Situational Gray Areas of R.A 10173, Data Privacy Act
Technology has been progressing as time passes by. The emergence of technologies has contributed to the growth and innovations of a certain country. Here in the Philippines, one can see the improvements of technologies that are used in everyday living. For instance, we have what we call CCTVs for a certain business, for transportation, for protection property against villains, for surveillance and the like. We have what we call WIFI connections so that one could have access to the internet even if one is in the bus, in the coffee shop, or in the school for faster research work.
The use of social network sites has been rampant. People devote their time browsing the net to gain information. Information may be gathered to the internet, or a friend, to a colleague, to the television and the like. In spite of this, the use of information can be a positive point or a negative point. Information is power. If there is power, there is money. Information can be converted to money.[i]But what happens when one maliciously uses these technologies to malign people, to abuse the rights of the people, to hurt people, to oppress people, to stalk people?
What happens when one gains an access of personal information of someone who does not want to make it known to the public or who does not want to consent to? In connection with this, there is a law providing for the protection of personal information. Thus, R.A. 10173[ii], AN ACT PROTECTING PERONSAL INFORMATION IN INFORMATON AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES was passed last July 25, 2011 for the protection of fundamental right of privacy, as well as of communication to promote innovation and growth and it took effect on August 15, 2012. This law is intended for the interest of the government sector and private sector. Thus, there is a need to understand this law. The Congress has taken steps to ensure that personal information should be safeguarded against anomalies Thus, one has to keep himself abreast of the issues that are present especially this law that the researcher-writer is tackling right now.
In reading R.A. 10173, one will realize the immensity and profundity of this work. The researcher-writer really needs to immerse himself in order to clearly understand the richness of this work. This article is made not to criticize the Congress for doing this act. This is to enlighten and to improve the said law in order to protect the personal information of someone as well as to give insights regarding the said law.As a result of this, the researcher-writer will be providing for the situational gray areas of R.A 10173.
The question is, may a cracker be considered liable and be penalized for unauthorized access or intentional breach even if he is in good faith for the protection of national interest and government sector as well as private sector?
The law does not even give any definition who a cracker is and a hacker is. The researcher-writer deems it best that a hacker and a cracker should be distinguished for the purpose of clarity. In simplest manner, a hacker is a bad person who maligns and uses his skill in an evil manner while a cracker is the counterpart of hacker. A cracker uses his expertise to protect the person and to uphold confidentiality insofar as personal information is concerned. For instance, a cracker has done unauthorized access or has done intentional breach; will he still be penalized under the said law? The law should have expounded more of the persons. This can be gleaned from sec. 12[iii] of the said law. Thus a cracker should not be liable for any unauthorized access or intentional breach since his act passes the criteria for lawfully processing personal information which is permitted by the said law.
Another gray area is sec. 4[iv]. This provides for the scope of the said law. The law provides that this Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines. But the question is, what if the person involved in personal information processing uses eguipments that are not located in the Philippines? The scope of the act does not cover it. Thus, one can clearly say that the Act has its weakness; therefore, this must be acted upon by the authorities. The thing that needs to be done is to put salt on the wound.
The law provides in sec. 27[v] that a person may be penalized if one disposes, discards, abandons the personal information in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection. In connection with this, may the garbage collector be held liable if he abandons the garbage or trash? Since the law states that a person may be penalized for abandoning personal information, then, the garbage collector may be penalized for abandoning the said trash if he fails to get the trash or garbage. The law particularly, sec. 27 should have explained articulately regarding the said law. But the questionis, how is the proper way of disposing the personal information of an individual? The said law does not provide for the proper disposal of a personal information.
Another gray area is regarding sec. 3 (b)[vi]. It states that consent shall be freely given, evidenced in writing, electronic or recorded means. What if the said written authorization is forged or falsified? How can the personal information controller know that the written authorization is not forged or falsified? How can he know that the said information is genuine document Thus, there will be a violation of right to privacy if a personal information is transmitted from a certain person to another. Article 3, sec. 3 of the 1987 Constitution provides that the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as provided by law. But how can an individual be assured that his personal information is protected if this is the case? Therefore, personal information cannot be secured if this will be the case. As a result there can be no consent freely given by a person or data subject. There will be intrusions of privacy. If there is no consent, then it is against his will. The right to be left alone is at risk.
Another big question relevant to this topic is, what is a personal information? The law provides:
“Sec. 3 (g).Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”
The law also provides what a sensitive personal information is, to wit:
Sec. 3, (l).Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
If personal information and sensitive personal information will be at the hands of the authorities, how can one be assured of that the said information be protected against anomalies? What happens when the personal information controller does not notify the data subject that he has given the said personal information and sensitive personal information? Can one easily prove that a personal information controller has violated the giving of personal information and sensitive personal information? It is really hard to prove that a personal information controller has divulged or violated the giving of a personal information or sensitive personal information.
What if an individual is a close friend of the personal information processor and the close friend would like to get the personal information as well as the sensitive personal information of his enemy? If the personal information processor is given the power to keep the records or documents which are considered personal information or sensitive personal information, then the law is giving them the power to know the all the facts and information of a certain person.
