Vestibulum Eu Orci Lectus Et Lex
(Data Privacy Law and its Grey Areas)
On the view of Justice William Douglas,
"Liberty in the constitutional sense must mean more than freedom from
unlawful governmental restraint; it must include privacy as well, if it is to
be a repository of freedom. The right to be let alone is indeed the beginning
of all freedom." As a
matter of fact, this right to be let alone is, to quote from Mr. Justice Louis
Brandeis "the most comprehensive of rights and the right most valued by civilized
men."
Privacy defined
as the state of being private. Private derives from privatus, Latin for
belonging to oneself, not public or pertaining to the state. It is the right to
separate oneself from, or to unite with, others-the right to exclude or
include-by one's own voluntary choice.1 It is a very sacred and
cherished right in which each individual clamors for protection and
preservation of one’s identity from public scrutiny, whether such scrutiny
comes from a neighbor’s prying eyes, an investigator’s eavesdropping ears, or a
news photographer’s intrusive camera.
Since time immemorial, man has
come up with different ways on how to guard such right. Some of those were
through the creation of secret pass codes in communication and in several commercial
transactions, building of high perimeter fences around each houses, having a
vast trained armies, and hiring the best intelligence personnel in prestigious
companies and in the government. Different defenses as mentioned for this most
precious jewel were refined over several years to ensure that this is not
abused nor violated. Laws carrying stricter penalties were passed to make sure
that privacy should be amply protected. Even the different constitutions of the
world have clearly stipulated the well-entrenched protection on the right to
privacy of their constituents.
The constitutional right to privacy protects the
liberty of people to make certain crucial decisions regarding their well being
without government coercion, intimidation, or interference. Such crucial
decisions may concern religious faith, moral values, political affiliation,
marriage, procreation, or death. The 1987 Constitution guarantees the right of
individuals to make these decisions according to their own conscience and
beliefs. The government is not constitutionally permitted to regulate such
deeply personal matters.
The right to privacy, as an
inherent concept of liberty, has long been recognized as a constitutional
right. The concept of liberty would be emasculated if it does not likewise
compel respect for his personality as a unique individual whose claim to
privacy and interference demands respect. As such it is accorded recognition independently of its
identification with liberty; in itself, it is fully deserving of constitutional
protection. The language of Prof. Emerson is particularly apt: "The
concept of limited government has always included the idea that governmental
powers stop short of certain intrusions into the personal life of the citizen.
This is indeed one of the basic distinctions between absolute and limited
government. Ultimate and pervasive control of the individual, in all aspects of
his life, is the hallmark of the absolute state. In contrast, a system of
limited government, safeguards a private sector, which belongs to the
individual, firmly distinguishing it from the public sector, which the state
can control. Protection of this private sector — protection, in other words, of
the dignity and integrity of the individual — has become increasingly important,
as modern society has developed. All the forces of a technological age —
industrialization, urbanization, and organization — operate to narrow the area
of privacy and facilitate intrusion into it. In modern terms, the capacity to
maintain and support this enclave of private life marks the difference between
a democratic and a totalitarian society."2
The right of privacy protected by the
Constitution gained a foothold in Griswold v. Connecticut3 in
which the Supreme Court struck down a state statute forbidding married adults
from using birth control because
the statute violated the sanctity of the marital bedroom. Acknowledging that
the Constitution does not mention the word privacy anywhere in its text, the Court held
that a general right to privacy may be inferred from the express language of
the First, Third, Fourth, Fifth, and Fourteenth Amendments, as well as from the
interests protected by them. The Court said that the First Amendment guarantees the right to peaceably assemble, which includes
the liberty of any group to associate in private. The Third Amendment prohibits the government from quartering soldiers in a
private home without the consent of the owner. The Fourth Amendment forbids the government from performing warrantless and
unreasonable searches of any area in which a person maintains a reasonable
expectation of privacy. The Fifth
Amendment safeguards the right of
criminal suspects to keep secret any incriminating evidence that might help the
government obtain a conviction against them. The Fourteenth Amendment prevents states from denying its citizens certain fundamental
rights that are deemed essential to the concepts of equality or liberty,
including the right to autonomy, dignity, and self-determination.
