SY 2012-2013, Second Semester
In view of the State’s avowed policy to protect the human right of privacy of communication, Congress enacted the Data Privacy Act of 2012, which was approved by President Noynoy Aquino in August of this year.
WHAT IS THE “DATA PRIVACY ACT OF 2012?
The “Data Privacy Act of 2012” seeks to strike the proverbial balance between privacy of communication and the free flow of information by regulating the processing of personal information and generally prohibiting the processing of sensitive personal information subject to certain exceptions.
The law defines “processing” as “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.” While “personal information” is “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.” Examples of personal information would be one’s full name, social security number, telephone number, home address, parents’ names, and the like.
Personal information is considered “sensitive” if it is (1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and (4) specifically established by an executive order or an act of Congress to be kept classified. The processing of these kinds of information is prohibited except in the instances specifically provided for under the law.
The law also enumerates the rights of a “data subject”. A “data subject” is an individual whose personal information is processed.
Another significant aspect of the law is that it prohibits and penalizes the following acts:
(1) The Unauthorized Processing of Personal Information and Sensitive Personal Information;
(2) Accessing Personal Information and Sensitive Personal Information Due to Negligence;
(3) Improper Disposal of Personal Information and Sensitive Personal Information;
(4) Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes;
(5) Unauthorized Access or Intentional Breach of any system where personal and sensitive personal information is stored;
(6) Concealment of Security Breaches Involving Sensitive Personal Information;
(7) Malicious disclosure of unwarranted or false information relative to any personal information or personal sensitive information;
(8) Unauthorized disclosure of personal information;
(9) A combination or series of the above acts
THE WILLING DATA SUBJECT
In the information age, such as the one we are in, everybody could be or is a “data subject”. The information age, so-called because of the proliferation of and rapid advancements in information and communication technology making information quite literally at our fingertips, moves members of the “Me” Generation to be willing data subjects. In fact, what first struck me about this law is how much information we share on the internet that could properly be considered as personal and sensitive personal information.
It is very likely that one need not go beyond our Facebook page to know our full name, age, and marital status. Just a little more snooping around someone’s Facebook wall and you’re bound to find out the owner of that wall’s parents’ names and where he/she went to school. A few more hours on that same wall and I’m pretty sure you’ll find there the exact date when that person was down with the colds or found out she had dengue. You might even find that not a few netizens find pleasure in posting details of their sexual life. These are all personal information and sensitive personal information that the Data Privacy Act of 2012 seeks to protect from the abovementioned acts. And this is just Facebook, who knows how much more information we’re sharing about ourselves on the internet?
The “Me” generation wants an “audience”. We can justify our need to share these information on the World Wide Web. We sometimes call it networking. We sometimes call it marketing. We call it “keeping in touch”. We call it being well-informed. We can even call it a refuge from the stress of our everyday mundane life; after all, in the World Wide Web we are all celebrities. But it all boils down to the question, “what happens to the information we put out there?” An interesting line from an American series on the FBI’s Behavioral Analysis Unit, “Criminal Minds”, is ominous, “THE INTERNET NEVER FORGETS” .
So yes, we may forget a lot of the things that we post on the internet but the internet won’t. What we put out there remains out there and we can hardly control how that information, which we so willingly shared with the world, will be used.
To my mind, in divulging so much personal information about ourselves and generally eradicating the line that separates the personal from the public, we are not just risking the unauthorized use of these information, we are risking our very own safety and security. It doesn’t need a tech-savvy criminal to find a way to use, to our detriment and harm, the information he/she can get about us off the internet.
After several readings of the Data Privacy Act of 2012, the moving power behind the law finally sank. And I found it quite unsettling to know that with the very information that I post on the internet I am thus making my life accessible to any Pedro or Juan who has access to the internet.
However, while I salute the government for recognizing this malady and trying to do something to protect its citizens, I get this nagging feeling that the government may have overstretched their good intentions and created a monster.
HOW DO WE POLICE THE WORLD WIDE WEB?
Does the Philippine government now have the sophistication to enforce the provisions of the Data Privacy Act of 2012? Do they have in place rules and regulations that appreciate the intricacies of the internet and of social media? If this law is any indication, I’d say the answer is in the negative.
If, say, we “Like” or “Re-post” a post on Facebook regarding a friend who announced that she had the colds, have we now committed an “unauthorized processing” of sensitive personal information, which act could subject us to “imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00)”? With the wealth of personal and sensitive personal information on the internet how do we now ensure that our actions do not constitute a violation of the Data Privacy Act of 2012? How do we ensure we remain within the bounds of the law?
