The National Privacy Commission (NPC) has issued a Cease and Desist Order (CDO) to Grab Philippines, Inc. (Grab PH) after finding deficiencies in complying with the Data Privacy Act of 2012 (DPA) for three personal data processing systems, which may endanger the privacy rights of the riding public.

In a Notice of Deficiencies issued to Grab PH dated 31 January 2020, the NPC found several deficiencies in its selfie verification, pilot test of the in-vehicle audio recording, and pilot test of the in-vehicle video recording.

In the notice, the NPC said Grab PH did not sufficiently identify and assess the risks posed by the data processing systems to the rights and freedoms of data subjects, saying that “only the risks faced by the company were taken into account” in its Privacy Impact Assessment (PIA).

“The video recording system will also enable grab employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the notice reads.

In a meeting, company representatives said the photo, audio and video files collected through the three systems will be released upon request to police authorities in the event of dispute, conflict or complaint.

The public, however, was not told any of this information through Grab PH’s privacy notice and privacy policy.

The company also failed to mention its legal basis in processing the collected data. The documents submitted to the NPC were also found to be insufficient to establish whether the company’s data processing was proportional to its intended purpose; whether the benefits of the processing outweigh the risks involved; nor whether the processing was the best among considered alternatives to achieve the underlying purpose.

While the option to withdraw consent was included by Grab PH in the PIA for the in-vehicle audio and in-vehicle video recording systems, the details on how to exercise such right were not sufficiently communicated to passengers through Grab message. It was also unclear if and how the data processing will be affected upon such withdrawal of consent.

Grab PH has 15 days to comply with the remedial measures directed in the NPC’s Notice of Deficiencies. The lifting of the CDO, however, will be decided by the Commission on a per-system basis. As such, the order is applied separately for each of the systems and takes effect until such time that the company fully implements proper controls to address the deficiencies identified in the notice.

The CDO is not intended as a penalty for Grab Philippines, Inc. but as a means to afford the company reasonable opportunity to achieve full compliance with the DPA, its rules, and related guidelines. The move, in effect, secures the riding public from unwanted privacy exposure and in the same manner enables the company to modify its system to be compliant with the DPA.

“While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded. It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated,” the NPC said in the CDO.

The power of the NPC to issue a CDO is explicitly provided in Section 7 of the DPA and reiterated in Section 9 of its Implementing Rules and Regulations.

###