E-hailing firms must protect data

I was interviewed by The Star and Free Malaysia Today on an e-hailing firm’s new user requirement to submit “selfie” for verification purposes.

In The Star’s article titled “E-hailing firms must protect data“, it was reported-

Weak enforcement of the Personal Data Protection Act (PDPA) has made it vital for e-commerce firms and e-hailing providers to protect such information, according to the Bar Council.

Its Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said there had not been much news on the enforcement of the Act .

There were cases of companies being fined, but high-profile cases such as the data breach involving telecommunications companies two years ago have yet to be resolved,’’ he said.

Welcoming the requirement of selfie verification on e-hailing passengers as an effective mechanism to protect the drivers, he said those concerned with data privacy breaches could not do much if they wanted to use the service.

Foong’s comments were in light of the concerns over data privacy following a law introduced by the Transport Ministry in July last year, requiring passengers to submit their identity credentials upon registration with any e-hailing platform

While in Free Malaysia Today’s article titled “Password better than selfie for Grab driver safety, says consumer group“, it was reported-

Foong Cheng Leong, a lawyer, says the requirement does not run afoul of the Personal Data Protection Act 2010 as it involved obtaining the user’s consent.

“The use of Grab or any ride-hailing service is optional. Those who do not wish to submit their picture may opt not to use the service.”

In addition to the above, I would like to add that the submission of “selfie” can be a concern if there is a high risk that the data is misused. The selfie can be paired with other data for profiling purposes. Such data can be used for surveillance purpose, matching with other data, etc.

Perhaps such providers should announce how, in detail, personal data is protected, where exactly it will be stored, what measures are taken to ensure data is safe, and report whenever there is a data leakage or third party request. Most data users publish such information on their privacy policy. However, most data users publish very general information and the bare minimum, as required by the Notice & Choice Principle provided by the Personal Data Protection Act 2010.

Since it is mandatory for e-hailing users, the only choice available for users now is to not use such e-hailing services unless there is a change in policy. Users should consider filing a complaint to the Personal Data Protection Commissioner or Transport Ministry over the new rules.





Leave a Reply

Your email address will not be published. Required fields are marked *