Curammeng, Reynold Jr.

SY 2012-2013, Second Semester


Data Privacy Act: Am I secured?

The question that often comes to my mind every time I provide my personal information, especially through the internet, is this: am I secured? Will it be used for a legitimate purpose? Or will it not violate my right to privacy?

With the advent of RA 10173, also known as the Data Privacy Act, these queries of mine became clear. I am, indeed, secured. The purpose of the Legislative in passing this law is to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

But before I go any further, let me just discuss the basis for the passing of RA 10173. It is anchored on the Constitutional guarantee of the right to privacy. Article III, Section 3 of the Philippine Constitution provides that:

(1) “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”

RA 10173 is also based on European Council No. 45/2001, which protects the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data, and shall neither restrict nor prohibit the free flow of personal data between themselves or to recipients.

Scope of application

RA 10173 applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

On the other hand, this Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Likewise, Section 6 of said law provides for the extraterritorial application of RA 10173. However, it seems that debates will likely arise on this matter because of jurisdictional issues. I wonder if the Implementing Rules and Regulations of this law will somehow address such a question.

What are the benefits under RA 10173?

Section 5 of the law provides that: “Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.”

This provision affords great protection in favor of media men, such as publishers, editors and reporters, against the unreasonable harassment of being compelled to reveal the source of any news report or information. It likewise provides peace of mind in favor of the source regarding their personal information being disclosed. In this case, the right of the people to information on matters of public concern will not be abridged.

Section 16 of the law enumerates the rights of the data subject. These enumerations point to one thing: there must be consent and notice before information can be processed. Violation of these rights carries a penalty, which will be discussed later. Noteworthy is subsection (e) of Section 16. It provides that:

“Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information”

Whenever the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or no longer necessary for the purpose, the data subject has the right to order such information to be suspended, withdrawn, blocked, removed or destroyed by the information controller. The data subject also has the right to demand indemnity for the injury caused by such information which is incomplete, outdated, false or unlawfully obtained.

Section 20 ensures security of personal information. It provides:

“The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.”

This provision guarantees that the personal information of the data subject will be protected and secured. This way, it will be easy to disclose your personal information, even privileged information, because you know that it is safe. The law puts a heavy burden on the information controller to ensure that the information obtained will only be used for lawful purposes.

This law, as Senator Angara said, will not only boost the confidence of potential investors in the country’s IT-BPO industry, but also the trust of ordinary citizens in e-government initiatives.

What are the contentious provisions of RA 10173?

There are provisions in the law that I find interesting, if not contentious. First is Section 5 of the law, which provides that:

“Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.”

It may readily appear that this is a benefit under RA 10173. However, if you read it carefully, such a provision will likely invite abuse of right on the part of media men. The provision may be used as a cloak to protect their evil intent in reporting libelous, false or fraudulent information. As the law states, media men may not be compelled to disclose the personal information of their source. What I am afraid of is that media men may report libelous, false or fraudulent information, claiming that they gathered it through a reliable source, when in fact such a source does not exist. They may not be compelled to disclose it and may easily invoke this provision of law.

Another provision worth mentioning is Section 7, which provides that: “To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, xxxx”

This provision caught my attention and I find it very interesting. It is provided in this section that there shall be an INDEPENDENT BODY that will monitor and ensure compliance with the law. It means that it is not under the direct supervision or control of the President. The commission, being an independent body, has wide discretion regarding its obligation as mandated by the law. It means that the President or any other government official, for that matter, may not use their powers to influence the commission in order to achieve their fraudulent and evil intent. This is what happened during the impeachment of Chief Justice Corona, wherein the government used its machinery to obtain information, regardless of whether it was in violation of the right of CJ Corona. With this provision, we may safely say that we are more secured now compared to what happened to CJ Corona.

Penal Provisions

The law enumerates different kinds of penalties for violations of RA 10173. The acts punishable under this law are the following:

1. The unauthorized processing of personal information or personal sensitive information – penalties are imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

2. Accessing Personal Information and Sensitive Personal Information Due to Negligence – penalties are imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

3. Improper Disposal of Personal Information and Sensitive Personal Information – penalties are imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.

4. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes – penalties are imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.