In Ople vs. Torres, 4 the Supreme Court traced the
constitutional and statutory bases of the right to privacy in Philippine
jurisdiction where the right of privacy is recognized and enshrined in several
provisions of our Constitution. It is expressly recognized in Article 3 (Bill
of Rights) of the 1987 Constitution of the Philippines, some of its pertinent
provisions are:
· Sec.
1. No person shall be deprived of life, liberty, or property without due
process of law, nor shall any person be denied the equal protection of the
laws.
· Sec.
2. The right of the people to be secure in their persons, houses, papers, and
effects against unreasonable searches and seizures of whatever nature and for
any purpose shall be inviolable, and no search warrant or warrant of arrest
shall issue except upon probable cause to be determined personally by the judge
after examination under oath or affirmation of the complainant and the
witnesses he may produce, and particularly describing the place to be searched
and the persons or things to be seized.
· Sec.
3. (1) The privacy of communication and correspondence shall be inviolable
except upon lawful order of the court, or when public safety or order requires
otherwise as prescribed by law.
· Sec.
6. The liberty of abode and of changing the same within the limits prescribed
by law shall not be impaired except upon lawful order of the court. Neither
shall the right to travel be impaired except in the interest of national
security, public safety, or public health as may be provided by law.
· Sec.
8. The right of the people, including those employed in the public and private
sectors, to form unions, associations, or societies for purposes not contrary
to law shall not be abridged.
· Sec.
17. No person shall be compelled to be a witness against himself.
Aspects of privacy are likewise enshrined and
protected in our laws. The Civil Code provides that "every person shall
respect the dignity, personality, privacy and peace of mind of his neighbors
and other persons" and punishes as actionable torts several acts by a
person of meddling and prying into the privacy of another.5 It also
holds a public officer or employee or any private individual liable for damages
for any violation of the rights and liberties of another person, 6
and recognizes the privacy of letters and other private communications.7
The Revised Penal Code makes a crime the
violation of secrets by an officer, 8 the revelation of trade and
industrial secrets, 9 and trespass to dwelling.10 Invasion
of privacy is an offense in special laws like the Anti-Wiretapping Law, 11 the Secrecy of Bank Deposits Act 12 and
the Intellectual Property Code. 13 The Rules of Court on privileged
communication likewise recognize the privacy of certain information. 14
The modern world having the latest innovative
and technological development plays a vital role in the society
towards economic stability, progress and advancement that has created an impact
on the privacy and personal lives of the people today. Due
to the high technological improvement driven environment where information
about anything and anybody comes in handy, privacy might become a thing of the
past if personal information is open to public scrutiny. If this happens,
the provisions on our 1987 Constitution on respect of one’s privacy will be
defeated. These changes give reason for the government to
act and create laws for the protection and development of the society that our legislatures
might have anticipated this, hence the birth of the Philippine Data Privacy Act.
The
Philippines is one of the over 80 countries around the world with comprehensive
data privacy laws. The recently enacted by the Congress as approved by the
President, REPUBLIC ACT NO. 10173 (Data Privacy Act of 2012)
15 is
expected to boost investor confidence in the Philippines, especially in the
business process outsourcing space where the confidentiality and security of
data and information are top concerns. It is the policy of
the State that it recognizes the
vital role of information and communications technology in nation building and
its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured
and protected. 16 The Act seeks to
“protect the fundamental human right of privacy of communication while ensuring
the free flow of information to promote innovation and growth” and borrows from
two statutory models, namely (i) the “European Union Directive on the Protection of Individuals with Regards to the Processing of
Personal Data and on the Free Movement of Such Data”; and (ii) the APEC Data
Privacy Framework. In doing so, it adopts the fair information principles on
which most countries’ data privacy laws are based.
Some of the
law’s essential characteristics are as follows: 17
1. Principally
deals with the processing of Personal Information (Sec. 3g) and Sensitive
Personal Information (Section 3l);
2. It
paved the way for the creation of the National Privacy Commission, which has
yet to promulgate the Implementing Rules and Regulations (Sec. 7).
