Grab Philippines Inc. has been asked to suspend its three verification systems which were found to be violating the privacy of its riders.
The National Privacy Commission (NPC) in a statement said has issued a cease and desist order (CDO) to Grab Philippines after finding deficiencies in complying with the Data Privacy Act of 2012 (DPA) for its selfie verification, pilot test of the in-vehicle audio recording and pilot test of the in-vehicle video recording.
In a Notice of Deficiencies issued to Grab on Jan. 31, 2020, NPC said the ride-hailing service provider did not sufficiently identify and assess the risks posed by the data processing systems to the rights and freedoms of data subjects.
It said only the risks faced by the company were taken into account in its Privacy Impact Assessment (PIA).
“The video recording system will also enable grab employees to monitor the situation live from the Grab office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button,” the notice said.
NPC has given Graph 15 days to comply with the remedial measures directed in the NPC’s Notice of Deficiencies. The lifting of the CDO, however, will be decided by the Commission on a per-system basis.
This means the order is applied separately for each of the systems and takes effect until such time that the company fully implements proper controls to address the deficiencies identified in the notice.
NPC said Grab in their meetings defended the photo, audio and video files collected through the three systems are to be released upon request to police authorities in the event of dispute, conflict or complaint.
But the public was not told any of this information through Grab’s privacy notice and privacy policy.
NPC said the company also failed to mention its legal basis in processing the collected data.
It said documents Grab submitted were insufficient to establish whether the company’s data processing was proportional to its intended purpose; whether the benefits of the processing outweigh the risks involved; nor whether the processing was the best among considered alternatives to achieve the underlying purpose.
In compliance with the CDO, Grab said it has suspended the audio and video recording and selfie verification features but said these were .introduced following the legal criteria for lawful processing of data.
“However, we recognize the mandate of the NPC to protect user privacy. Passenger selfie feature and audio and video recording pilot have been temporarily suspended as we work with NPC to address their concerns,” Grab said in a statement.
“We will fully cooperate with NPC in providing necessary supporting documents to adhere to their standards, implement additional corrective measures, and ensure that NPCs expectations and our approach for safety are mutually understood.” Grab added.