Latest News


Media Releases

Uber Privacy Act Breaches

Aug 5, 2021 | CPV Inquiry, MPTP Inquiry, News, Parliament

Mr BARTON (Eastern Metropolitan) (18:12): (1425) My adjournment tonight is for Minister Carroll, the Minister for Public Transport. On 23 July this year the Australian Information Commissioner and Privacy Commissioner determined that Uber interfered with the privacy of an estimated 1.2 million Australians. It was found that Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016. Uber breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access. They also failed to take reasonable steps to comply with the Australian Privacy Principles. Now, what makes this worse is that Uber chose to pay the attackers a reward through a bug bounty program. They did not conduct a full assessment of the personal information that may have been accessed, nor did they publicly disclose the breach until over a year later.

Uber has tried to argue that it is not subject to Australia’s Privacy Act, as Australians’ personal information is being indirectly transferred to overseas-based companies and their services. How could this be? Uber is attempting to circumvent our laws and regulations that protect the public and their right to privacy. We are letting Uber take our personal information overseas, only to have it stolen, with no breach of personal information publicly declared for over one year. When our personal information is not protected, we are vulnerable to exploitation and at risk of serious harm. Who is to hold Uber accountable for their management of our personal information when the regulator themselves could be engaging in data overreach?

Uber Privacy Act Breaches

No Description


Earlier this year Uber was approved by Commercial Passenger Vehicles Victoria to take part in the multipurpose taxi program. This is a government scheme which subsidises commercial passenger vehicle fares for people with accessibility or mobility needs, and as an authorised booking service provider within the multipurpose taxi program, Uber collects and stores information about MPTP members, the trips they have undertaken and their credit card details.

Given Uber sends and stores its data outside of Victoria and Australia, I am concerned that this may contravene government data standards. This is a government program, and it must adhere to the state and federal laws for data standards. Therefore the action I seek is for the minister to investigate that the personal details of those vulnerable multipurpose taxi program users are collected and protected in keeping with state and federal laws for data standards which the government program must adhere to.


Answered: 26 August 2021 from Hon. Ben Carroll

In recognition that some individuals with mobility limitations cannot safely and independently use the public transport network, the Government is proud to support disability inclusion through the Multi Purpose Taxi Program (MPTP). The MPTP supports affordable transport options for members, enabling trips for social, economic, and medical reasons that may otherwise not hav

The Government values and is committed to protecting the privacy of all Victorians, including MPTP members. I am advised that Commercial Passenger Vehicles Victoria does not provide personal information of MPTP members to Uber, or any other data collection provider contracted to facilitate the payment of MPTP subsidies. When an MPTP member takes a trip with a commercial passenger vehicle service of their choice, MPTP members voluntarily provide their own personal information, including their MPTP member number to data collection providers for the purposes of validating the amount of the subsidy for a trip.

I am further advised that CPVV requires all approved data collection providers to comply with applicable Federal and Victorian privacy laws, including the Victorian Information Privacy Principles and the Protective Data Security Standards. These conditions are set out in the Data Collection Provider Contract template publicly available on the CPVV Website.

I understand that the Office of the Australian Information Commissioner (OAIC), the independent national regulator for privacy and freedom of information, has already made a determination with respect to the application of the Federal Privacy Act to Uber. Consistent with that determination, OAIC has also made a number of declarations with respect to Uber’s management of personal information.

Here in Victoria, the Office of the Victorian Information Commissioner (OVIC) is Victoria’s regulator for information access, information privacy, and data protection. I understand that this matter has also been raised with OVIC, and preliminary inquiries are being undertaken by OVIC.

Share this:

Related News

Uber’s Trojan Horse

Uber’s Trojan Horse

It gives me no pleasure to say to the Allan government, "I told you so," but I told you so! Will Wednesday, the 29th of November 2023, go down as the beginning of the end of competition in the taxi space in Victoria? We have seen time and time again seen Uber's...

This video highlights troubling corporate practices by Uber in the US

Caution: This video highlights troubling corporate practices by Uber in the US. It's vital to recognize that such behavior may extend to places like Australia. The Transport Workers Union (TWU) strong advocacy at a state and federal level backs the Albenese Labor...

Uber’s plan to destroy this industry has failed!

Uber’s plan to destroy this industry has failed!

After 10 years of facing a foreign taxi company that entered and operated in this country illegally, allowing them to gain a commercial advantage by underwriting the cost of delivering their service to effectively buy market share, government regulators turned a blind...