3. The
Processing of Personal Information is lawful under the following circumstances:
a. there
is consent of the data subject;
b. necessary
to the fulfillment of a contract or of a legal obligation;
c. in
response to national emergency, public order and safety;
d. when
the life and health, or other vital interests of the data subject are involved;
e. in
pursuit of legitimate interests by the personal information controller or by a
third party to whom the data is disclosed provided that the fundamental rights
and freedoms of the data are not violated.
4. On
the other hand, processing of Companies who subcontract processing of personal
information to 3rd party shall have full liability and can’t pass the
accountability of such responsibility (Sec. 14).
5. Data
subject has the right to know if their personal information is being processed.
The person can demand information such as the source of info, how their
personal information is being used, and copy of their information. One has the
right to request removal and destruction of one’s personal data unless there is
a legal obligation that required for it to be kept or processed. (Secs. 16 and
18)
6. If
the data subject has already passed away or became incapacitated (for one
reason or another), their legal assignee or lawful heirs may invoke their data
privacy rights. (Sec. 17)
7. Personal
information controllers must ensure security measures are in place to protect
the personal information they process and be compliant with the requirements of
this law. (Secs. 20 and 21)
8. In
case a personal information controller system or data got compromised, they
must notify the affected data subjects and the National Privacy Commission.
(Sec. 20)
9. Heads
of government agencies must ensure their system compliance to this law
(including security requirements). Personnel can only access sensitive personal
information off-site, limited to 1000 records, in government systems with proper
authority and in a secured manner. (Sec. 22)
10. Contracts,
which involve the access of sensitive personal information from one thousand
(1,000) or more individuals, shall register their Personal Information
Processing System with the Commission (Sec. 24).
11. Penalties
of imprisonment ranging from three (3) years to six (6) and a fine not less
than One Million Pesos (Php1,000,000.00) but not to exceed Five Million Pesos
(Php5,000,000.00) shall be imposed on the processing of personal information
and sensitive personal information based on the following acts:
a. Unauthorized
Processing (Sec. 25);
b. Accessing
due to Negligence (Sec. 26);
c. Improper
disposal (Sec. 27);
d. Processing
for Unauthorized Purposes (Sec. 28);
e. Unauthorized
Access or Intentional Breach (Sec. 29);
f. Concealment
of Security Breaches (Sec. 30);
g. Malicious
Disclosure (Sec. 31); and
h. Unauthorized
Disclosure (Sec. 32).
12. An
accessory penalty consisting in the disqualification to occupy public office
for a term double the term of criminal penalty imposed shall be applied if the
offense is committed by a public officer (Sec. 36).
Even the said law has already been approved
by the President with the full force and effect of a statute, there are still
so many vague and grey areas in this new law that will not protect the right of
the people in their privacy. Many of the sections of the law gives the reader
more unclear concepts such as:
·
Section
3 (b) of R.A. 10173, where it talks about the “Consent of the
Data Subject”. It states that the consent must be freely given, it must be in
writing and authorized, and an agent may also give it in behalf of the data
subject. The big question is what about if forgery happens? How can they make
sure that the written authorization is not forged? If this will happen, the
consent is not freely given and against the will of the person. Critics argue
that the potential for abuse and invasion of privacy is even greater with the
use of biometrics since it is vulnerable to identity fraud. 18 The
citizen is no longer in control of his personal information. It is clear that mere consent will
suffice to get information but what about if the information is transferred
from one person to another.
·
Section
4 of the said law discusses that it applies to personal
information controllers and processors who, although not found or established
in the Philippines, use equipment that are located in the Philippines, or those
who maintain an office, branch or agency in the Philippines. But what if the
perpetrators are those not found in the Philippines neither uses equipment that
are located in the country and do not maintain an office, branch or agency in
the Philippines? Are they exempted even though they are processing personal
information of a Filipino citizen?
