The National Privacy Commission (NPC) has announced that it has issued a Cease and Desist Order (CDO) to Grab Philippines, suspending the platform’s selfie verification, audio/video recording systems.
According to the NPC, Grab PH’s selfie verification, pilot test of the in-vehicle audio recording, and pilot test of the in-vehicle video recording had deficiencies in complying with the Data Privacy Act of 2012 (DPA). The agency issued a notice to Grab, detailing that Grab PH “did not sufficiently identify and assess the risks posed by the data processing systems to the rights and freedoms of data subjects,” and stated that, in its Privacy Impact Assessment “only the risks faced by the company were taken into account”.
The NPC notice also mentioned that “The video recording system will also enable grab employees to monitor the situation live from the Grab Office and take photos of what is happening inside the vehicle, once the driver prompts the office through an emergency button.”
Grab PH’s representatives stated that the photo, audio, and video files to be collected will be released upon request to police authorities in case of disputes, conflicts, or complaints. However, the public is unaware of that as those details are not mentioned in Grab’s privacy notice and privacy policy.
NPC also found that Grab failed to mention its legal basis in processing the collected data and that the documents submitted to NPC “were also found to be insufficient to establish whether the company’s data processing was proportional to its intended purpose.” While Grab included an option to withdraw consent for audio/video systems, the process of doing so was also unclear, and how the data processing will be affected upon withdrawal of consent.
The NPC is giving Grab PH 15 days to comply with remedial measures, however, the lifting of the CDO will be decided by the Commission on a per-system basis. To read NPC’s full statement, click here.