Aquino, Ma. Carolina

SY 2012-2013, Second Semester


Impact of the Data Privacy Act

Section 5 of our Constitution provides:

“The maintenance of peace and order, the protection of life, liberty, and property, and promotion of the general welfare are essential for the enjoyment by all the people of the blessings of democracy.”

Section 1. of the Bill of Rights under the Constitution provides:

“No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.”

We as individuals have the right to keep even the most general facts known to a numerous people known to us be kept in secret from others. Even our real name is not something that we want to be known by all the people we interact with.

If ten years ago, a person attracted to you may get your contact number from a phone directory using a school book to get your identity, today, with the use of a computer system, such information and even a lot more than that could be obtained by one click from the web.

Three years ago, I got a phonecall asking me if I were interested to acquire a discount card from certain shops. He confirmed some information from me and I was shocked to hear him enumerate such information. I asked my caller where he had obtained those data and he answered that they came from their database.

A number of complaints arises from telecommunications companies for making unsolicited telephone calls to individuals who do not wish to receive marketing calls.

Personally, I do not like my personal information to be available to every person who feels that he or she has an obligation whether personal, official, financial to transact with me.

Although, there are times when it is convenient knowing that information are just within your reach, but I only consider it advantageous when I get benefited by it. Like when I get interested to a guy who happens to be someone I have no knowledge of. What I do is, click on his name on the web and when I get lucky, I could even get information about that guy’s family. I could even checked out the guy’s background, if he is from a family of criminals or politicians.

Going to social networks have its advantages too. By just looking at a guy’s profile, you could easily get his personal information and even identify if he is a discrete gay.

But most of the time, though, having your personal data taken by others without your knowledge is really exasperating.

My uncle got a call from a person claiming to be an agent of a certain company. This agent informed my uncle that he just won a prize of a car and asked confirmation on some information. My uncle, believing of his luck in winning a car went to Subic, Zambales to claim it. Only to realize that he was deceived by the caller. Of course, he was not able to locate the prank caller to get some retributions.

This is just one of the numerous problems being encountered with the electronic system in data storage and processing that is widely used today.

Our government, even with the new laws being passed and implemented for privacy protection cannot give us assurance that our personal information will be secured from mishandling or misuse. We don’t even know when interference in our private life by others come in. Spread of personal data goes through the circuit and reaches to all parts of the world. Violations of our private life occur countlessly everyday that they even become part of our daily transactions.

The management of our personal information, although required by law for some legal purposes, alarms us when a private entity is tasked to do it in behalf of the government.

The following are cases filed before the foreign courts on issues related to violations of data privacy law:

Google was penalized to pay $22.5million to the Federal Trade Commission (FTC) after the erroneous statements Google made in its online privacy statement including a false information of tracking cookies which was not corrected by the said company . It is the second time that FTC has ordered data privacy violation by the said company. This is just an example of how the US government is in implementing its data protection regulations, and it is planning to push through tougher laws on privacy protection (Google Case Exposes Weak US Data Privacy Laws. http://www.spiegel.de/international/europe/americans-may-have-to-wait-for-europe-for-better-data-protection-a-849372.html).

A class action lawsuit was filed against Facebook for violating privacy right of users by displaying ads with users’ “names, photographs, likenesses and identities” and by clicking a “Like” button, a user would be automatically associated with the ad campaign without compensation and without his consent.

Proposed settlements have been filed before the court which has not decided rendered its decision yet due to the complexity in the issues involved, including how much each of the 125 million class members would get evenly from the settled amount. (Facebook Tries to Settle ‘Sponsored Stories’ Class Action . . . Again. October 23, 2012. http://www.adlawbyrequest.com/articles/data-privacy/)

In the United Kingdom, there was a case wherein employees in the childcare litigation unit accidentally sent through a fax machine information on a case regarding child sex abuse to wrong recipients who are members of the public. Personal data were included in the misspent information. The county council was fined by the Information Commissioner for data protection breaches (BBC News UK, Data Protection Act fines issued by commissioner, November 24, 2010. http://www.bbc.co.uk/news/uk-11821203)

