_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,156,156,1,952,"A financial penalty of $16,000 was imposed on GrabCar for failing to put in place reasonable security arrangements to protect the personal data of its customers from unauthorised disclosure. Personal data of a customer was disclosed to one other customer via an email sent out by GrabCar.","[""Protection"", ""Financial Penalty"", ""Transport and Storage"", ""PHV"", ""Private Hire Vehicle""]",2019-06-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Grabcar-Pte-Ltd-Emails--110619.pdf,Protection,Breach of Protection Obligation by GrabCar,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-grabcar-financial-penalty,2019-06-11,"GrabCar Pte. Ltd [2019] SGPDPC 15 COMMISSIONER FOR PERSONAL DATA PROTECTION [2019] SGPDPC 15 Case No DP-1801-B1526 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) GrabCar Pte. Ltd. (UEN No. 201427085E) … Organisation DECISION 1 GrabCar Pte. Ltd [2019] SGPDPC 15 GrabCar Pte. Ltd. Tan Kiat How, Commissioner — Case No DP-1801-B1526 11 June 2019 1 This case concerns the unauthorised disclosure of the names and mobile phone numbers of 120,747 GrabCar Pte. Ltd. (the “Organisation”) customers in marketing emails sent out by the Organisation (the “Incident”). On 5 January 2018, GrabTaxi Holdings Pte. Ltd., a related corporation of the Organisation, 1 notified the Personal Data Protection Commission of the Incident on behalf of the Organisation. The Commissioner’s findings and grounds of decision based on the investigations carried out in this matter are set out below. Material Facts 2 The Organisation is part of the Grab Group, which offers, among other things, ride- hailing transport services, food delivery and payment services on its mobile platform. As part of its marketing strategy, the Organisation regularly conducts marketing campaigns to reach out to targeted customers. These frequently involves sending emails offering special promotions to selected customers. 3 On 17 December 2017, the Organisation sent out 399,751 marketing emails to a targeted group of customers as part of a marketing campaign (“Marketing Campaign”). Out of the emails sent on that date, 120,747 emails contained the name and mobile phone number2 of another customer, i.e. the email was sent to User A’s (the intended recipient) email address but User B’s (the mismatched customer) name and mobile phone number was reflected in the email as that of the intended recipient (the “Mismatched Emails”). 4 Shortly after the Mismatched Emails were sent out, the Organisation’s Customer Experience team reported an increased number of customer queries regarding the unauthorised disclosure of their personal data to other customers. The Organisation commenced investigations immediately thereafter. It determined that the Incident was caused by the 1 The Legal and Compliance team for the Grab Group in Singapore sits within GrabTaxi Holdings Pte. Ltd. A customer’s mobile phone number is linked to their account and a customer’s email address could be linked to several mobile phone numbers. As such, the customer’s mobile phone number was included in the marketing emails to allow users to easily identify which of their accounts would be applicable for the promotion. 2 2 GrabCar Pte. Ltd [2019] SGPDPC 15 erroneous assembly of customer information from different database tables that could, in turn, be traced to changes that had been made to the structure of its customer database since the previous marketing campaign. 5 The Organisation maintains a set of user attributes, i.e. data points that describe every customer such as registration date, bookings and rides, in a database table (the “Main Table”). Each customer is assigned a unique “passengers_id” number in the Main Table. For the purpose of illustration, the Main Table would have appeared as follows: 6 passengers_id name passenger_email passenger_mobile_no 12354567 Sally Goh sal.g@amail.com 81456789 22558866 John Tan jt@amail.com 84567894 76543211 Alex Lee al@amail.com 91111212 On 24 November 2017, as part of the Organisation’s email verification efforts, 3 the Organisation’s Product Analytics team was instructed to add a new user attribute “is_email_verified”. The verified email addresses were placed in a database table (the “Verified Email Database Table”) which was separate from the Main Table. Each customer in the Verified Email Database Table was assigned a unique “verified_email_user_id” number. For the purpose of illustration, the Verified Email Database Table would have appeared as follows: verified_email_user_id Name verified_email 22558866 Luke Kang Luke.k@amail.com 76543211 Mindy Ho Mindy.ho@amail.com 12354567 M. Hafiz Hafizm@amail.com In the above example, only Luke Kang, Mindy Ho and M. Hafiz had verified their emails and would be included in the Verified Email Database Table. Those customers who did not verify their emails would not be included in the Verified Email Database Table. 3 The email verification exercise was undertaken to allow the Organisation to target customers with verified email addresses for future marketing campaigns. 3 GrabCar Pte. Ltd 7 [2019] SGPDPC 15 The “passengers_ids” and “verified_email_user_ids” were created separately but both ID numbers are of the same integer length and comprise entirely of numerals (i.e. without alphabets or other symbols). Unbeknownst to the Organisation at the time, some “verified_email_user_ids” were identical to some “passengers_ids” even though they did not identify the same customer. 