Publicly Private: On Strengthening Your Right to Privacy.

“The internet was meant to make the world a smaller place, yet the world seems smaller without it.” ~ Dr. Will Caster (Johnny Depp), Transcendence

(I didn’t like the movie but) I agree.

People have grown too dependent to the internet in terms of data or information collection, storage, processing or dissemination. It seems that the internet culture cannot be undone. Privacy in the web is almost impossible. The ugly side is that, privacy of persons are usually violated. Social networks are good catalysts of information source. Anything posted in the internet spreads like salt in water.

While lawmakers then penned more laws to deal with paper transactions such as the Law on Negotiable Instruments or Revise Penal Code’s Libel on newspapers and broadsheets, it appears inevitable for the lawmakers now to be more creative in making laws that will be more adoptive to the fast-paced technological advancements. Some of the laws passed that deal with the technological changes are: RA 4200 or the Wiretapping Act, RA 8792 or the E-Commerce Law, RA 10175 or the Cybercrime Prevention Act of 2012 and RA 10173 or the Data Privacy Act.

This paper seeks to focus on RA 10173 or the Data Privacy Act of 2012.

Legislative History

When I first heard the Title of the law, The Data Privacy Act, I do not get the idea of it. For me, there is nothing catchy about its title, there is nothing interesting or seemingly important about it. Good thing I am a law student and enrolled in Technology and the Law, under Atty. Guerrero. No joke. The study of such law opened my eyes to the possibility of committing a legal violation which will prevent my dream of ATTY. But the hazard of the uninteresting title doesn’t only extend to me or my classmates, but to all the citizens of the Philippines or anyone protected by the said law. Without such understanding, one’s right to privacy could be violated every day and be not acted upon.

Here’s what I found out from the reliable internet-based gazette:

What was then Senate Bill 2965, now RA 10173 or the Data Privacy Act of 2012 was signed by President Benigno “Noynoy” Aquino on the 15th day of August, 2012, published on the 24th of August, 2012 and took effect on the 8th of September 2012. It is actually not the first among the many countries in the world to pass a law on the protection of a person’s privacy.

The Legislative Intent

In the Case of Ople v. Torres[1], it was held by the Supreme Court that:

The right to privacy is one of the most threatened rights of man living in a mass society. The threats emanate from various sources – governments, journalists, employers, social scientists, etc.

 

We would understand that the discussion of the High Court in this case gave paramount importance to the protection of one’s right to privacy, as reiterated in the Declaration of Policy, Section 2 of the law,

SEC. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

and anchored on Section 3 of the Article III (Bill of Rights) of the Philippine Constitution.  In the Bill of Rights it was given that:

Section 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.

Prior to the passage of the Republic Act 10173, Article 26 of the New Civil Code of the Philippines already provided for the same protection of human privacy. It says:

Article 26. Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons.

These laws and jurisprudence are the sufficient reasons for the relevancy of the Data Privacy Act in the Philippine Legal System.

Applicability

Sections 4 and 6 provide for the applicability of the Data Privacy Act. The pertinent provisions mentioned the scope, limitations and jurisdictional application of the law. The following are:

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;

(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and

(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and

(2) The personal information was collected or held by an entity in the Philippines.

Situational Gray Areas

Every law passed undergoes deliberation handled by the courts of justice through application of the same in everyday life situations. Although there are laws that have been long passed and still no cases had been applied to them, legal enthusiasts, lawmakers, lawyers, law students and even the public see loopholes to these laws. With the undeniable significance of the Data Privacy Act in the Philippine legal system, the following are some clouded areas in RA 10173 that seem questionable:

  1. Section12 of the law provides that:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a)    The data subject has given his or her consent;

The consent spoken of in this provision may safely be said to pertain to the allowance of the data subject to the “processing” of data, which was defined in Section3(j) of the law, as:

(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

In a sense, a data subject may give a conditional or qualified consent:

  1. Conditional if, consent was given in consideration of a favor, a happening of an event of fulfillment of a condition.
  2. Qualified if, consent was given to processing of some data with the exclusion of the others.

The problem here lies when in the following hypothetical situations:

  1. If A gives consent to the processing of a data in an unlawful condition.
  2. If A gives consent to the processing of data for only a limited time, B processed data within the given period but long term results would occur to be prejudicial to A.
  3. Can an agent give consent for the processing of a data personal to the principal?
  4. If A gives consent to the processing of 1 data provided in a personal information sheet but one data leads to another? Say for example, A gives consent to the processing of the fact that A lives in Mindoro but B disclosed to C that A lives in ORIENTAL Mindoro. Will B be liable under RA 10173?
  5. Another “processing” in Section 12 can be questionable. Section 12(c) provides:

 

Section 12 (c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

 

In the following hypothetical situation:

 

VIP, an international artist will have a concert in the Philippines so VIP checked in to Hotel A. Before the concert, VIP found out that he has a mouth blister so dentist of Hotel A was called. During the procedure, while VIP’s mouth is open and could not talk, the dentist took a photo of VIP’s mouth and put on record cavities of VIP. The record was given to the hotel dental clinic secretary.

