NPC set to step in if Uber hack compromised PH users

If the stolen online information from Uber compromised users in the Philippines, the National Privacy Commission (NPC) would have to work with foreign counterparts in holding the ride-hailing service firm accountable for hiding the hack that affected users across the globe.

However, how this would pan out is yet to be seen given that the cross-border implementation of NPC’s enabling law has yet to be tested, according to Privacy Commissioner Raymund Liboro in a recent interview with the Inquirer.

This comes after the newly appointed chief executive officer of Uber Technologies Inc. revealed the company had been hacked in October last year, with “some personal information of 57 million Uber users” compromised.

In a recent company blog post, Uber CEO Dara Khosrowshahi said forensic experts did not see any indication that trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth were downloaded.

The hackers, however, were able to download names, e-mail addresses and mobile phone numbers of users across the globe and the driver’s license numbers of drivers in the United States. Khosrowshahi said necessary measures had been implemented to mitigate the harm that might have been inflicted by the hacking.

“The law has a long arm statute. Internationally, there had been cross-border incidents that called for cooperation and collaboration among privacy authorities,” Liboro said in a mix of English and Filipino.

“[We] haven’t tested it at this point,” he later added.

When asked who would be held accountable for the deliberate hiding of the hack, whether global firm Uber or its local arm Uber Philippines, he said that they still need to understand Uber’s operations in the country, noting that it was “not yet clear.”

“Right now, we’re really more concerned about mitigating the possible effects on our local users,” he said.

Liboro said NPC was set to meet with US authorities on Dec. 4 to discuss enforcement issues “concerning cross-border data transfers.”

He, however, said the agenda did not include the Uber breach, noting that the meeting was scheduled prior to Uber’s statement. He did not say he would bring up the matter during the meeting next month.