·
Section
5 of the Data Privacy Act of 2012 provides protection
afforded to journalists and their sources, “nothing in this act shall be
construed as to have amended or repealed the provisions of Republic Act No. 52,
which affords the publishers, editors or duly accredited reporters of any
newspaper, magazine or periodical of general circulation protection from being
compelled to reveal the source of any news report or information appearing in
said publication which was related in any confidence to such publisher, editor
or reporter.” Assuming that the collection of personal information was declared
for the purpose of systematic identification of all prisoners in the country,
where each was given identification number. A prisoner escaped and was
identified. Due to the personal information he submitted, possibly credit card
number, the Personal Information Controller tracked him down. And here comes a
journalist, willing to do anything to obtain an exclusive on this matter,
successfully bribe the Personal Information Controller as to the whereabouts of
the fugitive. The next day, he publishes his interview with the fugitive. His
defense would be Section 5, that he cannot be compelled to reveal the source of
any news report that was related to him under the guise of confidentiality. Is
this proper and fair?
·
Section
6 explains on the “Extraterritorial Application” of the law
but it has also a weakness or loophole which is another infringement of privacy.
This particular section discusses that the law will only apply to entities that
has link or, in any other way, has connection with our country, the
Philippines. So, for example, when an entity that has no connection in the
Philippines, processes personal information about a Filipino citizen then they
will not have recourse.
·
Section
8 of the same law that pertains to the process of
the personal information that it shall be allowed subject to compliance and it
must be collected for specific purpose. Who will decide if the purpose is
legitimate? How can they tell that this purpose is legitimate and not be used
for some other illegitimate purpose? Are there reasonable standards to tell if
it is legitimate or not?
·
Section
11(a) of R.A. 10173 states that personal information must
be, “collected for specified and legitimate purposes determined and declared
before or as soon as reasonably practicable after collection, and later
processed in a way compatible with such declared, specified and legitimate
purposes only.” Under this section, there are two ways for collecting personal
information, one, collecting after the purpose of such collection has been
determined, and the second one, collecting before the purpose of such
collection has been determined. The tricky part here is that data collection
may happen even before the specific and legitimate purpose has been known and
determined, provided it must be processed in a way compatible with such
declared, specified and legitimate purposes only. Notwithstanding, this might
portray a dangerous precedence which could paved way to cases of mishandling of
data that could lead to violation of right to privacy, right against
unreasonable searches and seizures, right to liberty of abode, right to form
unions and associations, and the right against self-incrimination.
·
Section
13 (a) explains that “the processing of sensitive personal
information and privileged information shall be prohibited, except in the
following cases: (a) the data subject has given his or her consent, specific to
the purpose prior to the processing, or in the case of privileged information,
all parties to the exchange have given their consent prior to processing.” As
pointed out earlier under Section 11, the data subject may consent to the data
collection even before the specified and legitimate purposes have been
determined. However, since this section deals with sensitive personal
information and privileged information, there is a requirement of prior
consent, from both parties involved, in the case of privileged communication. I
find the usage of the word “consent” vague, although it was defined under Section
3 (b). Consent is given freely for a specific purpose and can be given on
behalf of the data subject. It connotes approval or permission to use data
after knowledge of the purpose of processing such sensitive personal
information. There is a bit of a gray area here, suppose the data subject
consented to the use of the personal information for purpose 1 and but did not
consent to the usage for purpose 2, what happens now? Another
question is how can they make sure that this information are totally secured
and cannot to be used in a non intended purpose? What is the scope of the word
“specific purpose”? To what
extent this purpose will be used that will not be a violation of the right of
the person in their privacy? How can the government make sure that such
information in their hands are safe and can only be used in legitimate purpose
and to which the law allows?
·
Section
17 of R.A. 10173 that is all about “Transmissibility of
Rights of the Data Subject” answers the question of transferability, but how
can they prove the authenticity of the consent of the transferred information?
How they can disapprove the use of the information if the information is
already transferred and out of their hands? These questions alone are clear
violation of the right of privacy. The transfer of personal information without
consent is a clear infringement of their right to be left alone.
