An in-app safety function that collects your audio recordings – should you be required to consent to it, and if so how?
Two main issues arise: opt-out and deemed consent by notification, and exceptions to consent.
Grab AudioProtect works like this: during a Grab ride, the driver’s and the passenger’s app records audio, which is encrypted and stored locally in the user’s device for 5 days, purportedly not accessed by Grab unless a safety incident is reported.
Grab says that users should have received in-app messages and push notifications about this. It was initially offered on an opt-in basis. Later, it was changed to opt-out.
This The Straits Times article by Esther Loi reports that users interviewed do not recall receiving notifications and felt “uncomfortable and displeased” with the arrangement.
I shared my views on how generally, the Personal Data Protection Act 2012 (PDPA) of Singapore could regulate personal data collection in such arrangements. 2 broad themes arise for consideration.
First, on opt-out arrangements, section 15A of the PDPA allows for deemed consent by notification under certain conditions.
If an organization has (i) assessed, and eliminated, mitigated, or reduced the likelihood of occurrence, of any potential adverse effects to the individual, (ii) given sufficient notice of certain information, and (iii) given reasonable time for opt-out, then there can be deemed consent. It is of course a question of fact, on a case by case basis, whether these conditions are met in any specific situation.
Second, there can be an exception to consent if the “collection, use or disclosure … is necessary for any investigation or proceedings.”
An investigation is that relating to, among other things, (a) a breach of an agreement, or (b) a contravention of any written law. Thus, it is plausible that an organization may be entitled to collect, use or disclose personal data without consent if necessary to investigate, for instance, any possible criminal conduct, or any conduct which amounts to a breach of an agreement (which may include a code of conduct).
Apart from the law, there’s a trust issue: even if an organization is entitled by law to proceed without consent, or based on deemed consent, it would want to ensure that its customers are, depending on the circumstances, sufficiently informed in such a way that it can maintain the trust of its customers.
Would in-app messages in the context of a harried user rushing to use a service suffice? What can demonstrate the claims that there is in fact no access to the recordings unless a safety issue reported? As my colleague pointed out, who knows if eg confidential/privileged conversations may have been collected and accessed.
As for me, I disabled the function after I learnt about it. At some point, some in-app push notification appeared and I must have accidentally pressed something, because at my last Grab ride, I noticed the microphone icon again.
I just turned it off again.