Personally, I believe the law stands the test of necessity. I believe that there should be a law that protects our personal information. However, I am extremely skeptical of its effectiveness in protecting the right it seeks to protect and penalizing the acts it seeks to correct. I will not be surprised to know that very few “data subjects” are knowledgeable of their rights under the Data Privacy Act of 2012. I am also quite certain that, given our general lack of familiarity with this new law, taken together with the vagueness and overreach of the provisions, we could very likely be both victim and violator at the same time.
Atty. Jose Jesus Disini, “a legal expert on information technology” himself, had this to say about the law, “it is difficult to understand what its saying, and I had to read it four to five times before I had a framework on how it works”  (http://pcij.org). If a known legal expert is having a hard time understanding the Data Privacy Act of 2012, I do not see how the billions of Facebook users and other netizens could ever be faulted for their lack of understanding of this law. If “ignorance of the law excuses no one from compliance therewith” then we’re in big trouble, my fellow netizens and Facebook/Twitter/other social media users.
It is true that rights mean nothing until we fight for them. But how do we fight for a right we do not know nor understand? It is quite possible that our rights under the law has already been or is currently being violated but without knowledge and understanding of our rights, we may be hard-pressed to enforce them and petition the government and the courts to bring the violators to justice.
Therefore, if anything, the law succeeds in inspiring vigilance over the information we put out there. However, the law is equally effective in discouraging the use or access of any and all forms of social media. Which brings me to an interesting point, the irony that is the Data Privacy Act of 2012.
KILLING THE RIGHT IT SEEKS TO PROTECT
The Dr. Jovito R. Salonga Center for Law and Development of the College of Law in Siliman University, in their website, defines the right to privacy as “the right to be left alone”  (http://salongacenter.org). Many netizens, however, might feel that it is exactly their right “to be left alone” which the law curtails. Immersed as we are in this “Me” Generation wherein everybody is looking for an audience it might take a little stretch of imagination to understand why the information that the law seeks to protect NEEDS to be protected.
Furthermore, because of the vagueness of it provisions, its metes and bounds are not well-defined, so to speak. This creates a dangerous scenario, possibly more dangerous than the evil it seeks to slay. Atty. Disini describes the law as “more encompassing” than the infamous “Cybercrime Law” “in how it regulates the flow of information.”
Thus, we find here a classic case of desiring one thing and achieving the complete opposite thereof. While the moving spirit behind the law is commendable enough, if stripped to its bare policies the law could in fact turn out to be the very curtailment of the right its seeks to protect.
OUR FIRST LINE OF DEFENSE
Given the foregoing, I submit, therefore, that our first line of defense against the unauthorized access and use of our personal information is still the responsible use of the internet and social media. It is our bounden duty as actors in the World Wide Web to ensure the security of the information we put out there. It is first and foremost the duty of the source, the data subject. to make a conscious decision to sift which information is to be shared, to whom, how, when, and where.
 Criminal Minds – Season 5, Episode 22: The Internet Is Forever; Original Air Date: May 19, 2010
On 12 November 2012, Sen. Miriam Defensor-Santiago, filed Senate Bill 3327, “An Act Establishing a Magna Carta for Philippine Internet Freedom, Cybercrime Prevention and Law Enforcement, Cyberdefense and National Cybersecurity” or the “Magna Carta for Philippine Internet Freedom”. Said law is touted as the much-improved version, and is set to replace, the embattled Republic Act No. 10175 or the “Cybercrime Prevention Act of 2012″. The big question then is, “is this proposed law actually a better one than the TRO’d R.A. 10175?”
Let us begin by understanding the rationale behind laws/bills that seek to “police” cyberspace.
Act No. 3815, as amended, more popularly known as the Revised Penal Code (RPC), took effect on January 1, 1932. Back then, the Bill Gates and Steve Jobs of the world were only beginning to “produce a machine that can perform automatic calculations and is programmable” . In other words, our 1930s lawmakers could not have contemplated computers, or certainly not the computers of today, when they enacted the RPC. They could not have foreseen the far-reaching effects and ubiquity that these machines would achieve some eight decades later. They could not have foreseen the rise of the information and communications technology (ICT) and the power and influence of the Internet.
