Privacy body halts Grab’s selfie verification, audio, video recording systems
MANILA, Philippines — The National Privacy Commission (NPC) has issued a cease and desist order (CDO) against three personal data processing systems of Grab Philippines, Inc. (Grab PH), saying it failed to comply with provisions of the Data Privacy Act of 2012 (DPA).
In a statement on Wednesday, the NPC said the Notice of Deficiencies it issued to Grab PH on January 31, 2020 noted several deficiencies in its selfie verification, pilot test of the in-vehicle audio recording, and pilot test of the in-vehicle video recording.
The NPC said the company “did not sufficiently identify and assess the risks posed by the data processing systems to the rights and freedoms of data subjects” and “only the risks faced by the company were taken into account” in its Privacy Impact Assessment (PIA).
“The video recording system will also enable Grab employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the notice read.
In a meeting, the NPC said Grab representatives explained that the photo, audio and video files collected through the three systems will be released upon request of police authorities in the event of dispute, conflict or complaint.
But the commission said the public was not told any of this information through Grab PH’s privacy notice and privacy policy.
The company also failed to mention its legal basis in processing the collected data, said the NPC.
The privacy body also found the documents submitted by Grab PH to the commission “insufficient to establish whether the company’s data processing was proportional to its intended purpose; whether the benefits of the processing outweigh the risks involved; nor whether the processing was the best among considered alternatives to achieve the underlying purpose.”
While the option to withdraw consent was included by Grab PH in the PIA for the in-vehicle audio and in-vehicle video recording systems, the NPC noted that the details on how to exercise such right “were not sufficiently communicated to passengers through Grab message.”
“It was also unclear if and how the data processing will be affected upon such withdrawal of consent,” the commission said.
The NPC gave the ride-hailing firm 15 days to comply with the remedial measures directed in the NPC’s Notice of Deficiencies.
The commission, however, noted that it will decide on the lifting of the cease and desist order “on a per-system basis.”
“As such, the order is applied separately for each of the systems and takes effect until such time that the company fully implements proper controls to address the deficiencies identified in the notice,” the NPC further said in its statement.
The NPC clarified that the order was “not intended as a penalty” for the company rather it was “ a means to afford the company reasonable opportunity to achieve full compliance with the DPA, its rules, and related guidelines.”
This, in effect, would protect the riding public from unwanted privacy exposure and enable the company to modify its system to be compliant with the DPA, the NPC said.
“While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded,” the NPC said in its cease and desist order.
“It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated,” the order further read.