A woman whose name and address were disclosed by the Department of Social and Family Affairs (DSFA) to the Market Research Bureau of Ireland (MRBI) when a representative of the MRBI went to her home to interview her complained of a breach of the Data Protection Act 1988 for giving out her data without her prior consent. In the course of the investigation, it was confirmed that MRBI was commissioned by the DSFA to make survey under an agreement that data provided in interviews would be protected and would not be disclosed by the Department. Section 2(5) of the Data Protection Act of 1988 provides that the Department is not prohibited to use personal data to conduct its research even without the data subject not being informed in advance, provided that no individual would be prejudiced. (“Department of Social and Family Affairs market research survey on customer satisfaction by an agency did not breach Data Protection provisions”. http://www.dataprotection.ie/viewdoc.asp?DocID=109)

In response to those rampant misuse of private data, national laws protecting the integrity, transfers, restrictions, requirements and outsourcing arrangements have been issued to ensure that the government and private companies comply with the strict requirements of the law.

The office of the Data Protection Commissioner of Ireland is one of the international organizations which is very committed in carrying out its mandates in protecting personal privacy of individuals. It gives short outlines of individual’s rights under the Data Protection Acts and gives a summary of procedures in filing complaints and the sequence of events involved in the investigation. It also shows online the cases filed before it and the decisions rendered. (Data Protection Commissioner. http://www.dataprotection.ie)

The National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce is drafting the Mobile Application Transparency Code of Conduct which covers best privacy practices in using the mobile system.

The following issues were considered in the latest draft:

  • scope of Mobile Devices
  • type of data to be covered
  • Whether to subject third-party service providers to the Code
  • Whether to require mobile app providers to provide a “Short Notice” in addition to other Notice
  • elements to be included in the Notice
  • Whether to require the companies to establish a mechanism for consumers to access data (Privacy Stakeholders Meet Again Over Mobile Privacy Best Practices. December 3, 2012. http://www.adlawbyrequest.com/articles/data-privacy/)

The Data Protection Authority of the German Federal State of Schleswig-Holstein (the Unabhaengiges Zentrum fuer Datenschutz Schleswig-Holstein – “ULD”) recently published on its web site a white paper that covers data privacy aspects of Cloud Computing. The German Data Protection Act (Bundesdatenschutzgesetz – “BDSG”) implements the EU Data Protection Directive. Regardless of whether the Cloud Computing provider is located inside or outside of the European Union, the ULD demands that companies using Cloud Computing services must take adequate measures to safeguard the integrity and security of the personal data processed. For example, companies must include contractual provisions with Cloud Computing service providers in accordance with the criteria for data controller/data processor relationships (Auftragsdatenverarbeitung) set forth in Section 11 BDSG – regardless of the location of the Cloud Computing provider or the services.(Germany: Cloud Computing May Violate German Data Privacy Laws. July 23, 2012. http://www.mondaq.com/article.asp?articleid=105920).

All European Union (EU) member states and companies therein must comply with the European Data Protection Directive 1995 which protects individuals of their right to the secured processing and free flowing of personal data. It is conveyed in the directive that it is “generally regarded as legal to hold and use data on individuals for marketing purposes if the data was in the public domain or if data subjects were informed of purpose of data collection and did not object to possibility of direct marketing.” Under the directive, individuals could also access their personal data, request corrections and object to direct marketing. (Marketing and data protection legislation. http://en.wikipedia.org/wiki/Marketing_and_data_protection_legislation)

In Asia, current changes have been introduced to data protection laws:

South Korea — The new Protection of Personal Information Act (PPIA) came into force on 30 September 2011 in South Korea. The new PPIA is not a consolidation of all existing relevant data privacy laws in South Korea but will co-exist with pre-existing data privacy laws such as the Act on Promotion of Information and Communication Network Utilization and Information Protection which protects the privacy of personal data obtained by information communication service providers.

