Grab’s personal data processing system halted

The National Privacy Commission (NPC) served a cease and desist order (CDO) to three personal data processing systems of Grab Philippines, Inc., including the selfie verification, the pilot test of in-vehicle audio recording, and in-vehicle video recording.

In a statement, the NPC said these personal data processing systems did not sufficiently identify and assess the risks to the rights and freedoms of the data subjects but only the risks faced by the company were taken into account.

Grab can monitor its employees and also take photos during trips through the video recording system once the driver prompts the emergency button.

The NPC said the firm explained that the materials taken through the three data processing systems will be released upon the request of police authorities should dispute, conflict, and complaint arise.

However, Grab did not put this information through its privacy notice and policy, it said.

The company also failed to mention its legal basis in processing the collected data. The documents submitted to the NPC were also found to be insufficient to establish whether the company's data processing was proportional to its intended purpose; whether the benefits of the processing outweigh the risks involved; nor whether the processing was the best among considered alternatives to achieve the underlying purpose, the privacy body added.

The NPC found these are deficiencies in complying with the Data Privacy Act (DPA) of 2012.

Grab has 15 days to submit their remedial measures directed in the notice of deficiencies issued to grab last January 31, it said.

The privacy body further said the CDO is not a punishment for Grab but will give an opportunity to the company to achieve full compliance to the DPA.

While this Commission believes that the security of passengers and drivers is a primordial concern, their privacy rights must not be disregarded. It must be protected with earnestness by ensuring that the purpose of data processing is clearly stated, the data flow is secured, and the risks are properly identified and mitigated, it added.

Source: Philippines News Agency

Related posts