The National Privacy Commission (NPC) has issued a cease and desist order (CDO) against Grab’s in-car video and audio recording and selfie-verification pilot runs, saying these are not in compliance with the Data Privacy Act of 2012 and may endanger the privacy of the riding public.
In a Notice of Deficiencies to the ride-sharing firm on January 31, 2020, the agency stated that Grab Philippines “did not sufficiently identify and assess the risks posed by the data processing systems to the rights and freedoms of data subjects” and that “only the risks faced by the company were taken into account” in its Privacy Impact Assessment (PIA).
“The video recording system will also enable Grab employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the notice reads.
The agency also pointed out that the firm did not mention its legal basis for processing the collected data, and that documents submitted by the firm to establish “whether the benefits of the processing outweigh the risks involved” or “whether the processing was the best among considered alternatives to achieve the underlying purpose” were insufficient.
What’s more, while Grab mentioned in its PIA that riders would be able to withdraw consent for in-vehicle audio and video recordings, the exact details on how to exercise this right were not conveyed to users, and it is unclear how exactly the data processing will be affected if a rider chooses to do so.
“While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded. It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated,” the NPC said in its CDO.
“The lifting of the CDO, however, will be decided by the Commission on a per-system basis. As such, the order is applied separately for each of the systems and takes effect until such time that the company fully implements proper controls to address the deficiencies identified in the notice,” the agency said, adding the CDO is not intended as a penalty for the firm, but as a means to “afford the company reasonable opportunity to achieve full compliance with the DPA, its rules, and related guidelines.”
The NPC says Grab has 15 days to comply with the measures directed in its Notice of Deficiencies. Are you concerned with the systems the company is hoping to put in place as well?