Mr BARTON (Eastern Metropolitan) (18:12): (1425) My adjournment tonight is for Minister Carroll, the Minister for Public Transport. On 23 July this year the Australian Information Commissioner and Privacy Commissioner determined that Uber interfered with the privacy of an estimated 1.2 million Australians. It was found that Uber companies failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber attack in October and November 2016. Uber breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access. They also failed to take reasonable steps to comply with the Australian Privacy Principles. Now, what makes this worse is that Uber chose to pay the attackers a reward through a bug bounty program. They did not conduct a full assessment of the personal information that may have been accessed, nor did they publicly disclose the breach until over a year later.
Uber has tried to argue that it is not subject to Australia’s Privacy Act, as Australians’ personal information is being indirectly transferred to overseas-based companies and their services. How could this be? Uber is attempting to circumvent our laws and regulations that protect the public and their right to privacy. We are letting Uber take our personal information overseas, only to have it stolen, with no breach of personal information publicly declared for over one year. When our personal information is not protected, we are vulnerable to exploitation and at risk of serious harm. Who is to hold Uber accountable for their management of our personal information when the regulator themselves could be engaging in data overreach?
Earlier this year Uber was approved by Commercial Passenger Vehicles Victoria to take part in the multipurpose taxi program. This is a government scheme which subsidises commercial passenger vehicle fares for people with accessibility or mobility needs, and as an authorised booking service provider within the multipurpose taxi program, Uber collects and stores information about MPTP members, the trips they have undertaken and their credit card details.
Given Uber sends and stores its data outside of Victoria and Australia, I am concerned that this may contravene government data standards. This is a government program, and it must adhere to the state and federal laws for data standards. Therefore the action I seek is for the minister to investigate that the personal details of those vulnerable multipurpose taxi program users are collected and protected in keeping with state and federal laws for data standards which the government program must adhere to.
In recognition that some individuals with mobility limitations cannot safely and independently use the public transport network, the Government is proud to support disability inclusion through the Multi Purpose Taxi Program (MPTP). The MPTP supports affordable transport options for members, enabling trips for social, economic, and medical reasons that may otherwise not hav
The Government values and is committed to protecting the privacy of all Victorians, including MPTP members. I am advised that Commercial Passenger Vehicles Victoria does not provide personal information of MPTP members to Uber, or any other data collection provider contracted to facilitate the payment of MPTP subsidies. When an MPTP member takes a trip with a commercial passenger vehicle service of their choice, MPTP members voluntarily provide their own personal information, including their MPTP member number, to data collection providers for the purposes of validating the amount of the subsidy for a trip.
I am further advised that CPVV requires all approved data collection providers to comply with applicable Federal and Victorian privacy laws, including the Victorian Information Privacy Principles and the Protective Data Security Standards. These conditions are set out in the Data Collection Provider Contract template publicly available on the CPVV Website.
I understand that the Office of the Australian Information Commissioner (OAIC), the independent national regulator for privacy and freedom of information, has already made a determination with respect to the application of the Federal Privacy Act to Uber. Consistent with that determination, OAIC has also made a number of declarations with respect to Uber’s management of personal information.
Here in Victoria, the Office of the Victorian Information Commissioner (OVIC) is Victoria’s regulator for information access, information privacy, and data protection. I understand that this matter has also been raised with OVIC, and preliminary inquiries are being undertaken by OVIC.