5. Unauthorized Access or Intentional Breach – penalties are imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.

6. Concealment of Security Breaches Involving Sensitive Personal Information – penalties are imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.

7. Malicious Disclosure – penalties are imposed on any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her.

8. Unauthorized Disclosure – penalties are imposed on any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject.

Having these penal provisions of the law, the data subject is well protected with regard to his personal information.

Conclusion

It is my humblest opinion that this law will tend not just to increase the confidence of potential investors, especially in the IT-BPO industry, but also to boost the assurance of the general public that their personal information will not be used for unlawful purposes. It also bolsters the constitutionally guaranteed right to privacy. The challenge now for the legislative and the government officials, who have the obligation of ensuring compliance with this law, is with regard to its Implementing Rules and Regulations and the long-term administration of this law. They must craft the IRR carefully in order to attain the significant objective of this law.


Sources

The 1987 Constitution of the Philippines

http://www.pia.gov.ph/news/index.php?article=2101345796739

http://www.gov.ph/2012/08/15/republic-act-no-10173/

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2001R0045:20010201:EN:PDF


SB 3327: “Magna Carta for Philippine Internet Freedom”

“I think it’s fair to say that personal computers have become the most empowering tool we’ve ever created. They are tools of communication, they’re tools of creativity, and they can be shaped by their users” -Bill Gates

Indeed, the computer is the most powerful tool that man has ever created. With the help of the internet, this powerful tool may be used in different ways, in communication or even in boosting one’s economy, and it may even be the channel or forum for every individual to express their feelings or sentiments. However, this great convenience comes with greater responsibility and duty, not only to be mindful of the rights of other people but also the duty of the government to come up with protection for every individual. For that reason, the Legislative body of the Philippines has passed several laws seeking to protect the rights of Filipino netizens and providing for a penalty for those who commit a crime through the use of ICT. One is RA10173 or the Data Privacy Act of 2012, and another is the controversial Cybercrime law.

Recently, the Philippines was shaken by the passing of RA10175, also known as the Cybercrime Law. Filipinos went hysterical about it and at least 15 petitions were filed before the Supreme Court seeking to declare said law unconstitutional. On the other hand, the Supreme Court, in addressing this problem, issued a 120-day Temporary Restraining Order to stop the implementation of the law.

Is RA10175 BAD?

To help you understand the subject matter of this article, and before I dig deeper, let me just express my sentiments about RA10175. Is RA10175 a bad law? I honestly believe that this law is a GOOD law, considering the fact that it seeks to prevent identity theft, fraud and even child pornography. The problem, however, which triggered me and the Filipino netizens to react, is that the law has loopholes which cannot be left unnoticed because it violates the rights of the people which were secured by the Constitution.

For one, there is a libel provision in the law. Netizens were afraid that the government itself, which must protect their very right to freedom of expression, as mandated by the Constitution, will be the one violating it. The law provides for a heavy penalty for any person who would post, through social networking sites, any libelous statements.

Another issue in this law is the violation of the right of the people to privacy. The Constitution, particularly Section 3 (1), Article III, 1987 Constitution provides:

“The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”

It is clear, therefore, that there must be a lawful order of the court. In this case, however, RA10175 gives the government a blanket authority to collect and seize data prior to the issuance of a court order for the same.

As I go along with the discussion, I will try to compare provisions of RA 10175 and SB 3327 to come up with a conclusion on which of the two is better.

New Life, New Hope!

Worry not, my friends and fellow netizens: with the advent of SB3327, an act establishing a Magna Carta for Philippine internet freedom, cybercrime prevention and law enforcement, cyberdefense and national cybersecurity, which was introduced by Senator Miriam Defensor Santiago, there is a window of opportunity waiting for us. And if this becomes a law, there would be, indeed, new life and new hope for the Filipinos.

Let’s backtrack a little; this senate bill was passed by Senator Santiago to address the problem in RA10175. It is said to be the first law, if ever, to be crafted through crowdsourcing, which she describes as a process of getting the job done by tapping people on the Internet.

According to Santiago, it was concerned netizens that include software designers, information technology experts, academics, bloggers, engineers, lawyers and human rights advocates who went to her with a draft of the MCPIF. She said the group formulated the MCPIF through discussions in an open Facebook group, e-mail, Google Hangout teleconferences and social media channels like Twitter.