·
Chapter 8 of the law provides for the penalties for the Unauthorized Processing
of Personal Information and Sensitive Personal Information (Section 25),
Accessing Personal Information and Sensitive Personal Information Due to
Negligence (Section 26), Improper Disposal of Personal Information and
Sensitive Personal information (Section 27) and other violations of the law. If
a person’s right to privacy was violated by virtue of this law and all the
necessary pieces of evidence are electronic evidence, then how can that person
support his allegation? The Rules on Electronic Evidence specifically states in
Section 2 that it shall only apply to all civil actions and proceedings, as
well as quasi-judicial and administrative cases. The victims have no other
recourse because they do not have enough evidence to support their allegations.
How they can protect their right if doesn’t have any evidence that will support
their allegations?
Truly,
handling of privileged or sensitive personal information must be with utmost
care, for the very reason that invasion of one’s privacy runs counter to the
basic rights that an individual possesses under our Constitution. To
avoid being subjected to the penalties as prescribed by R.A. 10173, one must
uphold the right of utmost privacy, respect the sanctity of personal
information and adhere to policies laid down by our State in the carrying out
of its duties to afford protection and general welfare to its people. Remember,
negligence in the handling of personal information is made punishable under
this Act. Furthermore, those who handle personal information should keep in
mind that where personal information is concerned, there should be no room for
any mistake, intentional or otherwise, that negligence relative to data
handling is a grave offense and no amount of reason could stand as a matter of
defense. With the passing and approval of this Act, an individual is vested
with rights which he can enforced in case of breach of privacy, i.e. the right
to know if his/her personal information is being processed and how it is being
used as well as the right to demand removal or destruction of his/her stored
personal data from a system unless there is a legal basis for such information
to be kept or processed. I praise the President and the Congress for being
prudent enough which paves the way to the birth of this law that protects, not
just the interest of its inhabitants but importantly, it gives life to the
mandate of our Constitution on respecting and upholding one’s privacy.
ENDNOTES:
[1]
Sciabarra, Chris. (n.d). Citing Websites. In Privacy and Civilization. Retrived May 4, 2013, from http://www.freeradical.co.nz/content/58/Privacy.php
[2] Morfe vs. Mutuc 22 SCRA
424 (1968).
[3] Griswold vs. Connecticut 381
U.S. 479, 85 S.1678, 14 L. Ed. 2d 510 (1965).
[4]
Ople v. Torres 354 Phil. 948 (1998).
[5] Article
26 of the Civil Code provides:
“Art.
26. Every person shall respect the dignity, personality, privacy and peace of
mind of his neighbors and other persons. The following and similar acts, though
they may not constitute a criminal offense, shall produce a cause of action for
damages, prevention and other relief:
(1)
Prying into the privacy of another’s residence;
(2)
Meddling with or disturbing the private life or family relations of another;
(3)
Intriguing to cause another to be alienated from his friends;
(4)
Vexing or humiliating another on account of his religious beliefs, lowly
station in life, place of birth, physical defect, or other personal condition.”
[6] Article
32, Civil Code.
[7] Article
723, Civil Code.
[8] Article
229, Revised Penal Code.
[9]
Articles 290-292, Revised Penal Code.
[10] Article
280, Revised Penal Code.
[11] R.A.
4200.
[12]
R.A. 1405.
[13] R.A.
8293.
[14]
Section 24, Rule 130 [C], Revised Rules on Evidence.
[15] Section 1 Republic
Act 10173- Data Privacy Act of 2012 http://www.gov.ph/2012/08/15/republic-act-no-10173/
[16] Section 2 Republic
Act 10173- Data Privacy Act of 2012 http://www.gov.ph/2012/08/15/republic-act-no-10173/
[17] Caroline Corro
R.A. 10173 or the Data Privacy Act of 2012. July 2013
http://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-data-privacy-act-of-2012/
[18] Senate Economic
Planning Office, December 2005, Citing Websites. In Policy Insights: National
Identification System: Do we need one?
Retrieved May 4, 2013 from
No comments:
Post a Comment