Wednesday, May 7, 2014

Grey Areas of R.A. 10173 (Data Privacy Act of 2012)

Vestibulum Eu Orci Lectus Et Lex
(Data Privacy Law and its Grey Areas)

In the view of Justice William Douglas, "Liberty in the constitutional sense must mean more than freedom from unlawful governmental restraint; it must include privacy as well, if it is to be a repository of freedom. The right to be let alone is indeed the beginning of all freedom." As a matter of fact, this right to be let alone is, to quote Mr. Justice Louis Brandeis, "the most comprehensive of rights and the right most valued by civilized men."

Privacy is defined as the state of being private. Private derives from privatus, Latin for belonging to oneself, not public or pertaining to the state. It is the right to separate oneself from, or to unite with, others (the right to exclude or include) by one's own voluntary choice. [1] It is a very sacred and cherished right, for which each individual clamors for the protection and preservation of one’s identity from public scrutiny, whether such scrutiny comes from a neighbor’s prying eyes, an investigator’s eavesdropping ears, or a news photographer’s intrusive camera.

Since time immemorial, man has come up with different ways to guard this right. Some of these were the creation of secret pass codes in communication and in commercial transactions, the building of high perimeter fences around houses, the maintenance of vast trained armies, and the hiring of the best intelligence personnel in prestigious companies and in the government. These defenses for this most precious jewel were refined over many years to ensure that it is neither abused nor violated. Laws carrying stricter penalties were passed to make sure that privacy is amply protected. Even the different constitutions of the world have clearly stipulated the well-entrenched protection of the right to privacy of their constituents.

The constitutional right to privacy protects the liberty of people to make certain crucial decisions regarding their well-being without government coercion, intimidation, or interference. Such crucial decisions may concern religious faith, moral values, political affiliation, marriage, procreation, or death. The 1987 Constitution guarantees the right of individuals to make these decisions according to their own conscience and beliefs. The government is not constitutionally permitted to regulate such deeply personal matters.

The right to privacy, as an inherent concept of liberty, has long been recognized as a constitutional right. The concept of liberty would be emasculated if it does not likewise compel respect for his personality as a unique individual whose claim to privacy and interference demands respect. As such it is accorded recognition independently of its identification with liberty; in itself, it is fully deserving of constitutional protection. The language of Prof. Emerson is particularly apt: "The concept of limited government has always included the idea that governmental powers stop short of certain intrusions into the personal life of the citizen. This is indeed one of the basic distinctions between absolute and limited government. Ultimate and pervasive control of the individual, in all aspects of his life, is the hallmark of the absolute state. In contrast, a system of limited government, safeguards a private sector, which belongs to the individual, firmly distinguishing it from the public sector, which the state can control. Protection of this private sector — protection, in other words, of the dignity and integrity of the individual — has become increasingly important, as modern society has developed. All the forces of a technological age — industrialization, urbanization, and organization — operate to narrow the area of privacy and facilitate intrusion into it. In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society." [2]

The right of privacy protected by the Constitution gained a foothold in Griswold v. Connecticut, [3] in which the Supreme Court struck down a state statute forbidding married adults from using birth control because the statute violated the sanctity of the marital bedroom. Acknowledging that the Constitution does not mention the word privacy anywhere in its text, the Court held that a general right to privacy may be inferred from the express language of the First, Third, Fourth, Fifth, and Fourteenth Amendments, as well as from the interests protected by them. The Court said that the First Amendment guarantees the right to peaceably assemble, which includes the liberty of any group to associate in private. The Third Amendment prohibits the government from quartering soldiers in a private home without the consent of the owner. The Fourth Amendment forbids the government from performing warrantless and unreasonable searches of any area in which a person maintains a reasonable expectation of privacy. The Fifth Amendment safeguards the right of criminal suspects to keep secret any incriminating evidence that might help the government obtain a conviction against them. The Fourteenth Amendment prevents states from denying their citizens certain fundamental rights that are deemed essential to the concepts of equality or liberty, including the right to autonomy, dignity, and self-determination.

