Data Privacy Act and its Grey Areas

 

Background

What is privacy? As defined by Merriam-Webster Dictionary “Privacy is the quality or state of being apart from company or observation; the freedom from unauthorized intrusion.” The right to privacy nowadays seems to be farfetched due to the technological advances we have compared to the time when the 1987 Constitution was enacted.

In the case of Ople vs Torres, “The right to privacy is one of the most threatened rights of man living in a mass society. The threats emanate from various sources – governments, journalists, employers, social scientists, etc”.[1] Although this seems to be the case, the right to privacy has long been protected and recognized under Philippine laws most notably in the Bill of Rights of the 1987 Constitution which provides:

“Sec. 1 No person shall be deprived of life, liberty or property without due process of law, nor shall any persons be denied the equal protection of laws”.

“Sec. 2 The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized”.

“Sec. 3 (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law”.[2]

Aside from the Constitution, it also finds support in the Civil Code which provides that “every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons.” It punishes acts of prying unto the privacy of another’s residence, meddling with or disturbing the private life or family relations of another.[3]

On a similar note, the Revised Penal Code punishes any private individual who in order to discover the secrets of another, shall seize his papers or letters and reveal the contents.[4]

Republic Act 10173 or The Data Privacy Act of 2012

To further bolster our right to privacy and to be up-to-date with the current trend of technology advancement, the Government created R.A. 10173 otherwise known as The Data Privacy Act of 2012. Its policy aims to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth and to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.[5] This has been enacted to supplement and fill the gap of our existing laws related to privacy.

Scope

The Data Privacy Act of 2012 applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9610. as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.[6]

Based on the scope, it may seem to lack transparency because Sec. 4 (a), (b) and (c) of this Act. seems to afford alleged ‘corrupt’ government officials the protection they need.

Dubious Provisions of the R.A. 10173

The Data Privacy Act of 2012 have consequences regarding the right to privacy. In my opinion, the following provisions give rise to gray areas and may subject the RA 10173 to abuse:

“Sec. 5 Protection Afforded to Journalists and Their Sources – Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or report”.[7]

Based on Sec. 5, it benefits the media but on a closer look this would also considered to be prone to abuse. It can be used to cloak or protect their true intent in reporting false information that may even lead to extortion. As the law states, the media may not be compelled to disclose the personal information of their source for they can easily invoke Sec. 5 of RA 10173.

“Sec. 8 Confidentiality – The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession”.[8]

For this part, this provision is too vague. It does not state how the Commission will be able to ensure and safeguard the confidentiality of any personal information that it comes to its possession.

Another provision that caught my attention is Sec. 11 of RA 10173 which states:

Personal information must, be:

“(a) Collected for specified and legitimate purpose determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared and legitimate purposes only”;

“(d) Adequate and not excessive in relation to the purposes for which they are collected and processed”[9]

From what I’ve understood from these two (2) cited provisions above, is that the collection of personal information may be done before or after the purpose for such collection has been determined. This would give rise for the possibility of mishandling personal information. Further, what is the basis for the adequacy of collecting personal information in relation to the purpose for which it is collected. Does it give the discretion on the part of the personal information collector to decide its adequacy?

In addition, under Sec. 14 Subcontract of Personal Information it provides that: “A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws”.[10]

With regards to Sec. 14, if the personal information controller subcontracts the processing of personal information, is the consent of the data subject necessary? Can the personal information controller forego to disclose that the personal information of the data subject is being processed by another entity? As this questions were not answered by the provisions of R.A. 10173. It is quite unclear whether it would violate the data subject’s right to privacy because as long as the personal information controller was able to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and was able to comply with the requirements of the Act and other laws for processing personal information it cannot be held liable.

Further, under the Rights of the Data Subject, Sec. 16 provides: The data subject is entitled to:

(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(c) Reasonable access to, upon demand, the following:

(3) Names and addresses of recipients of the personal information;[11]

Under the provisions mentioned above, is it necessary for the personal information controller to get the consent of the recipients that the their names and addresses are to be disclosed to the data subject? Would this be a violation of the recipients right to privacy if the personal information controller gave the data subject their information without their consent or prior approval?

In its Definitions of Terms, Sec. 3 provides:

(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

(i) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.[12]

My issue with these two provisions is about an individual’s phone number. Although it is contentious that a mobile or phone number is not within the ambit of personal information considering it is just a mere data. My take on this is that it has to be considered as personal information because it can identify an individual’s identity. The identity of the data subject can be directly ascertained by the entity holding such information.

Conclusion

Looking closely at Republic Act No. 10173 or the Data Privacy Act it seems to lack the teeth the lawmakers intended it would have. As some of its provision are vague, others lacks further description to make the law more understandable.

Although it is not a perfect law, there is an effort on the part of the Government to supplement existing laws to further strengthen and protect our rights to privacy. The Supreme Court has the responsibility to ease such vagueness in interpreting the law.

On a final note, we should make it a habit to be vigilant before giving out any personal information for it is within our control. We should know our rights as data subjects and be inquisitive on how and to what extent/purpose our information is being used.

Sources [1] Ople vs Torres G.R. No. 127685, July 23, 1998

[2] 1987 Philippine Constitution

[3] Art. 26, Civil Code

[4] Art. 290, Revised Penal Code

[5] Republic Act No. 10173 otherwise known as the Data Privacy Act of 2012

[6] Supra

[7] Supra

[8] Supra

[9] Supra

[10] Supra

[11] Supra

[12] Supra

Advertisements
Standard

One thought on “Data Privacy Act and its Grey Areas

  1. Pingback: Students’ Take: MCPIF (SB 53), Data Privacy Act (RA 10173) | Berne Guerrero

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s