Taiwan — The new Personal Data Protection Act (Act) was enacted in 2010 and is expected to come into force in 2012 when the Enforcement Rules necessary for operation of some sections are passed by the Executive. The Act is comprehensive, applies to both the public and private sectors and is more extensive than the previous act which applied only to the private sector. The revised Act still has no oversight body and does not create a data protection authority. Enforcement of the Act is left to the Ministries responsible for each industry sector.

India — India has in April 2011, issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 pursuant to the Information Technology (Amendment) Act of 2008. The new rules prescribe how personal information may be collected and used by organizations in India.

Malaysia — Malaysia has passed the Personal Data Protection Act (Act) in June 2010 which regulates the processing of personal data in commercial transactions. The Act has not come into force although it has been announced that the Government intends to bring the Act into force in the second half of 2012.

Singapore — Singapore has completed two rounds of public consultations of the Personal Data Protection Bill which is expected to come into force in the second half of 2012. This new Act will also see the establishment of a national Do Not Call Registry and a Data Protection Commission who will be responsible for administering the new act when it comes into force.

Hong Kong — Hong Kong currently has a privacy law in place in the form of the Personal Data Protection Ordinance and has introduced the Personal Data (Privacy) (Amendment) Bill 2011which is expected to come into force in early 2013. The bill seeks to address recent public criticism of the transfer of customer personal data to others for direct marketing purposes and “cross-marketing” activities without consent. (Carol Ko, Data Protection Laws II – APAC Data Privacy Laws Update. September 11, 2012)

In our country , President Benigno Aquino III signed on August 24, 2012 the Republic Act 10173 or the “Data Privacy Act of 2012,” which intends to protect the integrity and confidentiality of personal data in the information and communications systems in the government and private sector and creating the National Privacy Commission for such and other purposes.

It would be a great help if the National Privacy Commission would actively perform its functions in receiving complaints, monitoring compliances and compelling entities to abide by its orders the earliest time possible as there are cases rapidly arising due to the advancement in computer technology and telecommunications networks making the sharing of personal information spread around the world without sweat.

I am not sure if membership in the said Commission has already been established. When I checked the web to get information on the said Commission, I found out that there is nothing posted about it, not even an update on its creation, so I presume that said Commission is not operating yet.

With proper implementation of Data Privacy Act, our Business Process Outsourcing sector will primarily benefit as it its data source will be protected from unlawful use and the media groups will be guaranteed protection from the impact on freedom of the press.

I hope that the outcome of the implementation of our new law will ensure us that our personal data will be treated with security and only for legitimate purposes.


Cybercrime Prevention Act of 2012 Versus Magna Carta for Philippine Internet Freedom

The first time I heard about the Cybercrime Prevention Act was when I was asked by my co-workers on my take about it. Having no time to watch the television more so to read the papers, I had no inkling of the said law so I asked a brief orientation of it, as understood by mycoworkers, being engineers without the interest of reading the entire law.

So they told me about the hot controversies… listening to one of them really convinced me that he was knowledgeable about the law, well, thanks for yahoonews. Then my initial reaction was, what’s wrong with the government restricting your online activities and write ups. Everything is being restricted by a lot of different laws.

Whats new? Every right and freedom that you got must always have boundaries. That’s what I call responsible living.

Arrogant as I am, I even felt that my co-workers didn’t really understand why there was a need to regulate blogging and other online services. Then I heard someone talking about porn movies and internet downloads.

Bingo!

So that was what it was all about! I thought that what they were actually concerned about was their being restricted to watch porn movies and to download files without permission. Remembering their noisy rants about saying goodbye to their favorite sites makes me grin like a joker.

A lot of them even changed their profile photos on facebook showing their support for the amendment of the law. And I even told them that it was a good law then since they would have to be extra careful in entering porn sites.

The debate as argued between engineers and paralegal was actually very childish and subjective. I did not actively participate on it as I thought that the implementation of the law was as necessary as our modern system requires.

When I first read the Cybercrime Act, I did not find anything questionable in it. I even wondered why lots of issues arose in the media when the law was as ordinarily restrictive as any other law.