Thus, our RPC has not provided for penalties for violations of rights committed with the use of a computer or through the internet. And following the Latin maxim, nullum crimen, nulla poena sine lege, which means “there is no crime where there is no law punishing it”, without a provision in our law penalizing computer- or internet-related violations of rights then there is no crime and the victim is, at least under our penal laws, without recourse (they can always, of course, file a civil case).
Such a deficiency in our penal laws coupled with the ease afforded by the ICT and the Internet to commit crimes and evade detection is said to be the raison d’être for laws such as the Data Privacy Act of 2012, Electronic Commerce Act of 2000, and the more recent Cybercrime Prevention Act of 2012, and even the proposed Magna Carta for Philippine Internet Freedom.
President Benigno Aquino rationalized the enactment of R.A. 10175 with the oft-quoted line from Eleanor Roosevelt, “With freedom comes responsibility”.  This new law “establishes a legal framework to identify, investigate, and punish crimes committed through online and computer platforms” . In his sponsorship speech of said law, Sen. Edgardo Angara reminded us of the incident sometime in May 2000 when the Philippines gained notoriety after “one of the most destructive viruses of all time was traced to a then 23-year old computer science dropout in Manila” . The infamous “I LOVE YOU” virus caused US$10 billion in software damage and lost businesses and spread to over 55 million computers worldwide. However, since there was then no law governing such activities, “we were unable to bring to justice a wrongdoer who caused harm to millions of people and companies around the world” . In July 2000, the Electronic Commerce Act of 2000 was enacted to fill this void in our legislation but “eleven years later, the rapid rate of technological development has outpaced our capacity to effectively police a borderless realm” . Thus, says Sen. Angara, “Internet usage has skyrocketed in the absence of any appropriate legal framework” . Under this backdrop, he paints an ominous picture, “30 Million Filipinos who use the Internet regularly can become the next victim of cybercrime” .
Others are of the opinion, however, that the real reason behind the enactment of laws such as R.A. 10175 is the strong BPO lobbying in the country. It has been said that the BPO industry has received demands from their foreign clients for a “strong legal environment that can secure their data from being stolen and sold” .
Regardless of what our lawmakers’ motives are for passing R.A. 10175, I am of the opinion that a “Cybercrime Law” is long overdue. Cyberspace is a fertile ground for violations of people’s rights and victims of such violations must be given recourse in law. Our rights must be protected, wherever we may be, yes, even in Cyberspace; for in using the Internet and becoming a resident of Cyberspace we do not then shed our integrity and our rights as human beings. Otherwise put, being a participant in Cyberspace is not a license for other such participants to violate my Constitutionally-protected rights.
The more bloody discussion then is the “HOW?”.
What is “wrong” with R.A. 10175?
Our legislators have attempted to answer the question of “how do we ‘police’ cyberspace?” with the enactment of R.A. 10175. However, if the uproar that met such law is any indication, it seems this was a case where the cure was worse than the disease. Protesters left and right assail the law’s vague provisions whose net effect, it is claimed, is a “chilling effect” upon the freedom of expression. In particular, some of the contentious provisions of the law are:
Sec. 4(c)(4) Libel. The unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended, committed through a computer system or any other similar means which may be devised in the future.
The law’s provision on on-line libel has met rigorous opposition. On the one hand, it is attacked for being inconsistent with the Philippines’ state obligations under the International Covenant of Civil and Political Rights (ICCPR) in light of the UN Human Rights Committee’s considered view that “criminal libel in the RPC is incompatible with freedom of expression” . Other camps are attacking the said provision for its lack of a clear definition of the crime of libel and the persons liable so that virtually anyone and everyone can be charged with a crime “even if you just like, re-tweet or comment on an online update or blog post containing criticisms” .
Personally, I do not believe that there is anything to protect about libelous speech. The children’s rhyme “sticks and stones may hurt my bones but words will never hurt me” is not entirely true. A person’s honor and reputation so valued and painstakingly built for years can very easily be destroyed by a malicious and derogatory comment. The risk is multiplied a million-fold considering how a statement/comment can spread like wildfire with such ease and speed through the Internet. The problem, however, is that the definition of libel under the RPC, from which the definition of on-line libel is based, is so worded that it does have the effect of suppressing Constitutionally-protected speech. It does inspire the exercise of prior restraint. With most people unable to determine when their statements could be considered libelous, the law could effectively silence even legitimate grievances.