8 At the time of the Incident, the procedure for using new user attributes to generate and send marketing emails was as follows: (a) Regional Marketing provides high-level marketing requirements; (b) Product Analytics creates the corresponding database queries (which were SQL commands), that identify and select the attributes to be used in the marketing campaign. This process is subject to some internal tests; (c) Data Engineering executes the database query to produce the data for the marketing campaign. The data file is then uploaded to an emailing system to generate the actual marketing emails for use in the campaign. (d) Regional Marketing “verifies” the final outcome by looking at the marketing emails that have already been sent out, typically by including some test account email addresses in the email blast. 9 In the present case, Product Analytics, who wrote the SQL command for the database query for the Marketing Campaign, wrongly equated “verified_email_user_id” with “passengers_id” and treated them as the unique identifier for a customer. As a result of this error, the SQL command used “verified_email_user_ids” to select the attributes for producing the data to generate the campaign emails. 10 As a result, when the Data Engineering team used the SQL command to produce the data to generate marketing emails for the campaign, email addresses were drawn from the Verified Email Database Table whereas the customer’s name and mobile phone number were drawn from the Main Table on the assumption that the “verified_email_user_id” and “passengers_id” referred to the same customer. The Mismatched Emails were therefore created where the “verified_email_user_id” in the Verified Email Database Table coincided with 4 GrabCar Pte. Ltd [2019] SGPDPC 15 another customer’s “passengers_id” in the Main Table. Using the sample information from the tables at paragraphs 5 and 6 above, the consolidated table would have appeared as follows: passengers name _id 12354567 22558866 76543211 11 Sally Goh John Tan Alex Lee passenger_ verified_email verified_email mobile_no _user_id 81456789 12354567 Hafizm@amail.com 84567894 22558866 Luke.k@amail.com 91111212 76543211 Mindy.ho@amail.com Using the above example, M. Hafiz (who had verified his email address) would have received an email at his verified email address, Hafizm@amail.com, with Sally Goh’s name and mobile phone number because the SQL command for the database query equated “verified_email_user_id” with “passengers_id” and his “verified_email_user_id” is identical to Sally Goh’s “passengers_id”. Similarly, Luke Kang (who had verified his email address) would have received an email at his verified email address, Luke.k@amail.com, with John Tan’s name and mobile phone number as his “verified_email_user_id” is identical to John Tan’s “passengers_id”. Mindy Ho would have received an email at her verified email address, Mindy.ho@amail.com, with Alex Lee’s name and mobile phone number as her “verified_email_user_id” was identical to Alex Lee’s “passengers_id”. 12 Although a total of 399,751 marketing emails were generated and sent in the Marketing Campaign, only customers who had verified their email addresses4 received the Mismatched Emails as they were the only ones that were assigned a “verified_email_user_id”. Emails were not sent to those who did not verify their email address. 13 Following the Incident, the Organisation took the following remedial actions: (a) the Organisation implemented more rigorous data validation and checks to the addition/changing of user attributes process; (b) the Organisation changed its practices to require a third person to perform sanity checks of the data before triggering any new campaigns; and 4 The 120,747 affected individuals. 5 GrabCar Pte. Ltd (c) [2019] SGPDPC 15 the Organisation plans to incorporate privacy by design elements by masking mobile phone numbers (eg. 9*****11) in future marketing campaigns. Findings and Basis for Determination 14 The key issue for determination is whether the Organisation had complied with its obligations under section 24 of the Personal Data Protection Act 2012 (“PDPA”). 15 As a preliminary point, customer names and mobile phone numbers are personal data as defined under section 2(1) of the PDPA as it is clearly possible to identify the individuals from that data. It was also not disputed that the personal data was disclosed mistakenly and without authorisation. Whether the Organisation complied with its obligations under section 24 of the PDPA 16 Section 24 of the PDPA requires an organisation to protect the personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the “Protection Obligation”). 17 The Commissioner finds that the Organisation did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk. As highlighted in Re Flight Raja Travels Singapore Pte. Ltd. [2018] SGPDPC 16 (at [8]): “… when an organisation makes changes to a system that processes personal data in its possession or control, the organisation has to make reasonable arrangements to prevent any compromise to personal data.” [Emphasis added.] 18 First, it is not disputed that the root cause of the Incident was an error with the database query command which erroneously treated the “verified_email_user_id” as the unique identifier when it joined data from two database tables. Essentially, the Organisation consolidated the Verified Email Database and the Main Table by equating the “verified_email_user_id” found in the Verified Email Database Table with the “passengers_id” found in the Main Table and running the command to extract the verified email address of its 6 GrabCar Pte. Ltd [2019] SGPDPC 15 clients from the Verified Email Database and the name and contact number of its clients from the Main Table. The result was that, where the “passengers_id” and the “verified_email_user_id” were coincidentally the same number, the command would have extracted the email address corresponding to the “verified_email_user_id” of a client from the Verified Email Database and matched it with the name and mobile number corresponding to the “passengers_id” of a different client from the Main Table. Therefore, the 1st client would have been sent an email from the Organisation with the name and mobile number of the 2nd client. 