Then my professor gave the whole class an assignment on our own take in the said law. Oh my! Imagine going through all that technical nonsense again!! The idea makes me nauseous!

So here I am attempting to understand seriously the contents of the controversial Cybercrime Act.

What caught my attention first was the penalties as provided for under Section 8 of the Act. They are even higher than the penalties imposed in the E-Commerce Act which includes hacking. IT students may face imprisonment from 6 to 12 years for experimenting their cybercrime capacity.

Imprisonment is one of the forms of rehabilitation. It involves conditions and treatment programs to change behavior generally.

One does not need such long periods to inculcate to a person the seriousness of the cybercrime he committed in order to reform him. Imagine a person being incarcerated for shouting “Magnanakaw Ka!” on twitter for a longer period than a person who inflicted slight physical injuries against another.

Another example of a stiffer penalty provided by the Act is the penalty for online libel. While the Revised Penal Code provides for the penalty of libel of not more than 4 years and two months in jail, the Act provides 1 degree higher for online libel. Honestly, I thought it was just fair, considering that the spread of an online defamation reaches around the world while a newspaper publication reaches those people within the locality.

But, wait a minute.

For someone like me who loves making rude remarks on my friends’ wall on facebook, am I already a candidate for cybercrime imprisonment award? And for someone who uses the facebook wall as her own personal diary, isn’t the law too harsh if she forgets to guard her tongue in one moment and be liable only because she loves sharing her thoughts to the world?

What do you think motivated our lawmakers to approve of a law as oppressive as the Cybercrime Act? Or if they were not motivated by any personal agenda, did they really understand what it contains?

Another thing about the Act is its provision on online libel which violates the rule against double jeopardy. Funny isn’t it? If you hated your ex-lover that much, then institute online liber case against him and make him pay twice for it. It would be just perfect!

But seriously, our Constitution shields us from a second prosecution for the same offense. We cannot be tried again on the same or similar charges following a legitimate acquittal or conviction. And for sure, online libel is not an exception for this.

If a 19-year old teenager is convicted of such crime in a cybercrime court and was made to be confined in prison for 8 years, and another 9 years of imprisonment of the same crime by another court, the young teenager would have spent his fruitful years in prison. Do you think it is fair for him to be punished like that?

If this happens to me, I think I would commit another crime after the termination of my imprisonment so I could go back to jail for fear of adjusting to the way of life outside of prison walls.

I think this is the time for the fault-finders to celebrate since they do not have to dig up material evidence to convict a person for cybercrime.

Section 4 (a) (3) of the same Act defines data interference as the intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document or data message, without right, including the introduction of viruses.

Let us say that a GSIS employee, in the performance of his duty, without malice or intention, introduced viruses on its central database system, resulting to the deletion of pertinent data of the entire system, will that person be liable of violation of the same section of the Act?

Looking at the elements of data interference as one of the cybercrime offenses makes you think that the person in the above example is guilty of cybercrime. Although he was performing his official duty, the fact that he introduced viruses on the database system, regardless whether or not there was malice on his part or through his reckless act, he is liable. Or you may argue that he is not, since he had the right being an authorized employee having an access on the government computer system.

This is actually confusing. When the law states “without right”, does it refer to having authority on the access of the system or on the introduction of viruses? Although this sounds ridiculous, but, maybe, there is such a thing as the right to introduce viruses for the purpose of crashing the system for public security.

I asked my co-worker who manages the entire network in the office if it is possible for an IT personnel to purposely infect a computer system with viruses as instructed by his superior. And he answered no. If the purpose is to destroy the database then deletion or other similar method should be applied except infection of virus. This is because introduction of virus to a system is an act of violation of their professional ethics.

I was really glad to hear this. But still, the law should have been cleared about this.

Asking around my friends to see their primary concern on the Act was very helpful. I realized that most of them were doubtful about the government’s ability to investigate cybercrimes in order to determine the real perpetrators. I agree with them.

