The National Privacy Commission (NPC) on Thursday said it will undertake an assessment of the impact of the reported massive data breach of transportation network company Uber Technologies Inc. and the possible effect on local drivers and users.
In a news statement, the privacy agency said it has invited Uber Philippines to a meeting next week to get the full scope of the incident and to have the company comply with the formal breach notification mandated by the Data Privacy Act of 2012.
On Wednesday night, Uber Chief Executive Officer Dave Khosrowshahi released a statement owning up to a global data breach affecting 50 million Uber users, with international news reports saying that personal information such as names, e-mail addresses and phone numbers of passengers was stolen by hackers as far back as October 2016.
Uber Technologies Inc. concealed the incident for more than a year, and paid the hackers $100,000 to “settle” the issue.
“The NPC is concerned about the possible impact of the breach on our citizens. By virtue of its operations and processing of Filipino end-user data, Uber is considered a personal information controller and must comply with Philippine data privacy and protection laws,” the commission said in the statement.
The agency added the meeting aims to gather detailed information on the nature of the breach, the personal data of Filipinos possibly involved and the measures taken by Uber to address the breach.
In the Data Privacy Act, a personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
Under this Philippine legislation, concealment of security breaches involving sensitive personal information entails a prison term ranging from 18 months to five years and a fine of not less than P500,000.
The maximum penalty will be imposed for offenses that involve the personal data of at least 100 people.
The Data Privacy Act enforces a data breach notification procedure, among the provisions of which is notification to the commission within 72 hours of knowledge of, or reasonable belief by the personal information controller or processor that, a personal data breach has occurred.