“Gray Areas in Republic Act 10173: The Data Privacy Act of 2012”

by encinasnice

The Right to Privacy

 Privacy, as defined in Wikipedia, is the ability of an individual or group to seclude themselves of information about themselves and thereby express them selectively. The word was derived from the Latin word privo which means “to deprive”. [1] Simply put, it’s the right of a person to completely control the disclosure of any information which pertains to them and protect themselves from any unlawful or unjust encroachment of such. The Right to Privacy is a fundamental human right recognized in the UN Declaration of Human Rights as explicitly stated on the Universal Declaration of Human Rights under Art. 12 thereof;

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”[2]

In the Philippines, the recognition of every person’s right to privacy is embodied in Art. III Bill of Rights, Sec. 3 of the 1987 Constitution, which states;

“The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.”[3]

As apparent with the above cited laws which both affirms the importance of a person’s right to privacy and recognizes the same as a basic human right which every individual is entitled to and cannot be deprived thereof without just cause, the protection and preservation by the State of the person’s right to privacy along with the accompanying rights directly or indirectly connected thereto, is of utmost necessity for the preservation of every citizen’s dignity as a human being. Various international agreements, foreign laws, treaties, have been promulgated to safeguard and ensure that this fundamental right will not be violated. However, at the advent of the technological age, and the inevitable use of technology in human communication and transactions, it’s becoming more and more challenging to guarantee the protection of the right to privacy since various technological advancement, the Internet most particularly, has opened countless avenues for information or data to be distributed largely to an undeterminable number of people all over the world wide web, and synonymously, the whole world. These avenues, where information are readily available for everyone regardless of content, has posed a great threat to the effectiveness of the duly established laws for the protection of the right to privacy. There have been many instances where various breaches on the right to privacy have been blatantly made through the use of these technologies, had remained unpunished for either there were no laws promulgated that contemplates of the possibility of such breach or the old established law against breach of privacy cannot be made applicable to the particular circumstances of those cases. Thus, to answer to the call of times, there have been countless new laws that have been promulgated by different States all over the world, which particularly applies for the protection of a person’s right to his privacy in the age of information technology.

The Data Privacy Act of 2012

In the Philippines, the legislature had also recognized the necessity of promulgating these new statutes that would be applicable to the changing needs of times. To ensure that the age-old and long standing fundamental right of a person to his privacy is to remain protected, the Philippines have adopted its first data privacy law, Republic Act No. 10173, or the Data Privacy Act of 2012. It’s intended to protect the integrity and security of personal data in both private and public sectors. Prior to the promulgation of the Act, there was no law in the Philippines that deals unambiguously with the issue of personal data privacy. Although the Philippine Constitution and various Philippine jurisprudence recognizes and protects a person’s right to privacy, they only safeguard the right of a person’s privacy and the protection of personal information in a general manner. They do not directly address the issue of data privacy and are insufficient if not, inapplicable in addressing head on the various issues and dangers posed on personal data privacy. There was also an absence of a government agency that oversees the protection of these personal data. Therefore, the promulgation of the Data Privacy Act of 2012 is considered as a huge leap made by the Philippines towards the integration of the law with technology, and the fortification of the privacy of a person’s personal information. It’s also been said to bring the Philippines up to par with international standards of data protection.

Republic Act 10173 is a new law that has only been in effect for a little more than a year. As previously mentioned, it is the pioneer law in the Philippines which directly addresses the issues of data privacy, there is bound to be some gray areas or unclearly defined portions of this relatively new law that would raise questions as to its applicability to various situations or circumstances that relates to the issues and protection of personal data privacy of Filipino Citizens in general. This blog aims to provide and tackle those possible situational gray areas of this particular Act. To start this off, a brief background about this law, additional to what I have previously provided above, is necessary to further have a clear comprehension of this particular legislation, imperious to understanding its use or application. The Data Privacy Act of 2012 is an act protecting individual personal information and communications systems in the government and the private sector. Its scope, as found on Section 4 of this Act, covers,

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines. [4]

The coverage of its application can be subdivided into two parts. First, the processing of all types of personal information and second, it applies to any natural and juridical persons involved in personal information processing including those personal information controllers and processors, who although not found in the Philippines use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines provided that the requirements under Section 5 of the same Act, which affords protection to for publishers, editors, or duly accredited reporters of any periodicals of general circulation, from being compelled to reveal the source of any news report or information appearing in said publication which was related in confidence to such publisher, editor, or reporter, is complied with. Along with its scope, the Act also expressly enumerated those items of information to which the Act would not be applicable. Under again on Section 4 thereof;

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.[5]