In Ople vs. Torres, [4] the Supreme Court traced the constitutional and statutory bases of the right to privacy in Philippine jurisdiction, where the right of privacy is recognized and enshrined in several provisions of our Constitution. It is expressly recognized in Article 3 (Bill of Rights) of the 1987 Constitution of the Philippines. Some of its pertinent provisions are:
·       Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.
·       Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.
·       Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.
·       Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law.
·       Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.
·       Sec. 17. No person shall be compelled to be a witness against himself.

Aspects of privacy are likewise enshrined and protected in our laws. The Civil Code provides that "every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons" and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another. [5] It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person, [6] and recognizes the privacy of letters and other private communications. [7]

The Revised Penal Code makes a crime the violation of secrets by an officer, [8] the revelation of trade and industrial secrets, [9] and trespass to dwelling. [10] Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law, [11] the Secrecy of Bank Deposits Act [12] and the Intellectual Property Code. [13] The Rules of Court on privileged communication likewise recognize the privacy of certain information. [14]

The modern world, with its latest innovations and technological developments, plays a vital role in society's progress toward economic stability and advancement, and this has had an impact on the privacy and personal lives of people today. In an environment driven by rapid technological improvement, where information about anything and anybody comes in handy, privacy might become a thing of the past if personal information is open to public scrutiny. If this happens, the provisions of our 1987 Constitution on respect for one’s privacy will be defeated. These changes give the government reason to act and create laws for the protection and development of society. Our legislature may have anticipated this, hence the birth of the Philippine Data Privacy Act.

The Philippines is one of over 80 countries around the world with comprehensive data privacy laws. REPUBLIC ACT NO. 10173 (Data Privacy Act of 2012), [15] recently enacted by the Congress and approved by the President, is expected to boost investor confidence in the Philippines, especially in the business process outsourcing space, where the confidentiality and security of data and information are top concerns. It is the policy of the State that it recognizes the vital role of information and communications technology in nation building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. [16] The Act seeks to “protect the fundamental human right of privacy of communication while ensuring the free flow of information to promote innovation and growth” and borrows from two statutory models, namely (i) the “European Union Directive on the Protection of Individuals with Regards to the Processing of Personal Data and on the Free Movement of Such Data”; and (ii) the APEC Data Privacy Framework. In doing so, it adopts the fair information principles on which most countries’ data privacy laws are based.
Some of the law’s essential characteristics are as follows: [17]
1.     It principally deals with the processing of Personal Information (Sec. 3g) and Sensitive Personal Information (Sec. 3l);
2.     It paved the way for the creation of the National Privacy Commission, which has yet to promulgate the Implementing Rules and Regulations (Sec. 7).
3.     The Processing of Personal Information is lawful under the following circumstances:
a.     there is consent of the data subject;
b.     necessary to the fulfillment of a contract or of a legal obligation;
c.     in response to national emergency, public order and safety;
d.     when the life and health, or other vital interests of the data subject are involved;
e.     in pursuit of legitimate interests by the personal information controller or by a third party to whom the data is disclosed, provided that the fundamental rights and freedoms of the data subject are not violated.
4.     On the other hand, companies that subcontract the processing of personal information to a third party shall have full liability and cannot pass on the accountability for that responsibility (Sec. 14).
5.     Data subjects have the right to know if their personal information is being processed. They can demand information such as the source of the information, how their personal information is being used, and a copy of their information. One has the right to request removal and destruction of one’s personal data unless there is a legal obligation that requires it to be kept or processed. (Secs. 16 and 18)
6.     If the data subject has already passed away or become incapacitated (for one reason or another), their legal assignee or lawful heirs may invoke their data privacy rights. (Sec. 17)
7.     Personal information controllers must ensure security measures are in place to protect the personal information they process and be compliant with the requirements of this law. (Secs. 20 and 21)
8.     If a personal information controller's system or data is compromised, the controller must notify the affected data subjects and the National Privacy Commission. (Sec. 20)
9.     Heads of government agencies must ensure their systems' compliance with this law (including security requirements). Personnel can only access sensitive personal information off-site, limited to 1000 records, in government systems with proper authority and in a secured manner. (Sec. 22)
10.  Contracts that involve access to sensitive personal information from one thousand (1,000) or more individuals require registration of the Personal Information Processing System with the Commission (Sec. 24).
11.  Penalties of imprisonment ranging from three (3) years to six (6) years and a fine of not less than One Million Pesos (Php1,000,000.00) but not more than Five Million Pesos (Php5,000,000.00) shall be imposed for the processing of personal information and sensitive personal information based on the following acts:
a.     Unauthorized Processing (Sec. 25);
b.     Accessing due to Negligence (Sec. 26);
c.     Improper disposal (Sec. 27);
d.     Processing for Unauthorized Purposes (Sec. 28);
e.     Unauthorized Access or Intentional Breach (Sec. 29);
f.      Concealment of Security Breaches (Sec. 30);
g.     Malicious Disclosure (Sec. 31); and
h.     Unauthorized Disclosure (Sec. 32).
12.  An accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied if the offense is committed by a public officer (Sec. 36).

