Philippines: Isseud NPC cease and desist order to Grab Philippines

On 3 February 2022, the National Privacy Commission (NPC) of the Philippines issued a cease-and-desist order (CDO) to Grab following an investigation into the company's compliance with the Data Privacy Act of 2012. The investigation identified deficiencies in three personal data processing systems used by Grab PH: selfie verification, in-vehicle audio recording, and in-vehicle video recording. These deficiencies were found to potentially endanger the privacy rights of the riding public. The NPC highlighted that Grab PH's privacy impact assessment primarily considered the company's risks, neglecting the rights and freedoms of data subjects. Furthermore, the company failed to inform the public about these data processing systems through its privacy notice and policy, did not clearly state the legal basis for data processing, and provided insufficient documentation to justify the proportionality and necessity of the data processing activities. Grab PH was given 15 days to address these deficiencies, with the lifting of the CDO to be evaluated on a per-system basis. The NPC's action aims to ensure full compliance with the Data Privacy Act, thereby protecting the privacy of the riding public while allowing Grab PH the opportunity to amend its data processing systems.