19 Second, the Commissioner finds that the Incident arose in part because of administrative failures. In this regard, the Organisation itself admitted that the technical documentation for the new Verified Email Database Table was not sufficiently clear. If the documentation had been clearer, the employee who wrote the SQL command for the database query might not have made the erroneous assumption and would not have joined the two database tables in that way. 20 Finally, there were shortcomings in the way the Organisation conducted tests. Tests were conducted on non-verified email addresses instead of on both non-verified and verified email addresses. The core team of testers did not discover the mismatch between the customer’s email address and his/her name and mobile number because the test email addresses used were not verified email addresses and were therefore not affected by the erroneous joining. 21 There was another grave error in this case. Investigations disclosed that there had not been proper user acceptance testing of the SQL script before it was deployed into production. Product Analytics conducted technical tests but Regional Marketing was not involved in user acceptance testing. The Regional Marketing team only verified the actual production run of emails, i.e. emails that were already sent to customers. Hence, even if they detected any errors such as the mismatched data, it would have been too late to correct the error. 22 In the circumstances, the Commissioner finds that the Organisation had failed to make reasonable security arrangements to detect errors when preparing the change, i.e. writing the database query, as well as in failing to conduct proper testing before implementing the change. It is therefore in breach of section 24 of the PDPA. 7 GrabCar Pte. Ltd [2019] SGPDPC 15 Directions 23 Having found that the Organisation is in breach of the Protection Obligation under section 24 of the PDPA, the Commissioner is empowered under section 29 of the PDPA to give the Organisation such directions as he deems fit to ensure compliance with the PDPA. 24 In assessing the breach and determining the directions to be imposed, the Commissioner took into account the following mitigating factors: (a) the Organisation was cooperative during the investigation and in line with their implementation of their data breach management plan they notified the Commission voluntarily; (b) the Organisation took immediate effective remedial action in line with their implementation of their data breach management plan; (c) the personal data disclosed compromised only the individual’s name and mobile phone number, which was not of a sensitive nature; and (d) the affected customer’s personal data was only disclosed to one individual, i.e. a customer whose “passengers_id” was identical to the affected customer’s “verified_email_user_id” number. 25 The Organisation made representations to the Commission after the preliminary grounds of decision was issued and requested for a reduction in the financial penalty of $16,000 provided in the said preliminary grounds of decision. The Organisation based this request on their prompt voluntary notification and implementation of a remediation plan, and the financial penalty amounts imposed in previous cases. In particular, the Organisation cited the cases of Re Aviva Ltd [2017] SGPDPC 14, Re NTUC Income Co-operative Ltd [2018] SGPDPC 10, Re Flight Raja Travels Singapore [2018] SGPDPC 16 and Re Challenger Technologies and another [2016] SGPDPC 6. 26 The Organisation’s voluntary notification and accountable practices had already been taken into account in assessing the financial penalty. 8 GrabCar Pte. Ltd 27 [2019] SGPDPC 15 The cited cases are distinguishable from the present case. In Re Aviva Ltd and Re NTUC Income Co-operative Ltd, the financial penalty imposed was $6,000 and $10,000 respectively. The reason that this case warrants a higher financial penalty even though it does not involve sensitive personal data (unlike in the previous two cases), is the much higher number of individuals affected. In this case, a total of 120,747 data subjects were affected, while only 2 data subjects were affected in Re Aviva Ltd and 214 data subjects were impacted in Re NTUC Income Co-operative Ltd. Similarly, only 72 data subjects were impacted in Re Flight Raja Travels Singapore. 28 Re Challenger Technologies and another was one of the first grounds of decisions which were issued. The Commission had taken into consideration the fact that the incident in that case happened in September 2014, only a few months after the coming into force of the PDPA, when organisations may not have understood fully the manner in which they were required to comply with their obligations. After more than 4 years since the PDPA has come into full force, this consideration is no longer applicable and organisations should not be referring to these early cases in estimating the quantum of the potential financial penalties that may be imposed. 