Even though the said law has already been approved by the President and has the full force and effect of a statute, it still contains many vague and grey areas that will not protect the right of the people to their privacy. Many sections of the law leave the reader with unclear concepts, such as:
·       Section 3 (b) of R.A. 10173, which talks about the “Consent of the Data Subject”. It states that the consent must be freely given, that it must be in writing and authorized, and that an agent may also give it on behalf of the data subject. The big question is: what if forgery happens? How can they make sure that the written authorization is not forged? If this happens, the consent is not freely given and is against the will of the person. Critics argue that the potential for abuse and invasion of privacy is even greater with the use of biometrics since it is vulnerable to identity fraud. [18] The citizen is no longer in control of his personal information. It is clear that mere consent will suffice to get information, but what if the information is transferred from one person to another?
·       Section 4 of the said law provides that it applies to personal information controllers and processors who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines. But what if the perpetrators are not found in the Philippines, do not use equipment located in the country, and do not maintain an office, branch or agency in the Philippines? Are they exempted even though they are processing personal information of a Filipino citizen?
·       Section 5 of the Data Privacy Act of 2012 provides protection afforded to journalists and their sources: “nothing in this act shall be construed as to have amended or repealed the provisions of Republic Act No. 52, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor or reporter.” Assume that the collection of personal information was declared to be for the purpose of systematic identification of all prisoners in the country, each of whom was given an identification number. A prisoner escaped and was identified. Using the personal information he submitted, possibly a credit card number, the Personal Information Controller tracked him down. Then a journalist, willing to do anything to obtain an exclusive on this matter, successfully bribes the Personal Information Controller for the whereabouts of the fugitive. The next day, he publishes his interview with the fugitive. His defense would be Section 5: that he cannot be compelled to reveal the source of any news report that was related to him under the guise of confidentiality. Is this proper and fair?
·       Section 6 explains the “Extraterritorial Application” of the law, but it also has a weakness or loophole that is another infringement of privacy. This particular section provides that the law will only apply to entities that have a link or, in any other way, a connection with our country, the Philippines. So, for example, when an entity that has no connection with the Philippines processes personal information about a Filipino citizen, that citizen will not have recourse.
·       Section 8 of the same law pertains to the processing of personal information, which shall be allowed subject to compliance and must be collected for a specific purpose. Who will decide if the purpose is legitimate? How can they tell that this purpose is legitimate and that the information will not be used for some other illegitimate purpose? Are there reasonable standards to tell if it is legitimate or not?
·       Section 11(a) of R.A. 10173 states that personal information must be “collected for specified and legitimate purposes determined and declared before or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.” Under this section, there are two ways of collecting personal information: one, collecting after the purpose of such collection has been determined, and two, collecting before the purpose of such collection has been determined. The tricky part here is that data collection may happen even before the specific and legitimate purpose has been known and determined, provided the data is processed in a way compatible with such declared, specified and legitimate purposes only. Nevertheless, this might set a dangerous precedent that could pave the way to cases of mishandling of data, which could lead to violation of the right to privacy, the right against unreasonable searches and seizures, the right to liberty of abode, the right to form unions and associations, and the right against self-incrimination.
·       Section 13 (a) explains that “the processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: (a) the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing.” As pointed out earlier under Section 11, the data subject may consent to the data collection even before the specified and legitimate purposes have been determined. However, since this section deals with sensitive personal information and privileged information, there is a requirement of prior consent, from both parties involved, in the case of privileged communication. I find the usage of the word “consent” vague, although it was defined under Section 3 (b). Consent is given freely for a specific purpose and can be given on behalf of the data subject. It connotes approval or permission to use data after knowledge of the purpose of processing such sensitive personal information. There is a bit of a gray area here: suppose the data subject consented to the use of the personal information for purpose 1 but did not consent to its use for purpose 2. What happens now? Another question is how they can make sure that this information is totally secure and cannot be used for an unintended purpose. What is the scope of the words “specific purpose”? To what extent can the information be used for this purpose without violating a person's right to privacy? How can the government make sure that such information in its hands is safe and can only be used for a legitimate purpose that the law allows?
·       Section 17 of R.A. 10173, which is all about “Transmissibility of Rights of the Data Subject”, answers the question of transferability, but how can they prove the authenticity of the consent to the transferred information? How can data subjects disapprove the use of the information if it has already been transferred and is out of their hands? These questions alone indicate a clear violation of the right of privacy. The transfer of personal information without consent is a clear infringement of their right to be left alone.
·       Chapter 8 of the law provides for the penalties for the Unauthorized Processing of Personal Information and Sensitive Personal Information (Section 25), Accessing Personal Information and Sensitive Personal Information Due to Negligence (Section 26), Improper Disposal of Personal Information and Sensitive Personal Information (Section 27) and other violations of the law. If a person’s right to privacy was violated by virtue of this law and all the necessary pieces of evidence are electronic evidence, then how can that person support his allegation? The Rules on Electronic Evidence specifically states in Section 2 that it shall only apply to all civil actions and proceedings, as well as quasi-judicial and administrative cases. The victims have no other recourse because they do not have enough evidence to support their allegations. How can they protect their right if they do not have any evidence that will support their allegations?

