feature was developed in the US (such as by the product engineering team), UTI would roll this out internationally, including to Australia;
3. UTI carried out troubleshooting of general bugs or issues with the Uber app in the US, for example by its product engineering teams, and then rolled out these solutions internationally, including to Australia;
4. UTI used centralised and global tools to enable UBV to carry out ad campaigns for Australian users, including by providing advertisements developed by local Uber entities for display to Australian users to third-party sites such as Google and Facebook. This included UTI centrally managing, on a global basis, the Uber group’s global pixel.

It did not matter that some or all of these activities were instituted or controlled remotely without the need for employees in Australia, or that they were carried out on behalf of UBV to facilitate UBV's provision of services to Australian users.

It was enough that the above activities demonstrated that UTI was involved in activities in Australia that amounted to, or were ancillary to, transactions that made up or supported UTI’s provision of data processing services to UBV under the 2016 DPA. When considered together with the evidence that UTI collected riders' and drivers’ personal information in Australia at the time of the data breach, the OAIC considered that it was clear evidence that UTI was engaging in activity in Australia in the nature of a commercial enterprise, which constitutes the carrying of business in Australia.

Commissioner's breach finding

Having found that the OAIC has jurisdiction, Commissioner Falk went on to make the following findings of breach by the Uber Companies:

1. the Uber Companies' act or practice interfered with the privacy of the affected Australian users by failing to:

• take reasonable steps to protect personal information against unauthorised access in breach of APP 11.1; and
• take reasonable steps to delete or de-identify personal information no longer needed for a permitted purpose in breach of APP 11.2;

2. the Uber Companies failed to comply with the requirement in APP 1.2 to take reasonable steps to implement practices, procedures and systems relating to the entity's functions or activities, to ensure compliance with the APPs.

Commissioner Falk found there were multiple deficiencies with UTI's information handling practices. There were deficiencies in the Uber Companies' security processes and practices, and there was no evidence that they implemented policies and procedures to deal with the destruction or de-identification of backup files containing personal information that were created outside of UTI's ordinary processes.

There were also deficiencies in the Uber Companies' incident response plan, which led to 11 to 12-month delays in forensic investigation into and disclosures of the breach, and a payment being made to "threat actors" (persons carrying out the cyberattack) pursuant to a bug bounty program before proper investigation was undertaken.

Key takeaways

The OAIC's jurisdiction determination reinforces the extraterritorial reach of the Privacy Act. In a time of rapid digital transformation and a growing global digital economy, organisations are increasingly conducting their business worldwide through the internet and remotely through electronic communications.

Foreign corporations and their acts or practices undertaken overseas are subject to the jurisdiction of the Privacy Act as long as an "Australian link" is found. To have an Australian link, it is not necessary that a foreign entity has a physical presence in Australia.

It is therefore important for foreign and Australian organisations to understand who, where and how they are handling Australians' personal information, including the third-party entities they have engaged through "data processing" agreements or similar arrangements to handle the Australian personal information. Supply chain management and an understanding of the flow of data within the business is paramount to an organisation's ability to implement practices, procedures and systems in compliance with the APPs. Clearly, outsourcing the processing of Australians' personal information to a foreign entity does not exclude the application of the Privacy Act.

As for the findings of breach and what the Uber Companies could have done to ensure compliance with the APPs, we make the following observations, which may be helpful when considering the policies and programs in place in your organisation:

• Although multi-factor authentication (MFA) is critical, what is more important to consider is where MFA has been implemented. Whilst UTI had MFA in place for individual user account access to the Amazon Web Services (AWS) S3 repository, which stored the backup file containing Australians' personal information, it was lacking MFA for UTI’s private repositories in GitHub³ which the threat actors hacked into, as well as MFA for programmatic access to UTI’s AWS S3 repository. This would have ensured that the threat actors would not have been able to access the compromised files unless they also had access to UTI's network.
• One of the simplest ways to reduce an organisation's vulnerability to an attack is to prevent an access-control hole. If access points are hardened, it will be more difficult for a threat actor to gain access to the domain administrative credentials or data in the first place unless more forceful measures are used. A key question to consider is therefore whether any policies are in place to prevent leaks and any access-control holes. The problem with the Uber Companies was that they failed to implement a policy that required UTI to rotate the AWS access keys on a regular basis, which could have been done easily by using a secrets management tool. UTI had also failed to implement a policy that required that functional access keys were not available in plain text in code.
• Further, it is not a reasonable step for compliance with the APPs to simply rely on the skills and expertise of the data processing company engaged. Commissioner Falk was of the view that it was not reasonable for UBV to rely almost entirely on the 2016 DPA contractual arrangements and the skill and expertise of UTI, in circumstances where UBV entrusted UTI with the processing of a substantial amount of personal information, and there was a foreseeable risk of adverse consequences to individuals if information was subject to unauthorised access.
• Finally, Commissioner Falk emphasised that all the policies and procedures that should have been in place to ensure compliance with the APPs must be operationalised. This means that as well as having the relevant policies and procedures in place, an organisation should also require regular and appropriate employee training on those policies; testing of policies, and implementation of processes to monitor compliance with policies and procedures. It is only through operationalisation of these policies and procedures that the board and employees of an organisation are able to assess their effectiveness and continually improve them.

¹ Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34.

² Set out in Schedule 1 of the Privacy Act.

³ GitHub is a third-party software development platform that was used by software engineers at UTI to store code for collaboration and development.