VIP complained that the cavities should not have been recorded since the only issue was the blister. The dentist contended that it was a necessary medical issue and was done because VIP could not give consent to the act done.

Will the dentist be liable under RA 10173?

 

  1. In Section 17, it was provided that:

SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.

In this provision, is the right to give consent, not provided for in Chapter IV,Rights of the Data Subjects but obviously a right of the data subjects, included in the right that may be practiced by the legal heirs and assigns?

In my opinion, the right that Section 17 must pertain to should only focus on the right spoken of in Chapter IVof the law since consent with regard to privacy must be purely personal and not transmissible.

  1. In Section 3, Definition of Terms, the following were defined:

h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

In a hypothetical case, A was tasked to look after a computer shop while the owner is out for errands. C, a customer saved his resume in a computer desktop and also printed the same. If in any case someone was able to steal C’s data, would A, be considered a personal information controller or processor to be liable under RA 10173, when A was only tasked to look after the computer shop and not the information or data stored in the computer? Would the law be technical in applying the law in the sense that A would not be liable being a person not in charge of collection, holding, processing or use of data?

In another case, if a teleserye negligently showed a personal data of the actor or actress in a scene, say for example a phone number or a plate number being that the actual phone used in the show was the real phone of the actress. Will the producers, directors of the staff be liable under RA10173?

Conclusion

Privacy is big deal. One wrong move of a person against someone’s privacy could ruin a career path, social standing, social persona and even the life of the person. The issue of privacy should not be taken for granted. Privacy, being one of the most promising item in the Bill of Rights is obviously of paramount importance. This is the reason why laws like the Data Privacy Act should be well-studied and discussed by the lawmakers. The law’s Implementing Rules and Regulations shall not be half-baked so there would be no scrutiny by the public as to the abuse of power.

I quote again,“The internet was meant to make the world a smaller place, yet the world seems smaller without it.”

This quote reveals the world’s dependence to the internet that without it, information would be limited, up to the extent that educational system may be paralyzed.  But internet, as was mentioned, is not supposed to limit the right of the people who need the internet the same way as everybody else.

 

[1] G.R. No. 127685.  July 23, 1998

Publicly Private: On Strengthening Your Right to Privacy.

“The internet was meant to make the world a smaller place, yet the world seems smaller without it.”

~ Dr. Will Caster (Johnny Depp), Transcendence

(I didn’t like the movie but) I agree.

People have grown too dependent to the internet in terms of data or information collection, storage, processing or dissemination. It seems that the internet culture cannot be undone. Privacy in the web is almost impossible. The ugly side is that, privacy of persons are usually violated. Social networks are good catalysts of information source. Anything posted in the internet spreads like salt in water.

While lawmakers then penned more laws to deal with paper transactions such as the Law on Negotiable Instruments or Revise Penal Code’s Libel on newspapers and broadsheets, it appears inevitable for the lawmakers now to be more creative in making laws that will be more adoptive to the fast-paced technological advancements. Some of the laws passed that deal with the technological changes are: RA 4200 or the Wiretapping Act, RA 8792 or the E-Commerce Law, RA 10175 or the Cybercrime Prevention Act of 2012 and RA 10173 or the Data Privacy Act.

This paper seeks to focus on RA 10173 or the Data Privacy Act of 2012.

 

Legislative History

When I first heard the Title of the law, The Data Privacy Act, I do not get the idea of it. For me, there is nothing catchy about its title, there is nothing interesting or seemingly important about it. Good thing I am a law student and enrolled in Technology and the Law, under Atty. Guerrero. No joke. The study of such law opened my eyes to the possibility of committing a legal violation which will prevent my dream of ATTY. But the hazard of the uninteresting title doesn’t only extend to me or my classmates, but to all the citizens of the Philippines or anyone protected by the said law. Without such understanding, one’s right to privacy could be violated every day and be not acted upon.

Here’s what I found out from the reliable internet-based gazette:

What was then Senate Bill 2965, now RA 10173 or the Data Privacy Act of 2012 was signed by President Benigno “Noynoy” Aquino on the 15th day of August, 2012, published on the 24th of August, 2012 and took effect on the 8th of September 2012. It is actually not the first among the many countries in the world to pass a law on the protection of a person’s privacy.

 

The Legislative Intent

In the Case of Ople v. Torres[1], it was held by the Supreme Court that:

The right to privacy is one of the most threatened rights of man living in a mass society. The threats emanate from various sources – governments, journalists, employers, social scientists, etc.

