Written by Michael Swinson & Cal Samson.
Dealing with an overlapping patchwork of disparate and sometimes contradictory privacy laws is a challenge for any multinational business. The challenge is even greater for online businesses that operate across multiple jurisdictions via a single platform (after all, the internet knows no jurisdictional boundaries). As torrents of information from around the world flow across digital platforms, it is increasingly difficult to keep track of what compliance requirements apply, particularly where domestic privacy laws have extra-territorial effect and domestic regulators claim jurisdiction over global operators.
A recent determination by the Australian Information Commissioner against Uber, made after an extensive multi-year investigation, serves as a cautionary reminder to global corporations of the scope of their potential exposure to Australian privacy laws, even if they have limited or no physical presence here. These issues are likely to be tested again in the Commissioner's ongoing civil penalty proceedings against Facebook in relation to the historical Cambridge Analytica incident (although those proceedings are still at a relatively preliminary stage and are unlikely to be resolved for some time), and it is also possible that this area of law will be simplified as part of the Government's ongoing review of the Australian Privacy Act. For now, however, the Commissioner's analysis in the Uber determination is the clearest view of how the current laws will be applied in practice.
In her determination, the Commissioner found that the US-based Uber Technologies, Inc. (Uber), and its Dutch-based subsidiary Uber B.V. (UBV), each failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber-attack in October and November 2016 (Uber Data Breach).
Specifically, the Commissioner found that each company:
- had an 'Australian link' and therefore was within the jurisdiction of the Privacy Act; and
- breached the Privacy Act as each failed to comply with their obligations under APPs 1.2 (in relation to practices and procedures), and 11.1 and 11.2 (in relation to security).
Extra-territorial application of the Privacy Act
Uber and UBV are respectively incorporated in the US and the Netherlands. Accordingly, the first substantive issue for the Commissioner was whether each company had an 'Australian link' such that they would be bound by the Privacy Act in relation to activities carried on outside Australia under the relevant jurisdictional 'hook' in section 5B of the Privacy Act.
In that respect, the Commissioner was required to be satisfied that, at the time of the Uber Data Breach, UBV and Uber each: (a) carried on business in Australia; and (b) collected or held the relevant personal information in Australia.
In respect of UBV, the Commissioner had no difficulty establishing, and it was not in dispute, that UBV carried on business in Australia and collected personal information from Australian users. At the time of the Uber Data Breach, UBV was, for regions outside of the US, both the data controller for and licensor of the Uber app, and entered into direct contractual arrangements with both Australian riders and drivers. The Commissioner held that, despite being incorporated in the Netherlands and having no physical presence in Australia, UBV clearly had an 'Australian link'.
The equivalent analysis for Uber was less straightforward, and Uber strongly disputed that it was subject to the jurisdiction of the Privacy Act. The Commissioner accepted that Uber did not have a physical presence in Australia, was headquartered in the US and did not have a direct contractual relationship with Australian riders or drivers at the time of the Uber Data Breach. Notwithstanding this, the Commissioner considered that Uber carried on business in Australia because it:
- installed and managed authentication, security and localisation cookies and similar technologies on Australian users' devices;
- rolled out new solutions (such as services, products, safety features, and troubleshooting) developed in the US on an international basis, including to Australia; and
- used centralised and global tools to enable UBV to carry out ad campaigns for Australian users.
The Commissioner relevantly held that it was not determinative that some or all of these acts may have been instituted or controlled remotely, or that they were done on behalf of UBV rather than on Uber's own behalf. Rather, touching upon requirements developed in previous case law on carrying on business in Australia, the Commissioner held that these activities demonstrated that Uber was engaging in activity in Australia, which was in the nature of a commercial enterprise, and which had a repetitive and permanent character.
The Commissioner also found that Uber collected personal information from Australian users in Australia. While UBV controlled the direct relationship with those users, in practice, data from those users was transferred straight to servers controlled and owned by Uber in the US. As such, the Commissioner was satisfied that Uber collected this information at the same time as it was collected by UBV – in other words, there was a simultaneous act of collection by the two entities. Combined with the Commissioner's conclusion that Uber was carrying on business in Australia, this meant that Uber had an 'Australian link' and was, therefore, bound to comply with the Australian Privacy Act in relation to its handling of information about Australian users.
Breaches of the APPs
The Commissioner found that both Uber companies breached the Privacy Act for failure to comply with their obligations under the APPs. In particular, the Commissioner found that both companies interfered with the privacy of the affected Australian users by failing to take reasonable steps in the circumstances to:
- protect their personal information from unauthorised access, in breach of APP 11.1; and
- destroy or de-identify their personal information once it was no longer required, in breach of APP 11.2.
Further, the Commissioner held that both UBV and Uber failed to take reasonable steps in the circumstances to implement practices, procedures and systems relating to the Uber companies' functions and activities, to ensure compliance with the APPs, in breach of APP 1.2. From UBV's perspective, it was not sufficient to simply outsource these compliance obligations to Uber, with Uber being primarily responsible for the operation of the underlying technology platforms, given the substantial amount of information about Australian users at stake and foreseeable security risks. That is, some level of oversight by UBV was still required.
As a result, the Commissioner ordered the companies to prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan to ensure compliance with APPs 1.2, 11.1 and 11.2 respectively and to appoint an independent expert to review, report and provide recommendations on these policies and programs and their implementation, and submit the reports to the OAIC.
The Commissioner noted that while both UBV and Uber have already been subjected to regulatory action in other jurisdictions in relation to the Uber Data Breach, it was still appropriate and proportionate to take further action in Australia. In reaching this conclusion, the Commissioner indicated there was a public interest in making a declaration on these matters, noting that there were: "complex issues that are specific to the Australian legislative context, including the application of the extraterritorial jurisdiction provisions in the Privacy Act to companies that outsource the handling of Australians' personal information to companies within their corporate group through 'data processing' agreements or similar arrangements".
This determination serves as a significant statement by the Commissioner as to her view on the extraterritorial application of the Privacy Act. She has publicly stated that it "makes my view of global corporations' responsibilities under Australian privacy law clear". As such, global businesses (parent companies and subsidiaries alike) with users in Australia should be on notice that they may be required to comply with Australian privacy laws.
- In the Commissioner's view, having no physical presence in Australia and no direct contractual relationship with Australians is no barrier to an international entity falling within the jurisdiction of the Privacy Act if it otherwise has a sufficient connection with business activities that take place here. Uber has indicated that it will not appeal the Commissioner's determination, so it remains to be seen whether the courts will agree with the Commissioner's views.
- An entity cannot outsource compliance obligations under the Privacy Act simply by outsourcing relevant data processing activities to a related entity, or indeed to any other entity. The outsourcing entity will need to maintain an appropriate level of oversight and involvement to ensure that there is no privacy breach by the service provider for which the outsourcing entity may ultimately share some responsibility.
- Global businesses may still face regulatory action in Australia, even if they have been subject to similar actions in other jurisdictions.