Situational Gray Areas        

Going back to its scope, the act applies to any natural and juridical persons involved in processing of all types of personal information. Personal information as defined in this Act, refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. [6] The act has provided such a broad definition of personal information, that it raises numerous questions as to what exactly are the different and specific types of information that the law contemplates as information that will be protected under this particular Act. One prime example is a person’s cellular phone number. If we consider the nature of a person’s specific cellular number, it is to something that is personal to the user or the subscriber, unequivocally, it can be said that it is a form or material of information that could directly and certainly identify an individual, thus, falling within the definition provided by the RA 10173 on personal information. It being a personal information, and not being under any of the exceptions provided by the same act thereby making it within the scope of the law, a question is now raised on whether or not an unauthorized disclosure or a mere giving away of a person’s number by another to another individual or a third party constitutes a violation of the cellphone number owner’s right to privacy? Can an individual, relying on the provisions of RA10173, take appropriate legal action against the person who disclosed his cellular number to a third party?    We have established that a person’s cellular number is personal information, does it also automatically mean that the individual who gave away the cellular number of another will be considered as a personal information controller, as defined under Section 2(h) of RA 10173 as “a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. “[7] thereby given appropriate responsibility as to the transmission of another person’s personal information and is subject to the provisions of the Act regarding the disclosure of the same ? The answer to this can be qualified since the law provided for the exception to the term. It excludes those persons or organization that performs functions that are instructed by another person or organization, and those individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affair. [8] As can be taken from these exclusions, a logical interpretation regarding this issue can be made, that the disclosure of an individual’s cellphone number by another will not be a violation of the right to data privacy of the former if the latter has processed the information with regards or in connection with individual’s personal, family and household affair. If that’s the case now, then how about the practice of telecommunications companies in the Philippines of divulging the phone numbers of their post-paid subscribers to various sellers or profit oriented establishments for marketing purposes of the latter. As a post-paid subscriber myself, I often receive these products or services marketing through text in my post-paid account, something that I don’t experience or receive in my pre-paid cellular number. It’s clear then the disclosure or processing of post-paid subscribers cellular numbers information without the consent of the subscribers, are not for the allowed personal uses of information but rather for commercial purposes, wouldn’t that constitute now as a violation of RA 10173 by telecommunications companies? Unfortunately, there has yet to be a jurisprudence nor any decisions made by the judiciary that would settle once and for all these questions regarding the applicability of RA 10173 on this particular issue.

            Section 13 of RA 10173 provides for the guidelines in the proper processing of sensitive personal information and Privileged information, it expressly states that the processing of information under those categories shall be prohibited, except in cases where; (a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing; (b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information; (c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing; (d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing; (e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or (f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority. [9]Sensitive information under Sec 3 (i) of RA 10173 refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

As expressly stated under item A of Section 13, the consent of the data subject, specific to the purpose must be given before sensitive information pertaining to the data subject is processed. Consent of the subject is defined under Sec. 3 (b) of the same act as referring to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. It shall be evidenced by written, electronic or recorded means, and may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.[10] Now, let us consider a scenario or situation where a person, from here on to be referred to as A, posted on his twitter account about him being a member of a church organization, and B, one of his followers, retweeted to his own set of followers that particular tweet which contained or reveals the detail regarding A’s religious affiliation, an information which is considered under RA 10173 as sensitive information. Does this act of B already constitute a violation of the law since he failed to ask the consent of A if he could retweet or technically, rebroadcast the tweet which contains sensitive information? If we follow the strict and literal interpretation of the law, then B will be guilty of breaching the Data Privacy Act since he shared publicly, sensitive information pertaining to A without the consent of the latter. However, wouldn’t it be just absurd if B would be penalized under those circumstances?

Conclusion

            The pioneer law in the Philippines on data privacy, or RA 10173, is not without flaw, one of the main criticisms it has received is how vague and broad the wordings of the Act are, which makes it harder to ascertain its coverage and applicability thereby making it more susceptible to misinterpretation and misapplication. The Philippine legal system still has a long way to go when it comes to ensuring that its people right to privacy is safeguarded even in the age of technological revolution, where it has become increasingly rougher to protect this fundamental right because of the availability of technological systems which allows for rapid exchanges of data or information between persons and other entities Thus, it is my hope that this act pertaining to data privacy rights of Filipino citizens and those other individual or entities expressly provided therein, is to be more developed in the upcoming years and further legislation pertaining to data privacy will be promulgated by the legislature to guarantee that every citizen cannot be denied of this imperative human right, for the preservation of both the State and its people’s integrity.

[1] http://en.wikipedia.org/wiki/Privacy#History_of_privacy

[2]UN General Assembly, Universal Declaration of Human Rights, 10 December 1948, Art 12

[3] 1987 Philippine Constitution, Article III, Section III.

[4] RA 10173 Data Privacy Act. Sec. 4

[5] RA 10173 Data Privacy Act. Sec. 4

[6] RA 10173 Data Privacy Act. Sec. 3(g)

[7] RA 10173 Data Privacy Act. Sec. 3(h)

[9] RA 10173 Data Privacy Act. Sec. 3(i)

[10] RA 10173 Data Privacy Act. Sec. 3(b)