Sec. 12. Real-Time Collection of Traffic Data. — Law enforcement authorities, with due cause, shall be authorized to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system. xxx
This provision is problematic because the law does not provide for a definition or mechanism for determining due cause. As has been pointed out in our Technology and the Law class, a law that infringes on the right to privacy, such as the above provision, should be narrowly construed but here there is nothing to construe. This provision could easily be abused, either intentionally or negligently, by law enforcement authorities. Instead of protecting people’s rights it could actually bring about more violations of such rights.
Sec. 19. Restricting or Blocking Access to Computer Data. — When a computer data is prima facie found to be in violation of the provisions of this Act, the DOJ shall issue an order to restrict or block access to such computer data.
At first blush, the above provision seems innocuous enough. After all, it provides for prima facie determination which is not inconsistent with the due process clause in our Constitution. However, again, our discussion in our Technology and the Law class has brought to fore the problem with this provision. A prima facie evidence is “that which is standing alone, unexplained or uncontradicted, is sufficient to maintain the proposition affirmed” . Under the Rules of Court, a prima facie evidence that is not rebutted or controverted will be given due course. This is what makes the above provision questionable because the law failed to provide for a mechanism or procedure by which owners of computer data may present rebuttal or controverting evidence.
To summarize what I have to say about R.A. 10175 is that: it is (1) vague and (2) it violates the right to due process. It failed to define the parameters of certain important concepts and failed to lay down the procedure for the protection of our right to due process. Reading this law felt like reading a “framework” or a “draft” of a law. It appears that many of the issues it sought to address and many of its provisions have not been completely fleshed out. The law felt “unfinished”.
That being said, as to the question of whether SB 3327 is better than R.A. 10175, I answer in the affirmative. Here’s why.
Salient features of SB 3327
Sec. 33. Internet Libel, Hate Speech, Child Pornography, and Other Expression Inimical to the Public Interest
Yes, there is still a provision on Internet libel, which works for me. As I have pointed out above, I believe there should be one. However, unlike its predecessor, the provision on Internet libel under SB 3327 has more specifically defined which acts are punishable and which are not. Under Sec. 33.A.2 Malice as an essential element of internet libel, it went a step further than the definition of liber under Arts. 353 and 355 of the RPC by defining more precisely the element of malice in Internet libel. The proposed law also makes the positive identification of the subject an essential element of Internet libel (Sec. 33.A.3), which to my mind is an added safeguard against possible abuses of the provision on Internet libel. Even better, the law has enumerated the acts which would not constitute Internet libel. As it stands, this enumeration seems comprehensive enough to cover Constitutionally-protected free speech. The proposed law also establishes Truth as a defense, to wit: “Internet libel shall not lie if the content of the expression is proven to be true, or if the expression is made on the basis of published reports presumed to be true, or if the content is intended to be humorous or satirical in nature, except if the content has been adjudged as unlawful or offensive in nature in accordance with existing jurisprudence.” (Sec. 33.A.5). These provisions should assuage the fears of netizens in regard to Internet libel’s proneness to abuse.
An entirely new provision in the proposed law is that on Internet hate speech, which should be applauded. Hate speech is that which includes “communications of animosity or disparagement of an individual or a group on account of a group characteristic such as race, color, national origin, sex, disability, religion, or sexual orientation” . While Internet hate speech is currently not a particularly big problem in the Philippines, the proposed provision demonstrates foresight and will serve as, hopefully, a sufficient deterrent against any such future acts.
The proposed law has also specifically defined “Privacy”, which definition goes a step further than that guaranteed and protected by the Constitution to include “informational self-determination”. “Informational self-determination” is a person’s right to “determine what personal data is disclosed, to whom, and for what purposes it is used” . This is an important concept that is often overlooked. There appears to be a general belief that we lose the right to the personal information we put on-line. The same is not true, of course, and we have R.A. 10173, the Writ of Habeas Data, and now this proposed law to assure the public that if their right to informational self-determination is in any way violated the law has given them ample remedies.
Also included under the right to privacy protected by this law is that of ensuring that “information is not disclosed to anyone other than the intended parties”. This is usually included in contracts as confidentiality clauses and will now, if SB 3327 is approved, be put into law and read into every contract and transaction.
Sec. 8. Right to freedom of speech and expression on the Internet
Another commendable provision of the bill is that on freedom of speech and expression. Although admittedly, the 1987 Constitution’s provision on freedom of expression should be broad enough to include speech and expression on the Internet, this provision in SB 3327 puts in place a mechanism and standard for preventing the abuse of such rights. Thus, while every person has the right to publish material on or upload information to the Internet, the State and/or person adversely affected by the exercise of such right is not without recourse. The exercise of one’s rights are not always without consequences injurious to other people’s rights; thus, we have the principle of abuse of rights found under the Civil Code. In recognition of this truth, SB 3327 empowers the State to restrict access to information on the Internet or to remove published material or uploaded information from the Internet but only under specific conditions found under Sec. 8(4)(a).