Truly, handling of privileged or sensitive personal information must be done with utmost care, for the very reason that invasion of one’s privacy runs counter to the basic rights that an individual possesses under our Constitution. To avoid being subjected to the penalties prescribed by R.A. 10173, one must uphold the right of utmost privacy, respect the sanctity of personal information and adhere to the policies laid down by our State in carrying out its duty to afford protection and general welfare to its people. Remember, negligence in the handling of personal information is made punishable under this Act. Furthermore, those who handle personal information should keep in mind that, where personal information is concerned, there should be no room for any mistake, intentional or otherwise, and that negligence relative to data handling is a grave offense and no amount of reason could stand as a matter of defense. With the passing and approval of this Act, an individual is vested with rights which he can enforce in case of breach of privacy, i.e. the right to know if his/her personal information is being processed and how it is being used, as well as the right to demand removal or destruction of his/her stored personal data from a system unless there is a legal basis for such information to be kept or processed. I praise the President and the Congress for being prudent enough to pave the way to the birth of this law, which not only protects the interest of its inhabitants but, importantly, gives life to the mandate of our Constitution on respecting and upholding one’s privacy.

[1] Sciabarra, Chris. (n.d.). Citing Websites. In Privacy and Civilization. Retrieved May 4, 2013, from

[2] Morfe vs. Mutuc 22 SCRA 424 (1968).

[3] Griswold vs. Connecticut 381 U.S. 479, 85 S. Ct. 1678, 14 L. Ed. 2d 510 (1965).

[4] Ople v. Torres 354 Phil. 948 (1998).

[5] Article 26 of the Civil Code provides:
“Art. 26. Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons. The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief:
(1) Prying into the privacy of another’s residence;
(2) Meddling with or disturbing the private life or family relations of another;
(3) Intriguing to cause another to be alienated from his friends;
(4) Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition.”

[6] Article 32, Civil Code.

[7] Article 723, Civil Code.

[8] Article 229, Revised Penal Code.

[9] Articles 290-292, Revised Penal Code.

[10] Article 280, Revised Penal Code.

[11] R.A. 4200.

[12] R.A. 1405.

[13] R.A. 8293.

[14] Section 24, Rule 130 [C], Revised Rules on Evidence.

[15] Section 1, Republic Act 10173 (Data Privacy Act of 2012).

[16] Section 2, Republic Act 10173 (Data Privacy Act of 2012).

[17] Caroline Corro, R.A. 10173 or the Data Privacy Act of 2012, July 2013.

[18] Senate Economic Planning Office, December 2005, Citing Websites. In Policy Insights: National Identification System: Do we need one? 
Retrieved May 4, 2013 from