29 The Commissioner hereby directs the Organisation to pay a financial penalty of S$16,000 in accordance with this direction, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full. YEONG ZEE KIN DEPUTY COMMISSIONER FOR COMMISSIONER FOR PERSONAL DATA PROTECTION 9 ",Financial Penalty,7e78075cc7309a399647c800c3e751c80479ea85,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,157,157,1,952,Directions were issued to GrabCar for failing to put in place reasonable security arrangements for GrabHitch drivers to protect the personal data of passengers that used GrabHitch services. Personal data of some GrabHitch passengers were disclosed by GrabHitch drivers without consent on social media.,"[""Protection"", ""Directions"", ""Transport and Storage"", ""PHV"", ""Private Hire Vehicle""]",2019-06-11,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision--Grabcar-Pte-Ltd-GrabHitch--110619.pdf,Protection,Breach of Protection Obligation by GrabCar,https://www.pdpc.gov.sg/all-commissions-decisions/2019/06/breach-of-protection-obligation-by-grabcar-directions,2019-06-11,"PERSONAL DATA PROTECTION COMMISSION [2019] SGPDPC 14 Case Nos DP-1702-B0508/DP-1703-B0613 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Grabcar Pte. Ltd. [UEN 201427085E] … Organisation ________________________________________________________ DECISION ________________________________________________________ Grabcar Pte. Ltd. [2019] SGPDPC 14 Grabcar Pte. Ltd. [2019] SGPDPC 14 Yeong Zee Kin, Deputy Commissioner – Case Nos DP-1702-B0508/DP-1703B0613 11 June 2019 Introduction and facts of the cases 1 This decision addresses, in the main, the obligations of an online ride- sharing platform and drivers who use the platform to provide carpool rides to passengers. Grabcar Pte Ltd (the “Organisation”) operates an online platform through the Grab mobile application (the “Grab App”) which enables individuals to book taxis or private cars for transportation services. The Grab App also provides a carpooling option, referred to in the app as “GrabHitch”. GrabHitch matches a passenger with a driver who is willing to give a lift to the passenger on the way to the driver’s destination in return for a fee. The Organisation states on its website,1 “GrabHitch is a social carpooling platform powered by everyday, non-commercial drivers giving you a lift along the way to cover petrol costs.”2 2 This decision relates to separate complaints by two passengers (the “Complainants”) who used GrabHitch to book carpool rides. The carpool rides were provided by two different drivers (the “Drivers”) on separate occasions. 1 www.grab.com/sg/hitch/ The Organisation’s website also states that GrabHitch is provided in compliance with the Road Traffic (Car Pools) (Exemption) Order 2015. 2 2 Grabcar Pte. Ltd. [2019] SGPDPC 14 Nevertheless, the two complaints are dealt with together in this decision as they both relate to similar issues, in particular, to the issue of disclosure of passengers’ personal data without consent by GrabHitch drivers. 3 The substance of each complaint was, in essence, that the Complainant’s personal data had been disclosed without consent on social media by the Driver who gave a ride to the Complainant. The details of the complaints are summarised below: (a) The first complaint alleged that the Driver involved had posted various data relating to the first Complainant on a public Facebook Group named “GrabHitch Singapore Community” (“GHSC”). These data included screenshots of messages between the Driver and the Complainant which had been sent through the Grab App and a typewritten post by the Driver which set out details of a dispute between the Driver and the Complainant and which identified the Complainant by name. The dispute in this case related to whether the Complainant should contribute to the payment of ERP charges and investigations revealed the reason that the Driver had made the posting was to seek views from other carpool drivers on how best to handle disputes relating to ERP charges. (b) The second complaint alleged that the Driver involved had posted various data relating to the second Complainant on a closed Facebook Group named “Uber/Grab SG Partners” (“UGSGP”). These data included (i) screenshots of messages between the Driver and the Complainant which had been sent through the Grab App and which included the Complainant’s mobile phone number; (ii) screenshots of 3 Grabcar Pte. Ltd. [2019] SGPDPC 14 the Grab App which showed the name of the Complainant and the Complainant’s pick-up and destination points; (iii) a screenshot of the Complainant’s Facebook Page which included her photograph, name and workplace; (iv) a typed out post by the Driver which detailed his dispute with the Complainant and disclosed the Complainant’s pick-up and destination points; and (v) a partial screenshot of SMS messages sent between the Driver and the Complainant, which included the Complainant’s mobile number. The Driver’s post in this case was about his dispute with the second Complainant on the payment of GrabHitch charges. It appeared that the Complainant had insisted that she pay for the ride by card through the Grab App although the app indicated that the complainant was to pay for her ride in cash. Investigations revealed that the reason that the Driver had posted the above information was because the Organisation could not contact the Complainant to inform her of the situation and because the Driver was of the view that this was a case of non-payment. 4 Investigations also revealed that similar postings had also been made by other drivers on GHSC. Generally, these postings disclosed information such as passengers’ names, photographs, ride details and the details of disputes between the drivers and their passengers. 5 The Organisation did not create or operate either the GHSC or UGSGP Facebook pages and investigations did not reveal any apparent link between the persons operating those pages and the Organisation. 4 Grabcar Pte. Ltd. [2019] SGPDPC 14 Issues arising 6 Under section 13 of the Personal Data Protection Act 2012 (the “PDPA”), organisations are prohibited from collecting, using or disclosing personal data about an individual unless the individual’s consent is obtained or collection, use or disclosure without consent is authorised or required under the PDPA or any other written law. 7 In addition, under section 24 of the PDPA, organisations are required to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised disclosure and various other listed risks. 