Remember the Nokia tagline? Or do you even still remember Nokia at all? Back in my teenage days, this was the leading brand in the mobile market, or so I thought. I remember that back then, cellular sites in our province had a poor signal and we had to go on top of our house just so we could get a good connection. Phone graphics used to be a set of alphanumeric characters. Casing defined your phone and your “backlight” made it cooler.
Much has changed throughout the years. The number of people with mobile devices has grown to the extent that it’s now considered a basic necessity to have a cellular phone. The cell phone has become a status symbol too – Nokia for the poor, Blackberry for the middle class and Samsung and iPhone for the upper class. Today, people go crazy over smartphones, where you can do everything at the tip of your fingers – gaming, movie marathons, mobile internet, video calls and a lot more fascinating stuff that could appear right before your eyes. Then there’s social media. We have access to a variety of networks from a mobile device. The social experience has become effortless with Wi-Fi or LTE. In fact, for some, if not for all, Wi-Fi has become a “requirement” for a place to hang out in. Indeed, the mobile phone has come such a long way that it has changed our definition of what it means to be “connected”.
We owe it all to the internet. The impact of the internet has been just as profound as that of the mobile device on our daily lives. Students are able to learn on a global scale without even leaving their classrooms. Research work has become easy via Google. The internet allows for quicker transmission and exchange of information. But more importantly, people are able to stay in touch wherever they may be.
But despite how far technology has taken humans and no matter how convenient it may make things, there are cons accompanying this level of access. People become less self-reliant and too dependent on technology. Internet users tend to disregard their etiquette online. People find a medium to release their thoughts and emotions over social media – they will post anything they see and tweet everything they feel. Thus, petty fights between friends that could have been resolved by sitting down and talking about it become extreme. Netizens forget to separate what is private and confidential from what they are allowed to share. Ruining someone else’s life has become easier; anyone can be placed before the eyes of the judging public in just a single mouse click.
WITH GREAT POWER COMES GREAT RESPONSIBILITY
True enough, the internet is a powerful means of disseminating information and conducting commerce, but some people use it for a wide range of nefarious activities such as hacking, copyright theft, cyber bullying, prostitution, exploitation, defamatory declarations, and a lot more. Given the amplification and scope of the internet, society is entitled to protection in relation to any online activity. In a sense, this means regulation of the internet.
It has been a global advocacy to provide standard regulation against the abuse of the internet. Debates have ensued all over the world about this issue. It is argued that the internet should be regulated by the government just as much as other venues of media and commerce are. For some, however, allowing the government to do so would mean enabling it to control citizens’ views and, much worse, to suppress their freedom of speech and expression. Some would say it is not possible to regulate the internet as it is international in nature. But the fact that something is difficult to regulate does not mean that it should not be done. This is where cyber law and privacy law come into the picture.
Two laws regulating the internet have been passed in the Philippines – RA 10175 or the Cybercrime Law and RA 10173 or the Data Privacy Act. While the Cybercrime Law has received most of the attention from media and netizens, the Data Privacy Act is not that trendy. If only netizens were aware of it, I believe it would get far more criticism than the Cybercrime Law because it has more far-reaching implications for the internet. The Data Privacy Act is more encompassing in how it regulates the flow of information. It covers data collection, internet privacy, workplace monitoring and other means of disseminating private and sensitive personal information.
DATA PRIVACY ACT OF 2012
The first ever data privacy legislation was signed into law on August 15, 2012 by President Benigno Aquino. It was significantly influenced by Directive 95/46/EC of the European Union and the Asia Pacific Economic Cooperation (APEC) Information Privacy Framework.
Republic Act 10173 or the Data Privacy Act of 2012 aims to protect the fundamental human rights of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communication technology in nation-building and its inherent obligation to ensure that personal information in information and communication systems in the government and in the private sector is secured and protected (Section 2 of RA 10173). It aspires to substantially raise the profile of data privacy and of the data processing business in the Philippines by mandating that all personal information controllers, or persons who control the information of others (defined by this Act as “Data Subject”), comply with the requirements of this Act before any such collecting, holding, processing or use may take place. It created the National Privacy Commission to administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection (Section 7).
This Act applies to the processing of ALL types of personal information and to any natural and juridical person involved in personal information processing, with certain exceptions (Sections 4 and 5), to wit:
- Information relating to the position or functions of the individual
- Information related to the service performed by an individual under a contract for a government institution
- Information relating to any discretionary benefit of a financial nature given by the government to an individual
- Personal information processed for a journalistic, artistic, literary or research purpose
- Information necessary in order to carry out the function of public authority
- Information necessary for banks and other financial institutions to comply with Anti-Money Laundering Act and other applicable laws, and
- Personal information collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions which is being processed in the Philippines
- Information regarding the source of any news report of any publication which was related in confidence to the publisher, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation
This Act protects three (3) types of information: personal information (Sec 3-g), privileged information (Sec 3-k) and sensitive personal information (Sec 3-l). None of the exceptions enumerated above mentions personal information about an individual’s private number or address; thus it falls under those “all” types of personal information covered by this Act as prohibited.
