NPC calls out Grab for data system deficiencies
Published Feb 05, 2020 00:00 am
|
Updated Feb 05, 2020 00:00 am
By Rizal Obanil
Grab Philippines, Inc. (Grab PH), which has already been penalized millions of pesos in fines, will now have to deal with another setback after the National Privacy Commission (NPC) issued a cease and desist order for the firm’s alleged failure to comply with the Data Privacy Act of 2012.
(NATIONAL PRIVACY COMMISSION / MANILA BULLETIN)
The NPC in a statement Wednesday said that it issued a notice of deficiencies to Grab PH on January 31, 2020 when they found out that the company had several deficiencies in its verification during the pilot test of the in-vehicle audio recording and in vehicle video recording.
Aside from this, the NPC also said the Grab PH was not able to express clearly the potential risks the company’s data processing system posed to Grab users’ personal information and that “only the risks faced by the company were taken into account” in their privacy impact assessment (PIA).
The NPC had a meeting with representatives from the company wherein Grab PH supposedly assured that they will release the photo, audio and video files to the police if and when there is a “dispute, conflict or complaint.”
“The video recording system will also enable employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the NPC notice read.
The NPC said the problem lies in the fact that the public, or Grab patrons were not sufficiently informed that such data processing will be done and that this was allegedly not conveyed properly through Grab PH’s privacy notice and privacy policy.
Furthermore, should a Grab user opt to withdraw consent to the data processing of his or her photo, video or audio file, it was unclear to the NPC how the company will deal with such a predicament.
Also, the NPC said that the company did not mention their legal basis for processing the collected data and the documents which Grab PH submitted were reportedly not sufficient to support the company’s stand to be allowed to process such data; whether it is “proportional to its intended purpose,” and whether “the benefits of the processing outweigh the risks involved; nor whether the processing was the best among considered alternatives to achieve the underlying purpose.”
Upon receipt of the said order from the NPC, Grab PH was given 15 days to comply with the Notice of Deficiencies. The NPC will then decide whether to lift the CDO or not but stated the the commission will decide the matter on a “per-system basis”, meaning three separate decisions on the three systems that Grab PH has for photo, audio and video.
“While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded. It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated,” the NPC said in the CDO they sent to Grab PH.
(NATIONAL PRIVACY COMMISSION / MANILA BULLETIN)
The NPC in a statement Wednesday said that it issued a notice of deficiencies to Grab PH on January 31, 2020 when they found out that the company had several deficiencies in its verification during the pilot test of the in-vehicle audio recording and in vehicle video recording.
Aside from this, the NPC also said the Grab PH was not able to express clearly the potential risks the company’s data processing system posed to Grab users’ personal information and that “only the risks faced by the company were taken into account” in their privacy impact assessment (PIA).
The NPC had a meeting with representatives from the company wherein Grab PH supposedly assured that they will release the photo, audio and video files to the police if and when there is a “dispute, conflict or complaint.”
“The video recording system will also enable employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the NPC notice read.
The NPC said the problem lies in the fact that the public, or Grab patrons were not sufficiently informed that such data processing will be done and that this was allegedly not conveyed properly through Grab PH’s privacy notice and privacy policy.
Furthermore, should a Grab user opt to withdraw consent to the data processing of his or her photo, video or audio file, it was unclear to the NPC how the company will deal with such a predicament.
Also, the NPC said that the company did not mention their legal basis for processing the collected data and the documents which Grab PH submitted were reportedly not sufficient to support the company’s stand to be allowed to process such data; whether it is “proportional to its intended purpose,” and whether “the benefits of the processing outweigh the risks involved; nor whether the processing was the best among considered alternatives to achieve the underlying purpose.”
Upon receipt of the said order from the NPC, Grab PH was given 15 days to comply with the Notice of Deficiencies. The NPC will then decide whether to lift the CDO or not but stated the the commission will decide the matter on a “per-system basis”, meaning three separate decisions on the three systems that Grab PH has for photo, audio and video.
“While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded. It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated,” the NPC said in the CDO they sent to Grab PH.