8 In the circumstances, two main issues arise: (a) whether the Drivers are “organisations” under the PDPA and if so, whether they had contravened section 13 of the PDPA in relation to the disclosure of the Complainants’ personal data on the GHSC and UGSGP Facebook pages; and (b) Whether the Organisation had contravened section 24 of the PDPA with respect to the protection of the Complainants’ personal data. First Issue - Are the Drivers “organisations” under the PDPA? GrabHitch drivers provide carpool rides in a personal capacity 9 The PDPA applies to organisations as defined under the PDPA. It is 5 Grabcar Pte. Ltd. [2019] SGPDPC 14 clear from the definition of “organisation” in section 2 of the PDPA that an individual may be an “organisation” for the purposes of the PDPA. However, section 4(1) of the PDPA further provides that Parts III to VI of the PDPA (which includes section 13) do not impose any obligations on any individual acting in a personal or domestic capacity. 10 GrabHitch drivers provide carpool rides on a non-commercial and non- profit basis in accordance with the Road Traffic (Car Pools) (Exemption) Order 2015 and as such are not required to obtain a Private Hire Car Driver’s Vocational Licence. In this regard, paragraph 3(1) of the said Order states that: “Subject to sub‑paragraph (2), the provisions specified in the Schedule do not apply to a person who uses a private motor car for the carriage of a passenger for hire or reward in the case where — (a) (b) (c) (d) (e) (f) (g) the person does not solicit for the passenger on a road or at a parking place or a public stand; the carriage of the passenger is incidental to the person’s use of the private motor car; the person informs the passenger, before the start of the carriage, of the person’s destination; the person agrees with the passenger, before the start of the carriage, on the date of, pick‑up and drop‑off points of, and the payment (whether in cash or in kind) for, the carriage; the amount or the value of any benefit in kind that the person collects from the passenger as payment does not exceed the cost and expenses incurred for the carriage of the passenger; if there is more than one passenger, the aggregate of the amount or the value of any benefit in kind that the person collects from each of the passengers as payment does not exceed the cost and expenses incurred for the carriage of all the passengers; and there is nothing in or on the private motor car displaying or referring to the fares for hiring the private motor car.” 6 Grabcar Pte. Ltd. 11 [2019] SGPDPC 14 Consistent with this, the Organisation has a Driver’s Code of Conduct for GrabHitch Drivers (the “Code of Conduct”) which sets out the terms on which a GrabHitch Driver may offer carpool rides. The Code of Conduct provides that: “Specific for carpooling, as mandated by the Law: i The motor vehicle used must be registered and insured in the name of the Driver and used by the Driver or any person by the Driver’s authority expressly provided to the Company, the insurer of the vehicle and the relevant authorities ii The motor vehicle must not be used for the carriage of goods other than samples, any instructional purposes for reward, or the carriage of passengers for hire or reward purposes. These mean the Driver must:  Not solicit for passengers on a road or parking place or public stand  Ensure the carriage of the passenger is incidental to the Driver’s use of his vehicle  Inform the passenger before the start of the carriage, of the Driver’s destination  Agree with the passenger, before the start of the ride, on the date, pick-up and drop-off points, and the payment (whether in cash or in kind) for, the carriage  Ensure that the amount or the value of any benefit in kind that the Driver collects from the passenger as payment does not exceed the cost and expenses incurred for the carriage of the passenger  Ensure that if there is more than one passenger, the aggregate of the amount or the value of any benefit in kind that the person collects from each passenger as payment does not exceed the cost and expenses incurred for the carriage of all the passengers; and 7 Grabcar Pte. Ltd.   12 [2019] SGPDPC 14 Ensure that there is nothing in or on the motor vehicle that displays or refers to the fares for the hiring of the motor vehicle Not exceed the local limit (if available) of car pool trips in each day on any motor vehicle” GrabHitch drivers agree to the Code of Conduct by virtue of their agreement with the Organisation as set out in the “Terms and Conditions for Singapore GrabHitch Drivers” (the “GrabHitch Terms”). In particular, in agreeing to the GrabHitch Terms, GrabHitch drivers agree that they “have read, understood, accepted and agreed with [the GrabHitch Terms], the conditions set out in the Driver’s Registration Form and the Driver’s Code of Conduct.” 13 In respect of the limit on carpooling trips that may be offered by a GrabHitch driver, the Organisation indicates the following in the “Frequently Asked Questions” section of its website (“FAQ”): “How many trips can I offer a day as a Hitch driver? Based on current carpooling regulations, non-commercial drivers can only complete 2 trips in a calendar day. While we appreciate your enthusiasm for carpooling, please note that 2 trips a day limit is set by LTA regardless of whichever platform you use. We hope that you won’t put yourself and your riders at risk as your insurance may not cover if you do more than 2 trips a day in total, combined across all platforms. For drivers who are worried their insurance does not cover GrabHitch rides, remember we are the ONLY carpooling service who has purchased additional insurance for extra coverage provided no regulations are breached.” 