The law further lists the criteria under which processing of personal information is permitted (Section 12). At least one of the following conditions must exist:
- There is consent from the data subject
- The processing of personal information is necessary and is related to the fulfilment of a contract
- The processing is necessary for compliance with legal obligation
- The processing is necessary to protect vitally important interests of the data subject
- The processing is necessary in order to respond to a national emergency
- The processing is necessary for purposes of legitimate interest, except where such interests are overridden by the fundamental rights and freedoms of the data subject
The processing of sensitive personal and privileged information is generally prohibited unless (Section 13):
- The data subject has given his consent and in case of privileged communication, all parties to the exchange have given their consent
- The processing is provided for by existing laws and regulations
- The processing is necessary to protect the life and health of the data subject or another person even without the consent of the data subject
- The processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations, provided it is not transferred to third parties who are not members of the organization
- The processing is necessary for purposes of medical treatment
- The processing is for the protection of lawful rights and interests of natural or legal persons in court proceedings
The unauthorized processing of personal and sensitive personal information is punishable by this Act (Section 25). Punishment is also imposed on any person who, due to negligence, provided access to personal or sensitive personal information without being authorized by this Act or any existing law (Section 26). The improper disposal of personal and sensitive personal information (Section 27), processing for unauthorized purposes (Section 28), intentional breach (Section 29), concealment of security breaches (Section 30), malicious disclosure (Section 31), unauthorized disclosure (Section 32) and a combination or series of the acts mentioned shall be punishable by imprisonment and a fine.
WHAT’S IN IT FOR ME?
The Act is expected to strengthen the country’s booming Information Technology-Business Process Outsourcing (IT-BPO) industry. With the data security provisions, this Act puts in place measures to protect and preserve the integrity, security and confidentiality of personal data collected by government and private entities in their operations, thus attracting more investors and partners. But the Act has been so worded as to govern even ordinary individuals in their everyday errands. For instance, when I post on Facebook that my friend Karen Tom is getting married on October 25, 2013 in L’Orchard, Taytay Rizal, will I be violating RA 10173? Is this the type of personal information that is prohibited by this Act? Based on this Act, personal information refers to ANY information from which the identity of an individual is apparent or can reasonably and directly be ascertained by the entity holding the information. By posting my friend’s name, I clearly identify the data subject, thus the post would fall under personal information. Evidently, it does not meet any of the conditions permitted by law: the data subject has not given her consent and it is not for any legitimate or authorized purpose. Thus, I have already violated the Data Privacy Act. If that is so, there will be a vast number of offenders of this Act online. But isn’t it absurd that such a plain act would make a person liable for a fine or, worse, imprisonment?! It is a well-settled rule in statutory construction that we are not to give a statute a meaning that would lead to absurdities. Where a law appears arbitrary when applied in a particular case because of its peculiar circumstances, the courts are not bound to apply it in slavish obedience to its language.
Setting the internet aside, the Data Privacy Act also covers other mediums of communication like the mobile phone. Did you ever have an experience where you received a text message from a stranger and, when you asked where he got your number, he told you it was given by your common friend? Can you sue the “common friend” for violation of RA 10173? Does the mere act of giving your number to a total stranger fall under “unauthorized processing of personal information”, which gives you a right to pursue legal action? Processing as defined by RA 10173 refers to ANY operation or any set of operations performed upon personal information including, but NOT LIMITED to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. It says “not limited to”, thus the mere act of giving falls under the term processing as herein defined. Then we will have to look into the reason why such information was given. If the information has been shared for any of the purposes allowed under Sections 12 and 13 of this Act, then the processing of the personal information is lawful. But when it is merely for personal use, then it is a prohibited disclosure of personal information. Thus, in the given case, I could sue the “common friend” for violation of RA 10173 since he gave my number without my consent to a total stranger with no lawful purpose. What if it was given to a long lost friend or acquaintance or someone you wish to be connected with but couldn’t because you don’t have the information? Will the case be different? Wouldn’t you be glad if that common friend gave your number to the long lost friend even without having to ask you first? Will that be an exception since in the first place you know the person to whom the information was given? The Data Privacy Act did not qualify. Ubi lex non distinguit, nec nos distinguere debemus.
