THE massive breach in data held by Uber Technologies Inc., which includes those of Filipinos, has prompted the National Privacy Commission (NPC) to establish links with international authorities.
In a news briefing on Tuesday, NPC Commissioner Raymund E. Liboro lauded the Philippines’s entry into the Asia Pacific Economic Cooperation (Apec) Cross-border Privacy Enforcement Arrangement (PEA).
The Apec Cross-border PEA is a government-backstopped enforcement network that allows greater ease in information and expertise-sharing among select authorities even on ongoing investigations. The Apec Cpea is an initiative that facilitates information sharing among privacy enforcement authorities in Apec economies.
Administrators of the CPEA confirmed the NPC’s status as a PEA of the Philippines, joining eight other economies in Apec.
“Our entry into CPEA opens new doors and opportunities,” Liboro said. “After our acceptance on November 30—roughly the same time of Uber’s announcement [of a breach]—there has been an exchange of communication among the data-protection authorities of Australia, Philippines and the US Federal Trade Commission (US FTC). We’re hopeful as [an Apec] Cross-border PEA new member, that we can be a source of information.”
Melinda Claybough, counsel for International Consumer Protection at the FTC, said at the same briefing that the US FTC has made a public statement that it is taking seriously the data breach of Uber.
“But I can’t share any details on it,” Claybough said. “I can say we look forward to working with NPC and CPEA members by sharing information as part of our investigation. We’ve had a strong track record of working with partners using the CPEA. It provides a mechanism for authorities to talk and share information on what they’re [investigating].”
Claybough was referring to their own investigation into the head unit of Uber.
She added that this cooperation mechanism helped tackle the data-breach investigation of social networking-dating site Ashley Madison.
According to Liboro, the cross-border nature of data merits this kind of collaborative effort among different data-privacy authorities in aid of their respective investigation.
The determination of Uber’s fault, however, appears will be investigated per jurisdiction; Liboro clarified that the US FTC may apply consumer law there, but the NPC will utilize the Data Privacy Act.
Currently, Liboro said the NPC is still in a fact-finding stage in its probe of the extent of the Filipinos’ data covered by Uber Technologies’ admitted data breach and concealment.
The data-privacy commissioner underlined that the office is drafting a compliance order to Uber Philippines to be able to get more information, but pending Uber Philippines’s own audit on the scope and magnitude of the data exposed.