8 Grabcar Pte. Ltd. 14 [2019] SGPDPC 14 Based on the foregoing, I find that GrabHitch drivers provide carpool rides in their personal capacity. This is especially so given that GrabHitch drivers: (a) are not allowed to solicit for passengers on the road, parking places or public stands; (b) are to ensure that their carrying of a passenger is merely incidental to their use of the vehicle; (c) can only collect payment for the trip on the basis of a recovery of costs and expenses for each trip; and (d) 15 are only allowed to offer two carpool trips in each calendar day. In the circumstances, GrabHitch drivers who are providing carpool rides in accordance with the applicable terms and conditions (as detailed above) are not subject to the PDPA. Accordingly, the Drivers cannot be in breach of section 13 the PDPA. It goes without saying that had any of the Drivers exceeded the daily limit of two carpooling trips, they would not be considered to have provided the carpool rides in a personal capacity. Second Issue - Did the Organisation contravene section 24 of the PDPA? 16 Although the Organisation itself had not disclosed the Complainant’s personal data, the Organisation is also required to put in place reasonable security arrangements to protect the personal data of passengers using the Grab App. In this regard, personal data obtained through the Grab App would be in 9 Grabcar Pte. Ltd. [2019] SGPDPC 14 the possession or under the control of the Organisation. This includes personal data such as the name and mobile phone number of the Complainant and any other information which was associated with, and related to, the Complainant, such as the Complainant’s pick-up point and destination. However, personal data from the second Complainant’s Facebook page would not be regarded as being in the possession or under the control of the Organisation. 17 In relation to the protection of passengers’ personal data from unauthorised disclosure to third parties, the Organisation sets out the following in the Code of Conduct: “You are prohibited from posting passenger details in public forums including social media sites or sharing contact details. This is a violation of the Personal Data Protection Act.” 18 This is the sole measure which the Organisation had put in place to prevent unauthorised disclosure of passengers’ personal data on public forum sites which GrabHitch drivers may use. Investigations revealed that the two Drivers in question were unaware of the restriction in the Code of Conduct against posting passenger details on social media sites. 19 I find that merely including this restriction in the Code of Conduct is insufficient as a reasonable security arrangement to protect passengers’ personal data. The Organisation makes its platform available to facilitate the hitching of rides or carpooling as part of its suite of commercial services. It has foreseen the risk that GrabHitch Drivers may post passenger details on social media sites as evidenced by its Code of Conduct. It could have done more to inform GrabHitch drivers of the range of acceptable and unacceptable conduct. However, apart from this entry in the Code of Conduct, there is nothing to indicate that this provision had been drawn to the attention of GrabHitch drivers 10 Grabcar Pte. Ltd. [2019] SGPDPC 14 or that they understood the importance of protecting passengers’ personal data. Furthermore, as GrabHitch drivers are not subject to the PDPA, they may not be familiar with its provisions and the obligations imposed thereunder on organisations. 20 As has been held in Re Habitat for Humanity Singapore Ltd [2018] SGPDPC 9 and Re National University of Singapore [2017] SGPDPC 5, reasonable security arrangements can include policies and practices as well as training. The Organisation ought to have put in place more detailed guidance for GrabHitch drivers to educate them about the need to handle the personal data of their riders, obtained through the Grab App, with care. As GrabHitch drivers are occasional drivers who may not be aware of the Organisation’s obligations under the PDPA, the Organisation would have done well by introducing some form of online training for them. At the very least, the abovementioned restriction in the Code of Conduct could have been proactively highlighted to GrabHitch drivers. In its representations, the Organisation asserted that requiring it to train GrabHitch drivers would be onerous. This assertion was not substantiated and probably was premised on the assumption of a classroom style training. Training is a means of communication and instruction that may take various forms and is one of the security arrangements that may be implemented by the Organisation to meet its obligations under the PDPA. It is ultimately up to the Organisation to determine the appropriate security arrangements it ought to implement to comply with its PDPA obligations. In the circumstances, I have acceded to the Organisation’s request to amend the initial Directions issued in the preliminary Grounds of Decision to remove the direction to train GrabHitch Drivers and instead leave it to the Organisation to ensure that it implements reasonable security arrangements to prevent the misuse and unauthorised disclosure of passengers’ personal data. 11 Grabcar Pte. Ltd. [2019] SGPDPC 14 Representations made by the Organisation 21 The Organisation has made representations dated 21 November 2018 in respect of the Commission’s preliminary findings, asserting that they should not be found in breach of section 24 of the PDPA. Their central argument is that a GrabHitch driver does not drive in a “personal or domestic” capacity and should be considered an “organisation” that is required to comply with the PDPA in their own right. In support of this assertion the Organisation has highlighted the following factors: (a) By driving individuals who are not friends or family, the GrabHitch driver’s activities move out of the private sphere and into the public. Accordingly, GrabHitch drivers are not driving in a “personal or domestic” capacity. (b) GrabHitch drivers “maintain independence” from the Organisation in deciding on the precise details involved in the provision of GrabHitch services (e.g. how often they drive, where to go, how much payment to collect). GrabHitch drivers therefore “determine the purposes and means of processing the personal data” of the passengers, which is a defining characteristic of an organisation. 