Salient Features

After going through the bill, I noticed this outstanding provision waving at me. Section 23 of the bill expressly repealed RA 10175 in its entirety. It only means that, if this would become law, Filipinos should not be afraid anymore. Their rights to freedom of speech and right to privacy are fully protected by the bill. Senator Santiago said:

“While it is important to crack down on criminal activities on the Internet, protecting constitutional rights like free expression, privacy and due process should hold a higher place in crafting laws.”

Another provision that caught my attention is Section 6 paragraph 2. It states that no person shall be deprived of internet access until and unless there is an order issued by a court of competent jurisdiction. This provision clearly upholds our constitutionally guaranteed right to due process. Section 1 of Article III of the 1987 Constitution provides:

“No person shall be deprived of life, liberty or property without due process of law”

In contrast, RA 10175, particularly Section 19 thereof, provides that when computer data is prima facie found to be in violation of the law, the DOJ has the power to issue an order to restrict or block access to such computer data. The provision of the law gives the government the blanket authority and wide discretion to determine whether or not there is a violation of the law. It gives the DOJ a power that may be abused if not used or exercised properly.

Another interesting provision of the bill is Section 36 thereof. The proposed bill took a big step in decriminalizing libel through the use of the internet. The provision provides that libel will only give rise to civil liability and the amount shall be commensurate to the damages suffered. Under RA 10175, by contrast, libel is a criminal offense and the penalty to be imposed is one degree higher than that provided in the Revised Penal Code. This is absurd and alarming at the same time: the only qualifying circumstance for the higher penalty is the use of information and communications technology.

Worthy of note are Section 33 (A.4) and (A.5). Netizens, especially journalists, would have the freedom to express their sentiments against the government without the threat of being prosecuted or held liable for their acts. Section 33 (A.4) provides for the exceptions to internet libel. Some are: a.) Expressions of protest against the government; b.) Expressions of dissatisfaction with the government, its agencies or instrumentalities, or its officials or agents, or with those of foreign governments. On the other hand, in case an individual is prosecuted or held liable for internet libel, Section 33 (A.5) comes into play. This particular provision provides netizens with a defense. Internet libel will not lie if the content of the expression is proven to be true, or if the expression is made on the basis of published reports presumed to be true, or if the content is intended to be humorous or satirical in nature, except if the content has been adjudged as unlawful or offensive in nature in accordance with existing jurisprudence.

Furthermore, a prosecution under the proposed bill will bar any further prosecution of the act as a violation of the Revised Penal Code and other special laws. This is expressly stated in Section 40 of said bill. This is again contrary to Section 7 of RA 10175, under which prosecution under the said law shall be without prejudice to any liability for violation of any provision of the Revised Penal Code, as amended, or special laws. The provision of the proposed bill upholds the rule on double jeopardy which is mandated by our Constitution. Section 21 Article III of the 1987 Constitution provides: “No person shall be twice put in jeopardy of punishment for the same offense.”

Conclusion

“A proposed bill creates no right and imposes no duty legally enforceable by the Court. A proposed bill, having no legal effect, violates no constitutional right or duty.”

-Montesclaros vs COMELEC GR No. 152295

Having said that, the proposed bill has no legal effect: it confers no rights, it imposes no duties and it affords no protection. Regardless of how perfectly it was crafted or how beautiful the intention is, still, we cannot rely on it.

However, as a nation and as responsible netizens, we cannot just sit. We can do something just like what we did when RA 10175 took effect. We once raised our voice to protect our rights. We can do that again now so that this SB 3327 may be given importance. In my humblest opinion, the proposed bill is almost perfect compared to RA 10175, and if it becomes law, it will change the entire future not only of the Philippines but its people.


Sources

1987 Constitution

http://technology.inquirer.net/20769/santiago-proposes-magna-carta-for-internet

http://www.lawphil.net/judjuris/juri2002/jul2002/gr_152295_2002.html

http://www.gov.ph/2012/09/12/republic-act-no-10175/

http://www.senate.gov.ph/lisdata/1446312119!.pdf