Where the law does not make any exception, then we should not except something therefrom. Put another way, where the law does not distinguish, then we should not distinguish. Thus, regardless of whether or not the receiver of the information is a stranger to you, the act of giving personal information without your consent, and not under any of the conditions allowed by law, is unauthorized processing of information and is therefore punishable under this Act.
How about credit card companies? Have you ever received a phone call from credit card agents offering you their product or persuading you to avail of it? Credit card companies have a database containing personal information of users. Say I have a Citibank Card but Standard Chartered calls me to offer their products. Where or from whom did Standard Chartered get my number when I didn’t sign up for any application with them? Does that give me a legal right to pursue an action against the giver or the credit card companies who maintain such a database? Or would they fall under the condition “for the purpose of the legitimate interests pursued by the personal information controller” and thus be allowed? Frankly speaking, those agents could be really annoying if they keep calling you every now and then. And if I were to challenge this Act, I would love to sue them for violation of RA 10173!
Seriously, I could cite more instances where the processing of personal and sensitive personal information in our daily lives could violate the Data Privacy Act. But would they really fall under the prohibition? The elementary rule in statutory construction is that when the words and phrases of a statute are clear and unequivocal, apply Verba Legis – their meaning must be determined from the language employed and the statute must be taken to mean exactly what it says. The basic premise of the Act is that there must be consent and the data subject must at least be aware that the information pertaining to him has been processed. This Act demands that there must be consent. But we have to bear in mind that not everyone can give valid consent. Minors, as a general rule, cannot give knowing consent. According to our Civil Code, consent given by a minor is voidable, meaning it is valid until annulled. Consequently, when you give the number of a minor with no lawful purpose and she consented to it, such consent is voidable and could therefore be annulled by the guardian or by herself when she reaches the age of majority.
Even assuming arguendo that the act of giving someone’s number without his consent is a violation of the Data Privacy Act, a problem would arise as to its implementation. What proof will satisfy the court that the unauthorized person really provided the information? Consent according to this Act should be evidenced by written, electronic or recorded means. So if I personally or verbally dictate someone’s number, I could contest that there is no evidence to prove that I violated this Act. Furthermore, it would open the floodgates to fraud. If I have an enemy, I could easily buy a new SIM card and then text someone and give my enemy’s name as the source. Then he could be punished under this Act in an instant. Is a text message, being electronic, sufficient evidence?
The Data Privacy Act allows the dissemination of personal, sensitive personal and privileged information even without the consent of the data subject, if it falls under the conditions enumerated by this Act. The enumeration is exclusive. Expressio unius est exclusio alterius. If the statute enumerates the things upon which it is to operate, everything else must necessarily, and by implication, be excluded. The Data Privacy Act enumerates those conditions and situations where the processing of personal, sensitive personal and privileged information is allowed. Beyond those conditions, there is a violation. And we have seen from the scenarios I presented above that there will be many instances in our daily lives where we have violated this Act. Then we ought to be punished. But is that really the intent of the law?
The intent of the law is the spirit which gives life to a legislative enactment. The cardinal rule in the interpretation of all laws is to ascertain and give effect to the intent of the law. The spirit or the intention of the statute prevails over the letter thereof. Thus, to address the issue of the intent of this Act, we may need to refer to its history or to the law on which this Act was founded. As already mentioned, this Act was significantly influenced by Directive 95/46/EC of the European Union and the APEC Information Privacy Framework. This Act was reportedly pushed by members of the business outsourcing community in order to protect the privacy of their clients. Thus, it was designed to protect information and communication systems in the government and private sector. It was enacted to usher in an IT revolution in the country. It mainly caters to IT businesses or organizations, whether in the government or private sector, to provide security measures and protocols in the regulation of information obtained from their line of work.
Article 10 of the Civil Code of the Philippines provides that “In case of doubt in the interpretation or application of laws, it is presumed that the lawmaking body intended right and justice to prevail”. Conscience and equity should always be considered in determining the intention of a statute. A case where someone has to go to prison for the mere act of giving someone else’s number without the data subject’s consent, and not under any of the purposes enumerated, is mischievous and unconscionable.
WHAT THE FUTURE HOLDS
Privacy law is a dynamic and, in the Philippines, largely unexplored field of legal practice. Truly, there are varying perspectives on this Act, but I think it is yet to be proven; it is too early to determine its pros and cons since it has just been approved. At this stage, proper implementation is crucial. The burden lies with the government, which is responsible for applying the intent of this Act in order to attain its aspirations of growth and promote innovation for the purpose of nation-building. But it is our duty as clever citizens in this digital age to choose wisely what to share, where we choose to share it and why we choose to keep it public. Keep in mind that our freedom of expression and speech is not absolute; it has its limitations. Let us be mindful of our limitations.
“Keep your mouth shut and people will never know just how ignorant you are. Open it and you remove all doubt”