Popular ride-hailing app Uber recently admitted concealing a massive data breach in 2016 that affected up to 57 million of its users (drivers and riders), including Filipinos. While its full extent remains unclear today, the breach and the dearth of information surrounding it should be a proper cause for concern. Uber has a significant presence in the country with around 66,000 registered vehicles and around 600,000 users.
The country’s National Privacy Commission has committed to continue its investigation of the matter and claims to be working with the data protection authorities of other countries like Australia and the United States.
Meanwhile, this presents a perfect opportunity for the public to take a long hard look at what this incident reveals about our data and the world they exist in at the moment:
- We really know nothing about how our personal data is used. There’s nothing quite like a massive data breach to remind us how much personal data we readily give to companies and governments, and how little we really know about it. With Uber, the statement of its current CEO casually mentions “trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth”, implying that, although these were not among the data downloaded sans authorization, the company has this information in its database. Odds are, most people won’t recall giving Uber access to such information.
- We don’t hold companies accountable enough. Most, if not all, companies only care about people’s personal data as long as they serve the corporate interest and keep government regulators at bay. Ideally, all data controllers and processors should have sufficient and robust data protection frameworks in place and properly integrated into their operations. Nonetheless, data subjects must be proactive in knowing who collects and processes their data, and how such data are used. By demanding accountability from companies, especially those that make decisions about people using their data, people can reclaim ownership and control over their information.
- Data protection is not a localized concern. The Philippines has a data protection law in place, implemented by a fairly young privacy commission. Uber, though, is based in the United States where there is no data protection law at the federal level. If you think about it, most of the services we use daily like Google, Facebook, Apple, and Uber are headquartered outside the country. With our lives being increasingly tied to these global corporations and with data flowing more freely than ever among different areas and jurisdictions, effective cooperation and coordination between nations and their respective data protection authorities is critical. Ultimately, for governments to fail in this aspect could mean failure to fulfill their mandate altogether.
All these lessons serve to underscore a glaring lack of transparency in many data processing operations here and abroad. As a result, people are often left in the dark, unaware of their rights as data subjects and the remedies available to them under existing data protection laws. Countries like the Philippines are luckier than others. The country now has a data protection authority, which could serve as a proxy when holding big businesses and government agencies accountable for the abuse or misuse of the personal data they all collect. That said, if the underwhelming result of the “Comeleak” (Comelec breach of 2016) investigation is any indication, public participation in the development of the data protection landscape remains imperative if the people are to succeed in (re)claiming their privacy rights and in compelling entities to fully integrate data protection into their respective systems and organizations.
It is time, to echo a common refrain, to take the power back.