What is the difference between personal information and sensitive personal information? Why did the authorities need to distinguish them? What is the purpose of distinguishing them? Is it not that an information regarding race, religion, health or life is also called personal information? The law should have merged them so that there may be only one and to prevent any confusion or absurdity of the said law. The law must also ensure compliance of confidentiality about the personal information and sensitive personal information.
Another gray area is sec. 17.[vii]. How can the personal information processor seize the personal information for being passed to another if the purpose of the said information has been fulfilled or accomplished? How can one stop the individual from transmitting the personal information to another person? This shows that the intrusion of the right to privacy is clearly violated. How can the Commission maintain the principle of confidentiality under sec. 8 which provides that the Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.
Personal information cannot be protected if this will be the case because those who got the information may have the capacity of spreading the information other than the intended purpose of the said information. If this will be the case, then intrusion of privacy will be rampant. The personal information cannot be protected. Thus, there will be rampant unauthorized usage of personal information or sensitive personal information.
Another gray area is sec. 12 (a)[viii]. How can one be assured that a data subject has really given his consent? What if the data subject is induced by someone? What if the data subject is compelled by someone? The protection of privacy can be easily violated. How can the data information processor know that the individual is not forced or compelled to get his personal information? The data information processor can be easily deceived if this will be the case. Moreover, the data subject can be also deceived by another individual. It is easy to induce a person to give their personal information. The person inducing the data subject can easily have an access of the personal information? This shows that sec. 12 of the said lacks the criteria for lawful processing of personal information.
The same thing is true with sec. 9 which provides that the Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their duties. However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors. What happens when a Privacy Commissioner or when a Deputy Commissioner is induced by a person? Will they be considered liable for their actions? The answer is in the negative because they were compelled to do things which are beyond their control however, they must be be able to prove it to the court that they are not really guilty beyond reasonable ground.
Another gray area is sec. 23 (b) (1).[ix] This talks about the deadline for approval or disapproval. It states that in case there is no action by the head of the agency, then such request is considered disapproved. This runs counter the responsibility mandated to the National Privacy Commission which provides, to wit:
Sec.7. (a) Ensure compliance of personal information controllers with the provisions of this Act;
(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;
(k) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;
(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;
(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;
(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and
(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.
Therefore, the law must provide that there must be a notice whether or not an access by agency personnel to sensitive personal formation is approved or disapproved. The National Privacy Commisson must provide due diligence in doing their duties and responsibilities because they carry in them a noble task. Besides, the purpose of the said law is to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
How can they serve the country if they cannot serve the needs of the people? Thus, there must be a notice that such is approved or disapproved. By knowing the notice, people may be able to know that status of their appeal. This is one way of providing due diligence so that they can really serve the government sector and the private sector. This is also necessary to perform their duties and responsibilities well so much that by providing notice, people may have an idea that their
It is a fact that the law adapts to the society. The law now may not be applicable in the future. One thing is for sure. The past is there for us to learn from them. The present is there for us to live and imbibe the law. The future is there for us to anticipate it. As technology progresses, the law will also continue progressing as time passes by. But one has to take into consideration that although the law may be harsh, it is still the law. Dura lex sed lex. A hard law is law.
The Congress really gives its time and effort in protecting the rights of personal information in so far as the government sector and private sector is concerned. This goes to say that the law will be in its flying colors. The law is made for man, not that man is made for law.
With the advancement of technology, one can easily get an individual’s personal information or sensitive personal information if he does not render it with personal care. Another thing is that one must think first if the person wanting to get the personal information of someone would really handle it with care. The data information processor may be liable or penalized if he does not give or provide due diligence.
Quoting the case of Tanada v. Tuvera[x], Laws must come out in the open in the clear light of the sun instead of skulking in the shadows with their dark, deep secrets. Mysterious pronouncements and rumoured rules cannot be recognized as binding unless their existence and contents are confirmed by a valid publication intended to make full disclosure and give paper notice to the people. The furtive law is like a scabbarded saber that cannot feint, parry or cut unless the naked blade is drawn.
[i] Atty. Berne Guerrero, in his lecture notes delivered to the law students at the Arellano University School of Law last May 6, 20a14.
[ii] http://www.gov.ph/2012/08/15/republic-act-no-10173/.(Last accessed,May 5,2014).
[iii] Sec. 12, (e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate;
[iv]This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
[v]Sec. 27. Improper Disposal of Personal Information and Sensitive Personal Information. – (a) The improper disposal of personal information shall be penalized by imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
b) The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
[vi]Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
[vii]Sec. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.
[viii]Sec. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
[ix] SEC. 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information. – (a) On-site and Online Access – Except as may be allowed through guidelines to be issued by the Commission, no employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency.
(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive personal information maintained by an agency may not be transported or accessed from a location off government property unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the following guidelines:
(1) Deadline for Approval or Disapproval – In the case of any request submitted to the head of an agency, such head of the agency shall approve or disapprove the request within two (2) business days after the date of submission of the request. In case there is no action by the head of the agency, then such request is considered disapproved;
[x]146 SCRA 446.