22 As a preliminary point, I would highlight that the Organisation’s obligation to protect personal data under section 24 in its possession or control remains whether or not GrabHitch Drivers drive in a personal or domestic capacity or in a capacity as organisations as defined under the PDPA. As such, the position adopted by GrabHitch that GrabHitch drivers are required to comply with the PDPA in their own right, does not address the finding that the 12 Grabcar Pte. Ltd. [2019] SGPDPC 14 Organisation is in breach of its obligation to protect personal data under section 24 of the PDPA. 23 It bears further repetition that in my view, the Organisation’s measure of merely stating in its Driver’s Code of Conduct that GrabHitch drivers are prohibited from posting passenger details as set out at [17] above is insufficient to fulfil the Organisation’s section 24 obligations, whether or not GrabHitch drivers are to be treated as organisations in their own right. 24 Turning to the specific positions taken by the Organisation as set out at [21] above, the first factor raised by the Organisation does not accord with the basic nature of the GrabHitch service, which is fundamentally a carpooling activity facilitated by the Grab App. Carpooling is a ride-sharing practice that private drivers engage in on a purely voluntary basis, and is best characterised as a social activity aimed at defraying the costs involved in owning and maintaining a private car and reducing road congestion. Human life is filled with interactions with people who are not friends or family, and it does not follow that the mere fact of interaction with strangers should elevate an act (in this case, carpooling) from the private to the public sphere. 25 In fact, the Organisation, in the FAQ material published on its own website3, seems to recognise that GrabHitch drivers are engaged in an activity that is fundamentally private in nature: 3 Quoted portions retrieved from https://www.grab.com/sg/hitch/, accessed 10 December 2018. 13 Grabcar Pte. Ltd. [2019] SGPDPC 14 “Why should I sign up with GrabHitch? What’s in it for me? As a Hitch Driver, you get to benefit in 3 big ways: Cover your petrol costs, make new friends and contribute to a car-lite Singapore! All these at your convenience! How is being a GrabHitch driver different from being a GrabCar driver? They’re not the same at all! GrabCar drivers are commercial, professional drivers who have to register a business, purchase commercial insurance, convert their car to a commercial vehicle at the LTA and then sign up in person at the Grab office. Since Hitch Drivers are everyday, non-commercial private car owners who are not driving as a profession, the sign up process is way easier. No need for commercial vehicle conversion nor insurance, simply launch the Grab app, take a couple of photos and submit them for verification. And you’re done! Am I still considered a Hitch Driver if I don’t drive regularly? Of course you are! As a social initiative, we wouldn’t want to stress you out by imposing any penalty for irregularity. So please go ahead and enjoy driving GrabHitch at your convenience! Why can’t I get a GrabHitch driver as easily as GrabCar or GrabTaxi? GrabHitch is meant as an advance booking service as we are powered by non-commercial, everyday drivers who give Hitch Riders a lift at their convenience. Hence, there may not always be any available Hitch Drivers who are heading the same way as you do at your specified time. To secure a higher chance of being matched, book as early as you could, even up to 7 days in advance! What else should I take note of as a Hitch Rider? 1. We are all about social carpooling and social carpooling is 14 Grabcar Pte. Ltd. [2019] SGPDPC 14 about being SOCIAL. Take the front seat and make new friends! Learn how to Hitch the right way here. 2. Your Hitch Driver is not a commercial driver like our GrabCar partners so they appreciate if you could treat them the same way you would treat a friend giving you a (discounted) lift to your destination! 3. Book in advance to maximise the chances of you getting a match! We can’t emphasise this enough but really, it helps to be a little kiasu. Book the night before for a morning commute or 2 hours ahead of your evening ride home.” [Emphasis added.] 26 As repeatedly stressed in the Organisation’s materials quoted above, as compared to professional GrabCar drivers, the GrabHitch service is one that is non-commercial, only provided at the drivers’ own convenience, and primarily motivated by a desire to be social and to reduce the need for car usage. For all intents and purposes, a GrabHitch driver is no different from a driver offering a lift to a roadside hitchhiker out of goodwill. It is thus apparent from the published material that a GrabHitch driver engages in the activity in a purely personal capacity. It is also apparent, their present representations regarding this matter notwithstanding, that the Organisation recognises this. In fact, the private and casual nature of being a GrabHitch driver appears to be a main selling point for the Organisation. 