Mr BARTON (Eastern Metropolitan) (18:12): (1425) My adjournment tonight is for Minister Carroll, the Minister for Public Transport. On 23 July this year the Australian Information Commissioner and Privacy Commissioner determined that Uber interfered with the privacy of an estimated 1.2 million Australians. It was found that Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016. Uber breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access. They also failed to take reasonable steps to comply with the Australian Privacy Principles. Now, what makes this worse is that Uber chose to pay the attackers a reward through a bug bounty program. They did not conduct a full assessment of the personal information that may have been accessed, nor did they publicly disclose the breach until over a year later.
Uber has tried to argue that it is not subject to Australia’s Privacy Act, as Australians’ personal information is being indirectly transferred to overseas-based companies and their services. How could this be? Uber is attempting to circumvent our laws and regulations that protect the public and their right to privacy. We are letting Uber take our personal information overseas, only to have it stolen, with no breach of personal information publicly declared for over one year. When our personal information is not protected, we are vulnerable to exploitation and at risk of serious harm. Who is to hold Uber accountable for their management of our personal information when the regulator themselves could be engaging in data overreach?
Given Uber sends and stores its data outside of Victoria and Australia, I am concerned that this may contravene government data standards. This is a government program, and it must adhere to the state and federal laws for data standards. Therefore the action I seek is for the minister to investigate that the personal details of those vulnerable multipurpose taxi program users are collected and protected in keeping with state and federal laws for data standards which the government program must adhere to.
See speech here.