The phrase “Uber is in hot water again” has become a bit meaningless over the last few months — and for good reason. The embattled ride-hailing company has been limping from crisis to crisis since the beginning of the year. But this latest controversy — in which a top Uber executive obtained the medical records of a rape victim in India — could be the most legally dangerous one yet.
According to a report in Recode yesterday, Eric Alexander, the president of Uber’s business in the Asia Pacific, obtained the medical records of a woman who in 2014 had been raped by an Uber driver in India. Alexander later shared those records with Uber CEO Travis Kalanick and Senior Vice President Emil Michael, and others. After Recode contacted Uber about Alexander’s actions, he was fired.
Uber is in the midst of a high-profile investigation into its workplace, after numerous employees alleged instances of sexual harassment and bias. Yesterday, 20 Uber employees were terminated as a result of that investigation, and dozens of other instances are still under review. But the revelation about the handling of a rape victim’s medical records has thrown new fuel on the fire. The Financial Times today advocated for the firing of Kalanick, arguing, “It’s time to face facts. Uber does not have an image problem, it has a chief executive problem.”
Sources told Recode and other outlets that Alexander was motivated by a belief that Ola, a leading ride-sharing company in India, was behind the incident to sabotage Uber. (Ola released a statement calling Uber “low on morality.”) But legal sources in India tell The Verge that unless Uber received the consent of the victim before obtaining her records, the company’s executives were likely in violation of India’s privacy laws. But that because those laws are sill evolving, it may take time for any civil or criminal prosecution to unfold. A lawyer for the victim told Bloomberg that an apology from Kalanick and Alexander was expected, but made no mention of pursuing legal consequences.
“In India, Uber did face a lot of flack in the manner this [case] was handled,” a legal source in India who asked to remain anonymous told The Verge. The source was referring to the outrage that confronted Uber as a result of this crime. Police in New Delhi considered charging Uber with a crime over the company’s lax standards around background checks for drivers. Ultimately, the driver who committed the rape was sentenced to life in prison. And Uber was banned from operating in New Delhi, a prohibition that was eventually lifted until June 2015.
“They may continue to face the heat should the lady press the charges real hard,” the source continued. “It may take time though to get to the bottom of this, as the privacy law is still being tested in India.”
In the US, this would be a violation of the victim’s privacy. But the law relating to the privacy in India are “slowly evolving through various court judgements,” the source said. Privacy rules as laid out by the Medical Council of India, which regulates the healthcare sector in that country, state that any person seeking anyone else’s medical records “must obtain written consent from such person before collecting or using such information and also inform the person about the intended use of such information.” (We’ve reached our the MCI for comment and will update this story when we hear back.)
So unless Alexander obtained written consent before obtaining the victim’s medical records, he could find himself in violation of India’s privacy law. And his decision to share those records with Kalanick, Michael, and others at Uber may have also crossed the line as well, according to the source. Even if Alexander had obtained her records lawfully, he would have been “strictly prohibited from further disclosing/transferring the information to any third party without the prior consent of the provider of the information,” the source said.
A spokesperson for Uber confirmed that Alexander is no longer with the company, but declined to comment on the matter concerning the handling of a rape victim’s medical records. She did note that the victim previously settled a lawsuit with Uber in excess of $1 million. But the Indian legal source noted that “criminal liability cannot be settled though like this.”
Phillip Bezanson, a white collar defense attorney who specializes in the types of investigations currently underway at Uber, said the revelations about Alexander and the medical records need to be weighed against the bigger picture of multiple investigations into Uber’s toxic culture and corporate practices.
“When the federal government, the Department of Justice, is investigating Uber for various things, they have to make an assessment about Uber under principles of prosecuting business organizations,” he said. “The organization’s culture is a significant component. Whether [the behavior is] strictly illegal or legal is relevant. Things can be legally inappropriate, unseemly, and distasteful, and still color a prosecutors’ view when seeking to resolve far-flung potential criminal investigations.”
Bezanson’s reference to “various things” under investigation isn’t a hypothetical. Uber is currently being probed by the Department of Justice for its use of a digital tool called Greyball which reportedly used to deceive government regulators and hide the number of cars available on its app from law enforcement. Bezanson said the handling of a rape victim’s medical records by top Uber executives “certainly… warrants deeper digging and understanding.”
Alexander’s handling of the victim’s records was among the 215 cases of harassment, bullying, and inappropriate conduct identified by two law firms — Perkins Coie and Covington & Burling — during their probe into Uber’s corporate culture. The Covington & Burling report, including recommendations into what Uber can do to right its wobbling ship, is expected to be released in some form next week. Whether that includes a recommendation that Uber employees refrain from accessing confidential medical records of their customers remains to be seen.