An Act Requiring Transport Network Vehicle Service Providers to Limit the Personal Information Accessible to Users in a Justified Operational Limitation Overview Form or Otherwise Through Censorship

In partial fulfilment of the requirements in the course Transportation Law
Submitted to: Atty. Bellatrix Legaspi-Francisco, Far Eastern University - Institute of Law
Submitted by: Joseph Lorenzo V. Espino, 2014675191

I. Introduction

In recent years, ride-hailing applications, or Transport Network Vehicle Services ("TNVS"), have changed the way we travel and made transportation more convenient and efficient. As with most convenient and efficient applications, however, that convenience carries a privacy risk. Most, if not all, TNVS applications collect data about their users. Data such as names, mobile numbers, and sometimes even photos are shared with third parties and are also retained in the applications of other users. This leaves users vulnerable not only to third parties but also to each other. Because users are often unaware of the extent and nature of the data they share, they are open to exploitation.

(A) As daily life becomes more digitized, data privacy grows more important. This means being constantly conscious of how data is used, stored, and accessed in our day-to-day lives, and spotting the points at which our data may be exploited. (B) These vulnerabilities extend to TNVS applications such as Grab, Lalamove, and Angkas, where the personal information of users and drivers is shared with each other and retained in one another's applications. (C) One way to close this continuing vulnerability is to require TNVS providers to limit access to this information by automatically removing it after the transaction has been completed.

A. The Status Quo

At a time when data is the new currency, we are reminded that we have to protect our information from those who want to steal it or use it for malicious purposes.[1] A survey by Cisco, a California-based technology firm, found that nearly 80% of companies in the Philippines experienced a data breach in 2022, and that these incidents cost the affected companies between $100,000 and $500,000.[2] Securing our digital presence is therefore more important than ever. In February 2022, the National Privacy Commission ("NPC") released a commissioned survey showing a marked increase in public awareness and knowledge of data privacy: according to the NPC, awareness grew from 13% in 2017 to 25% in 2021.[3] While most Filipinos know that protecting data matters, two questions remain: (1) why do we have to protect our data, and (2) how do we protect our data?

1. Why do we have to protect our data?

Protecting data is crucial to the privacy, security, and well-being of individuals, organizations, and society as a whole in today's digital age.[4] Cybersecurity risks such as unauthorized access, theft, manipulation, and destruction often begin with socially engineered attacks built on information the attacker has already gathered about the target. In a Cybersecurity 101 article by CrowdStrike enumerating the ten most common types of cyber attacks, at least six of the listed types are based on or related to social engineering: malware, phishing, spoofing, identity-based attacks, supply chain attacks, and insider threats.[5] An example is smishing (SMS phishing), where attackers send malicious links to the mobile numbers of their victims, sometimes going a step further by addressing the victim by name.[6] These attacks are becoming more frequent and more sophisticated, which makes the protection of data privacy ever more important.

2. How do we protect our data?

There are many ways to protect our data in the digital realm. The NPC published "A Beginner's Guide to Personal Data Privacy", which offers 30 tips for protecting one's own data. A few of them:

● Don't click on pop-ups or virus warnings: one way attackers gain access to your data is by getting you to click on links or pop-ups; be conscious of these and avoid clicking them.
● Clean up third-party apps: make sure the permissions granted to third-party apps in your social media accounts are limited to those you trust.
● Don't be too public: always know what information you let out; limit the details you share on social media.[7]

Beyond these, an important way to protect data is simply to be conscious of the information one shares and of the extent of the consent one gives when agreeing to the terms and conditions of a service.

Notes
[1] William D. Eggers, "Data as the new currency", 24 July 2013, https://www2.deloitte.com/us/en/insights/deloitte-review/issue-13/data-as-the-new-currency.html
[2] Elijah Rosales, "Nearly 80% of Philippine firms hit by data breach", 30 Nov 2022, https://www.philstar.com/business/2022/11/30/2227344/nearly-80-philippine-firms-hit-data-breach
[3] "Filipinos more aware of data privacy - NPC", 1 Feb 2022, https://www.bworldonline.com/corporate/2022/02/01/427056/filipinos-more-aware-of-data-privacy-npc/
[4] Vesa Hyseni, "Why is Data Protection Important?", 10 Nov 2021
[5] Kurt Baker, "10 Most Common Types of Cyber Attacks", 13 February 2013, https://www.crowdstrike.com/cybersecurity-101/cyberattacks/most-common-types-of-cyberattacks/
[6] "MS-ISAC Security Primer - Spear Phishing", July 2018, https://www.cisecurity.org/insights/white-papers/ms-isac-security-primer-spear-phishing
[7] National Privacy Commission, "A Beginner's Guide to Personal Data Privacy"

B. Transport Network Vehicle Services

TNVS providers took the nation by storm when Grab and Uber launched in the Philippines in 2015.[8] As of this writing, many more providers have joined the market, including Angkas, JoyRide, and Lalamove. TNVS providers connect users with drivers through applications installed on mobile devices, which has made transportation convenient and efficient for everybody. With this, however, came issues of safety, security, and fairness of pricing. While many of these issues have been or are being addressed by the State through the Land Transportation Franchising and Regulatory Board ("LTFRB"), one that has yet to be addressed is data privacy.

When users create accounts for these applications, they give out information about themselves, including both personal information[9] and sensitive personal information[10] as defined in the Data Privacy Act. The Data Privacy Act imposes obligations on personal information controllers[11] and requires the consent of data subjects before any collection takes place,[12] but it imposes no obligation to protect the data privacy rights of others on users who are mere consumers. Since mere consumers have neither an obligation nor an incentive to protect this data, they should not be granted access to information they no longer need. However, (1) by design, certain applications allow users to access a large repository of data, and (2) the privacy policies of these applications are written so vaguely that they do not specify the extent to which users consent to their data being shared.

Notes
[8] S.27, 17th Cong. (2019)
[9] Data Privacy Act, R.A. 10173 § 3 (g)
[10] Data Privacy Act, R.A. 10173 § 3 (l)
[11] Implementing Rules and Regulations of R.A. 10173 § 21 (b)
[12] Data Privacy Act, R.A. 10173 § 12 (a)

1. The App

Popular applications like Lalamove, Angkas, and JoyRide share a common problem: they store the personal information of drivers in the applications of users, and vice versa, even months after the rides have been completed. Grab, by contrast, explicitly provides that it no longer grants access to the information of past transactions 72 hours after they have been completed. Lalamove, Angkas, and JoyRide still do, as follows.

a) Lalamove

In Lalamove, users can trace back all their past transactions and still find the complete names of the riders or drivers who served them. For deliveries, they also keep the photos taken when the items were picked up and dropped off. Riders likewise have access to the same information about the past transactions they have completed.

b) Angkas

In the Angkas app, users may also view all their past rides, including the photos and complete names of their riders.

c) JoyRide

In JoyRide, users go to the "History" portion of their transactions.
There they will find an extremely long list of their past rides and, beyond the rides themselves, the photos and full names of their drivers. Similarly, drivers may see the names and locations of their past deliveries.

2. The Policy

Below is a comparison of the privacy policies of Lalamove,[13] Angkas,[14] and JoyRide.[15] They generally have the following in common:

a) They are all allowed to share data with third parties, without specifying who these third parties are;
b) They process and store a great deal of personal data, without explicitly identifying which personal data they process and store;
c) They retain data for as long as it is relevant to the purpose for which it was collected;
d) A user must accept the terms or be denied service by the TNVS provider; and
e) None of the policies provides for informing users who has access to their data.

What is collected

Lalamove: "LALAMOVE MALAYSIA SDN BHD ("LALAMOVE") respects your right to privacy and we keep your Personal Data secure and we will only use your personal information in the manner in which you want us to. This Privacy Policy describes how LALAMOVE collects, uses, processes and discloses your Personal Data through the use of our website, web app or mobile app, products, features and our other services. "Personal Data" is any information which can be used to identify you or from which you are identifiable. This includes but is not limited to your name, nationality, telephone number, bank and credit card details, e-mail address, your image, identity card number, driver license ID, biometric data, race, date of birth, marital status, religion, health information, vehicle and insurance information."

Angkas: ""Personal Data" means information about you, from which you can be personally identifiable, including but not limited to your name, official identification card number, birth certificate number, government identifications such as driver's license, passport number, nationality, address, telephone number, fax number, bank details, credit and debit card details, race, gender, date of birth, marital status, resident status, educational background, financial background, personal interests, email address, user location (even if the app is closed or running in the background so long as user is online) occupation, designation and the organization you work in and the industry in which you work."

JoyRide: "Personal Data. While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Location Data. We may use and store information about your location if you give us permission to do so ("Location Data"). We use this data to provide features of our Service, to improve and customize our Service. Tracking & Cookies Data. We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service."

How the data are collected

Angkas: "In addition to the Personal Data that you will directly provide to the Company, the Company may also collect your Personal Data from other sources such as: 1. Application or registration forms or other similar forms which you have filled out; 2. Publicly available documents, such as directories; 3. Company's social media pages, if you follow, like, subscribe or are a fan of such pages; 4. Credit reporting agencies; 5. Various entities or divisions affiliated with the Company; Or from instances such as: 1. When you interact and communicate with the Company during its events or activities; 2. When you enter into contests organized by the Company; or 3. By using the Company's digital properties, including but not limited to its website, Angkas Application (the "App") or other user-facing Software where Personal Data may be collected by use of cookies or similar means."

JoyRide: "Joyride Technologies Inc uses the collected data for various purposes:
● To provide and maintain our Service
● To notify you about changes to our Service
● To allow you to participate in interactive features of our Service when you choose to do so
● To provide customer support
● To gather analysis or valuable information so that we can improve our Service
● To monitor the usage of our Service
● To detect, prevent and address technical issues"

Rules on retention

Lalamove: "We will only retain your Personal Data for as long we are either required to by law or as is relevant for the purposes for which it was collected. We will cease to retain your Personal Data or remove the means by which the Personal Data can be associated with you as soon as it is reasonable to assume that such retention no longer serves the purposes for which the information was collected, and is no longer necessary for any legal or business purposes."

Angkas: "Subject to applicable requirements of the DPA and other relevant laws and regulations, Personal Data shall not be retained by the Company for a period longer than necessary and/or proportionate to the purposes for which such data was collected. The Company retains your Personal Data for as long you maintain your account with the Company, for as long as your Personal Data remains necessary for the services or purposes mentioned above or for other legal or business purposes. The period of retention may be extended when circumstances so permit, such as, but not limited to, for purposes of safety, security and fraud prevention and detection."

JoyRide: "Joyride Technologies Inc will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. Joyride Technologies Inc will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods."

Disclosure to third parties

Lalamove: "The Personal Data which you have provided to us will generally be kept confidential, but your Personal Data may be disclosed to the following categories of parties: a) any person to whom we are compelled or required to do so under law or in response to a government agency; b) government agencies and statutory authorities; c) our auditors, consultants, accountants or other financial or professional advisors; d) any other individuals or organizations with your consent or instructions; e) our subsidiaries and our associated companies; f) our service providers and business partners such as our vendors, consultants, marketing partners, research firms, payment processors and facilitators, data analytics providers and financial and insurance partners; g) if you are a customer, we will share the location of the pick-up and delivery locations with the drivers; h) if you are a driver, we will share your Personal Data with the customer, including your name and photo, vehicle make and model, number plate, location and your average rating;"

Angkas: "Your Personal Data may be transferred, accessed by or disclosed to third parties for the Purposes and Additional Purposes, subject to a data sharing agreement as required by law. The Company may engage other companies, service providers or individuals to perform functions on its behalf, and consequently, provide access to or disclose your Personal Data to such service providers or third parties. These third parties include, without limitation: 1. Company's partners, which include parties with whom the Company collaborates with for certain events, programs and activities, and in the implementation of cashless transactions; 2. event management companies and event sponsors; 3. marketing research companies; 4. service providers, including information technology (IT) service providers for infrastructure, software and development work; and 5. professional advisers and external auditors, including legal advisers, financial advisers and consultants, and regulatory entities. 6. Government entities which require disclosure of personal data. Your Personal Data may also be shared in connection with a corporate transaction, such as a sale of a subsidiary, division, merger, consolidation, asset sale or in the unlikely event of winding-up of the Company."

JoyRide: "Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction."

Notes
[13] Lalamove Privacy Policy, last accessed April 13, 2023: https://www.lalamove.com/malaysia/kualalumpur/en/privacy
[14] Angkas Privacy Policy, last accessed April 13, 2023: https://angkas.com/privacy-policy/
[15] JoyRide Privacy Policy, last accessed April 14, 2023: https://joyride.city/privacy-policy/#:~:text=Joyride%20Technologies%20Inc%20may%20disclose,in%20connection%20with%20the%20Service

C. Removal of Stored Information

Granting every user access to personal information can be very dangerous. An article published by Norton, one of the leading cybersecurity vendors, explains several ways an attacker can exploit a victim while knowing only the victim's name and address. One example Norton gives is using the name and address to answer security questions, which lets an attacker redirect the victim's mail to a different address or break into the victim's email account.[16] One way to prevent the unnecessary granting of access to information is the practice of privacy by design in how businesses provide services. The emphasis on privacy can already be seen in how some TNVS providers operate.

1. Privacy by design

Privacy by design is a principle in data privacy under which privacy must be incorporated into networked data systems and technologies by default. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, wrote seven foundational principles of privacy by design, among them:

a) Privacy measures must be proactive, not reactive[17]

Data privacy and security must never be an afterthought, and protecting and securing data must not begin only after a breach has occurred. For TNVS providers, this means that their applications must be designed so that the information of data subjects is limited outright, not only limited upon request.
b) End-to-End Security[18]

End to end means that data is protected from the moment it is provided, such as when users and drivers fill out forms for TNVS operators, up to the point when it is deleted, such as when users deactivate their accounts or when drivers are no longer contracted by TNVS providers. For a TNVS provider to secure data from end to end, there must be no point at which data subjects are exposed to exploitation. TNVS providers can do this by securing personal information and by ensuring that users who no longer need access to certain information are no longer given it.

Notes
[16] Kim Porter, Norton, "Can Your Identity Be Stolen With Only a Name and Address?", 28 Nov 2017, https://lifelock.norton.com/learn/identity-theft-resources/can-your-identity-be-stolen-with-only-a-name-and-address
[17] Ann Cavoukian, "Privacy by Design: The 7 Foundational Principles, Implementation and Mapping of Fair Information Practices", p. 2 (2010)
[18] Ann Cavoukian, "Privacy by Design: The 7 Foundational Principles, Implementation and Mapping of Fair Information Practices", p. 4 (2010)

II. The Law and the Gap

The Data Privacy Act of 2012 and its implementing rules and regulations are the governing rules on data privacy in the Philippines. Important features of the law include (1) the definitions of personal information and sensitive personal information, (2) the consent of the data subject, and (3) the principles of data privacy. While these features strengthen the protection of data privacy in the Philippines, (4) a gap exists where TNVS providers comply with their obligations under the Data Privacy Act yet incidentally put their users in a vulnerable position.

1. Personal Information and Sensitive Personal Information

Personal Information[19]

(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Sensitive Personal Information[20]

(l) Sensitive personal information refers to personal information:
(1) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.

2. Consent of Data Subject[21]

(b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

3. Principles of Data Privacy[22]

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must be:
(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out herein.

Notes
[19] Data Privacy Act, R.A. 10173 § 3 (g)
[20] Data Privacy Act, R.A. 10173 § 3 (l)
[21] Data Privacy Act, R.A. 10173 § 3 (b)
[22] Data Privacy Act, R.A. 10173 § 11

4. Gap

In relation to these provisions, the law does protect the data subject.
It even grants them rights, such as the right to be informed about their data,[23] the right to access their data,[24] and the right to have their data deleted,[25] to name a few. However, when the data subject consents to TNVS providers sharing their data in the manner necessary for the service, an incidental vulnerability is created for users and riders alike: their data is stored on the devices of other users, who may be able to exploit it.

Notes
[23] Data Privacy Act, R.A. 10173 § 16 (b)
[24] Data Privacy Act, R.A. 10173 § 16 (c)
[25] Data Privacy Act, R.A. 10173 § 16 (e)

III. The Bill

AN ACT REQUIRING TRANSPORT NETWORK VEHICLE SERVICE PROVIDERS TO LIMIT THE PERSONAL INFORMATION ACCESSIBLE TO USERS IN A JUSTIFIED OPERATIONAL LIMITATION OVERVIEW FORM OR OTHERWISE THROUGH CENSORSHIP OF DATA

SECTION 1. Short Title. - This Act shall be known as the "Justified Operational Limitation Overview Act of 2023" or the "J.O.L.O. Act of 2023."

SECTION 2. Declaration of Policy. - It is hereby declared the policy of the State to protect the privacy and security of the personal information of individuals, including those who use transport network vehicle services (TNVS). To achieve this policy, the State must regulate how these applications use, store, and allow access to such information.

SECTION 3. Definition of Terms. -
(a) Access - refers to the ability or the opportunity to view or copy certain information or data.
(b) Drivers or Riders - refers to persons engaged by TNVS providers to operate a motor vehicle, whether a motorcycle, sedan, 6-seater, or 8-seater, in order to transport passengers or items made for delivery.
(c) Information or data - refers to personal information and sensitive personal information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably ascertained by a person viewing it.
(d) Justified Operational Limitation Overview (J.O.L.O.) - refers to the limited view of information or data. It may be limited to the first name followed by the first letter of the last name.
(e) Transport Network Vehicle Services or Transport Network Companies - refers to entities that provide pre-arranged transportation services in exchange for monetary or credit compensation, using either a browser or an application installed on a mobile device or other kind of computer device, connecting drivers or riders with passengers or users.
(f) Users, Consumers, or Passengers - refers to persons contracting the services of TNVS providers in order either to be transported from point to point or to send and/or receive items made for delivery.
(g) Transaction - for purposes of this Act, a transaction refers to the implied or express contractual agreement between the user and the TNVS provider for the delivery of an item or items, or for the transportation of the user and/or other passengers from point to point. A transaction begins from the moment a ride or delivery is booked and is completed at the moment the item for delivery has been handed over to the intended recipient or the moment the user and/or passenger arrives at his intended destination.

SECTION 4. Limitation on Accessible Information. - Thirty (30) days after this Act takes effect, all TNVS providers shall be mandated to limit the accessibility of the information shown in the 'History of Transactions' portion of their respective applications. The limitation shall be as follows:
(a) TNVS providers shall only make visible the full name of the currently booked driver/rider and the full name of the user.
(b) After the transaction has been completed, the name of the user, in the application of the rider/driver, shall be censored by means of J.O.L.O.
(c) Similarly, after the completion of the transaction, the name of the driver/rider, in the application of the user, shall also be censored by means of J.O.L.O.
(d) Portraying information by means of J.O.L.O. shall mean showing only the first name of the user and of the driver, followed by the first letter of their last name.

SECTION 5. Alternative. - Alternatively, TNVS providers may opt to entirely remove the names of past drivers from the applications of users, and the names of past users from the applications of drivers, 72 hours after the completion of the transaction.

SECTION 6. Separability Clause. - If any provision of this Act is declared invalid or unconstitutional, the remaining provisions not affected by such declaration shall remain in full force and effect.

SECTION 7. Repealing Clause. - All laws, decrees, executive orders, rules and regulations or parts thereof inconsistent with this Act are hereby repealed or modified accordingly.

SECTION 8. Effectivity. - This Act shall take effect fifteen (15) days after its publication in the Official Gazette or in a newspaper of general circulation.
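To make the Section 4 masking rule and the Section 5 72-hour alternative concrete, and with them the end-to-end point in Part I.C that access should lapse once it is no longer needed, the following is an added example written for this page. It is not part of the bill, the paper, or any TNVS provider's software. It assumes a server-side history endpoint that builds each entry from a stored booking record; the record's field names, the decision to withhold the driver's photo on the same schedule as the name, the use of a trailing period after the initial, and the sample bookings are all assumptions made for the example.

```python
"""Added example for the J.O.L.O. Act (Sections 3(d), 4 and 5): a server-side
history filter. Not the paper's or any provider's code; field names and the
sample data below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REMOVAL_WINDOW = timedelta(hours=72)  # Section 5 alternative: names vanish 72 h after completion


@dataclass(frozen=True)
class Transaction:
    """One booking as stored on the server (field names assumed for the example)."""
    tx_id: str
    user_name: str
    driver_name: str
    driver_photo_url: Optional[str]
    booked_at: datetime
    completed_at: Optional[datetime]  # None while the ride or delivery is in progress


def jolo(full_name: str) -> str:
    """Section 3(d)/4(d): first name followed by the first letter of the last name.

    Whitespace is normalised. A one-word name has no last name to abbreviate and is
    returned unchanged (assumption: the bill is silent on that case). Middle names and
    the inner words of multi-word surnames are dropped, the conservative reading.
    """
    parts = full_name.split()
    if not parts:
        return ""
    if len(parts) == 1:
        return parts[0]
    return f"{parts[0]} {parts[-1][0]}."


def history_entry(tx: Transaction, viewer_role: str, now: datetime,
                  mode: str = "jolo") -> dict:
    """What ONE viewer may see about the counterparty for one history item.

    viewer_role: "user" (sees the driver) or "driver" (sees the user).
    mode "jolo":   Section 4: full name while the transaction is in progress,
                   J.O.L.O. form from the moment it is completed.
    mode "remove": Section 5: full name until 72 hours after completion, then no name.
    The driver's photo is withheld on the same schedule as the name (assumption: the
    bill's text limits names only, while the paper's complaint covers photos too).
    """
    if viewer_role not in ("user", "driver"):
        raise ValueError("viewer_role must be 'user' or 'driver'")
    if mode not in ("jolo", "remove"):
        raise ValueError("mode must be 'jolo' or 'remove'")
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware so the 72-hour clock cannot drift")

    counterparty = tx.driver_name if viewer_role == "user" else tx.user_name
    photo = tx.driver_photo_url if viewer_role == "user" else None
    entry = {"tx_id": tx.tx_id, "booked_at": tx.booked_at.isoformat()}

    if tx.completed_at is None:                      # Sec. 4(a): booked, not yet completed
        entry.update(status="in_progress", counterparty=counterparty, photo=photo)
        return entry

    entry["status"] = "completed"
    if mode == "jolo":                               # Sec. 4(b), 4(c)
        entry.update(counterparty=jolo(counterparty), photo=None)
    elif now - tx.completed_at < REMOVAL_WINDOW:     # Sec. 5: inside the 72-hour window
        entry.update(counterparty=counterparty, photo=photo)
    else:                                            # Sec. 5: past the window, nothing shown
        entry.update(counterparty=None, photo=None)
    return entry


def history_view(transactions, viewer_role, now, mode="jolo"):
    """Filter a whole history list, newest booking first."""
    ordered = sorted(transactions, key=lambda t: t.booked_at, reverse=True)
    return [history_entry(t, viewer_role, now, mode) for t in ordered]


def sample_data():
    """Constructed sample bookings (not real data): one completed ride and one in
    progress. Returns the list and the reference time t0 the bookings are built on."""
    t0 = datetime(2023, 4, 13, 8, 0, tzinfo=timezone.utc)
    txs = [
        Transaction("A1", "Maria Clara Santos", "Juan dela Cruz",
                    "https://cdn.example/juan.jpg", t0, t0 + timedelta(minutes=30)),
        Transaction("A2", "Maria Clara Santos", "Pedro Reyes",
                    "https://cdn.example/pedro.jpg", t0 + timedelta(days=5), None),
    ]
    return txs, t0


if __name__ == "__main__":
    txs, t0 = sample_data()
    for row in history_view(txs, "user", t0 + timedelta(days=5, hours=1)):
        print(row)
```

The filtering is done on the server before the record is serialized, because the paper's complaint is precisely that full names persist inside the other party's application: masking applied only in the app's screen would leave the full name in the client's local cache and in every API response an interested user can capture. Under the same reasoning, the Section 5 mode compares against the server clock in UTC rather than trusting a timestamp sent by the client.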