Sec. 12. Protection of Intellectual Property and SOTTOing; Sec. 20. Content Fair Use
The past year saw multiple charges of plagiarism against Sen. Tito Sotto, prompting his chief of staff, Atty. Hector A. Villacorta to come out and admit copying from a U.S.-based blog for the senator’s speech. Atty. Villacorta defended his action on the premise that a blog is public domain and, therefore, no plagiarism was committed by him.  His statement is, although downright erroneous, nevertheless, a common misconception. This is, in fact, the defense of choice of people caught lifting off material from the internet without proper attribution. To disabuse ourselves from this mistaken notion, SB 3327 has provided for a provision expressly making any content published on the Internet presumably copyrighted, except when explicitly made otherwise by the author, subject to such conditions under relevant laws. But at the same time the law provides a provision on Content Fair Use.
This is characteristic of the general direction taken by SB 3327, which is to strike a balance between freedom and regulation. Freedoms/rights can be used and abused to the injury of another. This is the argument for the passage of laws that “police” cyberspace. Yes, Internet freedom assures the growth of ideas, innovation, sharing of information but it can just as easily be used to violate copyrights, bully (hence the infamous term, cyber bullying), violate privacy. Therefore, it is beyond contest that we need to update our laws to keep it at pace with the growth of the Internet and the ICT. We need a law that responds to the new issues presented by this creature called the cyberspace. In my opinion, SB 3327 could do just that. One of the complaints about R.A. 10175 is that it dealt with a technical subject written by non-technical persons. SB 3327 does not suffer the same defect. If it succeeds in becoming a law, SB 3327 would have accomplished strides in terms of updating our laws.
Sec. 23. Repeal of the Cybercrime Law
And perhaps the most welcomed provision of this bill is the complete and explicit repeal of the much-criticized R.A. 10175.
To my mind, the filing of SB 3327 is a testament to democracy at work. Our citizens voiced out, in no uncertain terms, their denunciation of R.A. 10175 and our legislators, Sen. Miriam Defensor-Santiago in particular, responded.
However, as in any law, the proof of the pudding is in the eating. It is not entirely impossible nor unheard of that a law that looks good on paper turns out to be a monster to implement. Nevertheless, netizens, like myself, should have high hopes for this bill. Let’s just hope that it gets passed before new developments/advancements in the Internet or in ICT make it obsolete.
 Shrinivas Kanade; Who Built the First Computer; http://www.buzzle.com/articles/who-built-the-first-computer.html
 Greg Poling and Liam Hanlon; Legislative overreach: The Philippine fight over internet freedom; http://www.abs-cbnnews.com/insights/10/02/12/legislative-overreach-philippine-fight-over-internet-freedom; October 2, 2012
 Cybercrime Prevention Act Sponsorship speech of Senator Edgardo J. Angara; http://www.edangara.com/speeches?page=2
 JJ Disini; Cybercrime Act: Features and issues; http://opinion.inquirer.net/38218/cybercrime-act-features-and-issues; October 6, 2012.
 Ina Reformina; SC gets 5th plea vs Cybercrime Act; http://www.abs-cbnnews.com/nation/09/28/12/sc-gets-5th-plea-vs-cybercrime-act
 Karl John C. Reyes; FB ‘likes’, shares could be grounds for libel, says Sen. Guingona; http://www.interaksyon.com/article/44173/fb-likes-shares-could-be-grounds-for-libel-says-sen–guingona; September 27, 2012.
 Margaret Brown-Sica and Jeffrey Beall; Electronic Journal of Academic and Special Librarianship; http://southernlibrarianship.icaap.org/content/v09n02/brown-sica_m01.html#_edn2
 Online Privacy: Towards Informational Self-Determination on the Internet; http://drops.dagstuhl.de/opus/volltexte/2011/3205/pdf/dagman_v001_i001_p001_11061.pdf
 Patricia Denise Chiu; Sotto aide takes blame but denies plagiarism, says blogs meant to be shared; http://www.gmanetwork.com/news/story/270179/news/nation/sotto-aide-takes-blame-but-denies-plagiarism-says-blogs-meant-to-be-shared; August 17, 2012