NPC suspends Grab’s one-sided security systems

Published February 5, 2020, 12:00 AM

by manilabulletin_admin

By Bernie Cahiles-Magkilat

The National Privacy Commission (NPC) has suspended Grab Philippines’ selfie verification, video recording systems for a lopsided one-sided security risk protection only on the side of the company while endangering the privacy of the riding public.

The NPC, chaired by Commissioner Raymund Liboro, issued a Cease and Desist Order (CDO) on February 3, 2020 to Grab Philippines, Inc. after finding deficiencies in complying with the Data Privacy Act of 2012 (DPA) for three personal data processing systems, which may endanger the privacy rights of the riding public.

In a Notice of Deficiencies issued to Grab PH dated January 31, 2020, the NPC found several deficiencies in its selfie verification, pilot test of the in-vehicle audio recording, and pilot test of the in-vehicle video recording.

In the notice, the NPC said Grab PH did not sufficiently identify and assess the risks posed by the data processing systems to the rights and freedoms of data subjects, saying that “only the risks faced by the company were taken into account” in its Privacy Impact Assessment (PIA).

“The video recording system will also enable grab employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the notice reads.

On the selfie verification, a passenger’s booking cannot be processed unless he or she takes a selfie for verification purposes by Grab.

In a meeting, company representatives said the photo, audio and video files collected through the three systems will be released upon request to police authorities in the event of dispute, conflict or complaint.

The public, however, was not told any of this information through Grab PH’s privacy notice and privacy policy.

The company also failed to mention its legal basis in processing the collected data. The documents submitted to the NPC were also found to be insufficient to establish whether the company’s data processing was proportional to its intended purpose; whether the benefits of the processing outweigh the risks involved; nor whether the processing was the best among considered alternatives to achieve the underlying purpose.

While the option to withdraw consent was included by Grab PH in the PIA for the in-vehicle audio and in-vehicle video recording systems, the details on how to exercise such right were not sufficiently communicated to passengers through Grab message. It was also unclear if and how the data processing will be affected upon such withdrawal of consent.

Grab PH has 15 days to comply with the remedial measures directed in the NPC’s Notice of Deficiencies.

The NPC also stressed that the lifting of the CDO will be decided by the Commission on a per-system basis. As such, the order is applied separately for each of the systems and takes effect until such time that the company fully implements proper controls to address the deficiencies identified in the notice.

The CDO is not intended as a penalty for Grab Philippines, Inc. but as a means to afford the company reasonable opportunity to achieve full compliance with the DPA, its rules, and related guidelines. The move, in effect, secures the riding public from unwanted privacy exposure and in the same manner enables the company to modify its system to be compliant with the DPA.

“While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded. It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated,” the NPC said in the CDO.

The power of the NPC to issue a CDO is explicitly provided in Section 7 of the DPA and reiterated in Section 9 of its Implementing Rules and Regulations.

Grab said it will issue a statement on the NPC order including reply to question whether these security risk systems are unique only in the Philippines or have also been implemented in other Grab jurisdictions overseas.

Meantime, Grab issued a statement sofficial statement vowing to fully cooperate with NPC in providing necessary supporting documents to adhere to their standards, implement additional corrective measures, and ensure that NPCs expectations and our approach for safety are mutually understood.

Grab explained that the passenger selfie, audio and video recording pilot systems were were introduced as pioneering safety technology features with the aim of further protecting the ride hailing comm unity. “These features follow the legal criteria for lawful processing of data,” it said.

 
CLICK HERE TO SIGN-UP
 

YOU MAY ALSO LIKE

["business","business"]
[952149,2701490,2701483,2700970,2700789,2701174,2700770]