 

We would understand that the discussion of the High Court in this case gave paramount importance to the protection of one’s right to privacy, as reiterated in the Declaration of Policy, Section 2 of the law,

SEC. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

and anchored on Section 3 of the Article III (Bill of Rights) of the Philippine Constitution.  In the Bill of Rights it was given that:

Section 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.

Prior to the passage of the Republic Act 10173, Article 26 of the New Civil Code of the Philippines already provided for the same protection of human privacy. It says:

Article 26. Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons.

These laws and jurisprudence are the sufficient reasons for the relevancy of the Data Privacy Act in the Philippine Legal System.

 

Applicability

Sections 4 and 6 provide for the applicability of the Data Privacy Act. The pertinent provisions mentioned the scope, limitations and jurisdictional application of the law. The following are:

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;

(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and

(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and

(2) The personal information was collected or held by an entity in the Philippines.

 

Situational Gray Areas

Every law passed undergoes deliberation handled by the courts of justice through application of the same in everyday life situations. Although there are laws that have been long passed and still no cases had been applied to them, legal enthusiasts, lawmakers, lawyers, law students and even the public see loopholes to these laws. With the undeniable significance of the Data Privacy Act in the Philippine legal system, the following are some clouded areas in RA 10173 that seem questionable:

  1. Section12 of the law provides that:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a)    The data subject has given his or her consent;

The consent spoken of in this provision may safely be said to pertain to the allowance of the data subject to the “processing” of data, which was defined in Section3(j) of the law, as:

(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

In a sense, a data subject may give a conditional or qualified consent:

  1. Conditional if, consent was given in consideration of a favor, a happening of an event of fulfillment of a condition.
  2. Qualified if, consent was given to processing of some data with the exclusion of the others.

The problem here lies when in the following hypothetical situations:

  1. If A gives consent to the processing of a data in an unlawful condition.
  2. If A gives consent to the processing of data for only a limited time, B processed data within the given period but long term results would occur to be prejudicial to A.
  3. Can an agent give consent for the processing of a data personal to the principal?
  4. If A gives consent to the processing of 1 data provided in a personal information sheet but one data leads to another? Say for example, A gives consent to the processing of the fact that A lives in Mindoro but B disclosed to C that A lives in ORIENTAL Mindoro. Will B be liable under RA 10173?
  5. Another “processing” in Section 12 can be questionable. Section 12(c) provides:

 

Section 12 (c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

 

In the following hypothetical situation:

 

VIP, an international artist will have a concert in the Philippines so VIP checked in to Hotel A. Before the concert, VIP found out that he has a mouth blister so dentist of Hotel A was called. During the procedure, while VIP’s mouth is open and could not talk, the dentist took a photo of VIP’s mouth and put on record cavities of VIP. The record was given to the hotel dental clinic secretary.

VIP complained that the cavities should not have been recorded since the only issue was the blister. The dentist contended that it was a necessary medical issue and was done because VIP could not give consent to the act done.

Will the dentist be liable under RA 10173?

 

  1. In Section 17, it was provided that:

SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.

In this provision, is the right to give consent, not provided for in Chapter IV,Rights of the Data Subjects but obviously a right of the data subjects, included in the right that may be practiced by the legal heirs and assigns?

In my opinion, the right that Section 17 must pertain to should only focus on the right spoken of in Chapter IVof the law since consent with regard to privacy must be purely personal and not transmissible.

  1. In Section 3, Definition of Terms, the following were defined:

h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

In a hypothetical case, A was tasked to look after a computer shop while the owner is out for errands. C, a customer saved his resume in a computer desktop and also printed the same. If in any case someone was able to steal C’s data, would A, be considered a personal information controller or processor to be liable under RA 10173, when A was only tasked to look after the computer shop and not the information or data stored in the computer? Would the law be technical in applying the law in the sense that A would not be liable being a person not in charge of collection, holding, processing or use of data?

In another case, if a teleserye negligently showed a personal data of the actor or actress in a scene, say for example a phone number or a plate number being that the actual phone used in the show was the real phone of the actress. Will the producers, directors of the staff be liable under RA10173?

Conclusion

Privacy is big deal. One wrong move of a person against someone’s privacy could ruin a career path, social standing, social persona and even the life of the person. The issue of privacy should not be taken for granted. Privacy, being one of the most promising item in the Bill of Rights is obviously of paramount importance. This is the reason why laws like the Data Privacy Act should be well-studied and discussed by the lawmakers. The law’s Implementing Rules and Regulations shall not be half-baked so there would be no scrutiny by the public as to the abuse of power.

I quote again,“The internet was meant to make the world a smaller place, yet the world seems smaller without it.”

This quote reveals the world’s dependence to the internet that without it, information would be limited, up to the extent that educational system may be paralyzed.  But internet, as was mentioned, is not supposed to limit the right of the people who need the internet the same way as everybody else.

 

Ciara Christia P. Infantado

May 7, 2014

Technology and the Law.

 

[1] G.R. No. 127685.  July 23, 1998