27 In their representations, the Organisation also seeks to assert that whether LTA regulates GrabHitch drivers or not should be irrelevant to the determination of whether or not the drivers should be considered an organisation. The Organisation states that doing so will mean that only regulated or licensed individuals will be considered organisations. I think that this argument takes the logic too far. There is no intention to link the ambit of 15 Grabcar Pte. Ltd. [2019] SGPDPC 14 organisations under the PDPA to regulated activities. The interpretation that I have adopted is consistent with the scheme that exempts carpooling activities from the requirement of vocational licensing established under the Road Traffic (Car Pools) (Exemption) Order 2015 (the “Exemption Order”). This is also consistent with how the Organisation has pitched GrabHitch through its FAQs and Code of Conduct for GrabHitch Drivers as discussed in [11], [13] and [25] above. 28 It is not because of a supposed lack of regulation that the GrabHitch drivers are not considered organisations. Instead, it is precisely due to the personal and domestic nature of the activity they are engaging in that they are not subject to the same regulations as a commercial private hire car driver. If anything, the exemption of carpooling from the requirements of vocational licensing reflect the inherently private nature of carpooling (and by extension, the GrabHitch service). This is certainly reflected in the Exemption Order, which only applies to “private motor cars”. In addition, under section 3(1)(b) of the Exemption Order “the carriage of the passenger is incidental to the person’s use of the private motor car [emphasis added]” – unlike a taxi or private hire driver, the raison d’etre of the GrabHitch driver is not the provision of transport; in other words, a GrabHitch driver is driving in a purely private capacity and the ferrying of a passenger in the context of a GrabHitch service is incidental to this private capacity. 29 The second factor raised by the Organisation relates to the “independence” of the GrabHitch drivers from the Organisation. The Organisation asserts that because a GrabHitch driver is able to decide when to provide GrabHitch rides, where to go, how payment is made and how much payment to collect, the Organisation has little control over the purposes and 16 Grabcar Pte. Ltd. [2019] SGPDPC 14 manner in which a GrabHitch Driver processes personal data. Following from the above, the Organisation asserts that pursuant to the EU General Data Protection Regulation, the drivers are “data controllers” who are able to “determine the purposes and means of the processing of personal data”. 30 The Organisation appears to have mistakenly equated the GrabHitch driver’s choice over whether to carpool with the control of purposes for, or the manner in, which personal data is collected, used or disclosed. In this regard, I note that the Grab App will automatically transmit the personal data (such as name and mobile number) of the GrabHitch passenger to the GrabHitch Driver. This is how the Organisation programmed the Grab App to work – the GrabHitch drivers have no input into this collection and use of the personal data. In fact, it is the Organisation that discloses the passengers’ personal data to the GrabHitch Drivers in the Organisation’s chosen manner and for the purposes the Organisation deems acceptable. 31 In the circumstances, the Organisation is in control of the personal data that it collects, uses and discloses when passengers wish to use the Organisation’s GrabHitch service. The “independence” of the GrabHitch driver as asserted by the Organisation is not the sole determinant as to whether he is an “organisation” under the PDPA. As I have concluded that the GrabHitch driver is not an “organisation” under the PDPA, it is unnecessary to delve into issues around joint controllership which may arise in respect of drivers for other services that the Organisation provides on its platform. 32 One final point bears highlighting. The activities of the GrabHitch driver are only made possible because of the Grab App. In providing the platform for private individuals (both drivers and passengers) to engage in the 17 Grabcar Pte. Ltd. [2019] SGPDPC 14 sharing economy, the Organisation bears responsibility for the personal data that it collects from passengers and uses to provide its services, and discloses to GrabHitch drivers. 33 In the circumstances, and after considering the representations made by the Organisation, I find that the Organisation is in breach of section 24 of the PDPA. Directions to the Organisation 34 Having found the Organisation to be in breach of section 24 of the PDPA, I am empowered under section 29 of the PDPA to give the Organisation such directions as I deem fit to ensure its compliance with the PDPA. 35 Taking into consideration the relevant facts in this matter, I hereby direct the Organisation to: (a) review and amend the Organisation’s policies and practices to provide detailed guidance for GrabHitch drivers on the handling of the personal data of their riders and to communicate to GrabHitch drivers all relevant policies and practices (including the amended policies and practices) within 120 days of this decision to protect the personal data in the possession or control of the Organisation from unauthorised disclosure by GrabHitch drivers; (b) implement any other reasonable security arrangements as necessary to comply with section 24 of the PDPA; and 18 Grabcar Pte. Ltd. (c) [2019] SGPDPC 14 to inform the Commission within seven days of the compliance with the above directions. 36 Given that only two individuals were directly affected by the unauthorised disclosure of personal data and in consideration of the type of personal data disclosed, I find that a financial penalty is not warranted in this matter. YEONG ZEE KIN DEPUTY COMMISSIONER PERSONAL DATA PROTECTION 19 ",Directions,b13cfd3e762e67fa7f3823843de7d5cae693b203,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"