Take for an example an unauthorized use of your account in a computer café. After logging in and out of your yahoomail, another user was able to access into your account and used it to commit any of the crimes against the Act, then a complaint was filed against you, and your only defense was that you had no knowledge of such act, do you think that the person who committed it could be identified?

If there is anything good that we could get from this law, it is to make us extra careful in allowing others to use our computer or other electronic device.

We could start being cautious with our comments when we are posting them online. We could stop installing unlicensed applications and downloading pornographic movies. Yes, this is really good.

But is it really good?

The Act in its entirety lacks limitations. The definitions of offenses are stated but in general terms and without borders. The powers granted to the authorities are broad that they could be abused.

On the Restricting or Blocking Access to Computer Data provided under section 17 of the Act requires only a prima facie finding of a violation of the provisions of the Act for the DOJ to issue an order to block or restrict access to the computer data.

For a law that punishes crimes twice as high as under the Revised Penal Code and only requiring a prima facie evidence is against public policy and welfare. It is arbitrary and oppressive. It should not be considered as a valid law.

It is like having martial law implemented in online transactions.

If you make a mistake of installing an unlicensed application, or make libelous statement against someone, or trade with Amazon, or engage in online gambling and your enemy catches you doing any of these things, the DOJ may authorize the internet service providers to block such contents if it sees a prima facie violation of any provision of the Act.

For me the hardest part is, not being able to download my favorite Japanese animes and mangas!! Those characters I have been following through for like 15 years will be gone forever. Goodbye Naruto.

But the biggest issue that arises in the implementation of this Act is the government’s attempt to restrain our freedom of expression. Our Constitution assures us of our right to express ourselves. It is the most basic freedom being protected by the State in recognition of our being part of it. Such freedom shall not be suppressed unless such speech will bring about a clear and present danger of evil.

Where is this constitutional guaranty when the DOJ could immediately block the speech if found to be offensive or libelous without trial and hearing? If the government itself prevents us from enjoying our rights, where shall we go for protection?

Then a heroine comes along in the person of Senator Mirriam Defensor-Santiago. I am not saying that I see her with idolizing eyes, but for the purpose of defeating the unconstitutional provisions of the Act, I now salute her with gratitude.

An anti-cybercrime law version 2.0 bill has been filed by Senator Santiago re to replace the controversial Cybercrime Prevention Act.

What is so genius about this bill is the fact that it decriminalizes libel as opposed to the provision under the Cybercrime Prevention Act.It safeguards the rights and freedoms guaranteed by our Constitution.

The said bill treats libel as a civil liability rather THAN A CRIINAL ACT. So one will only be liable to the damage or injury that he has caused to the injured party by his derogatory statement. One does not have to worry of being imprisoned by calling her husband’s mistress “KERIDA” out of fury and post it on any social network’s wall.

Our freedom of expression, privacy and due process and right against illegal searches and seizures are recognized and protected in this bill. It also provides proceedings for taking down websites or networks and prohibits censorship of contents without court order.

The bill is like a work of a genius. Every contentious provisions of the Anti-Cybercrime Law is corrected here.

It also attempts to eliminate the provision relating to double jeopardy and proposes to create another organization for the enforcement of laws governing Information and Communications Technology.

Although I am not sure if creating another office called the Department of Information and Communications Technology is a good idea since it will require a big amount of government fund and besides, there is already the National Privacy Commission created under RA 10173 otherwise known as the Data Privacy Act of 2012 and other government agencies which may work together for the successful implementation of anti-cybercrime law.

Issues on vagueness and generality of the Anti Cybercrime Law have only been resolved here. The bill tries to limit and specifically define cybercrime offenses.

It also covers provisions to ensure the country’s protection against cyber attack by terrorists and other enemy of the states.

Child pornography, child abuse, human trafficking, hacking, piracy and copyright infringement are still considered as criminal acts.

Strict guidelines for securing of warrants, notifications and seizures of date are likewise provided in the bill.

I am so glad lots of people reacted negatively after the approval of the Anti-Cybercrime Act. Otherwise, countless people will suffer the consequence.

Advertisements
1 comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: