Sucalit, Jennyfer Jinky

SY 2012-2013, Second Semester


RA 10173: Saving Private Data?

Information Age

RA 10173 or the Data Privacy Act of 2012 (DPA) did not draw much attention as compared to the sensational Cybercrime Prevention Act of 2012 (RA 10175). If the two laws were likened to two women, we would have the Maria Clara – Maria Ozawa dichotomy. The former, conservative in nature, maintained its composure and was unscathed by criticisms and issues. The latter, on the other hand, became sensational and drew flak from different sectors of both the real and the cyber world. (Please understand that this comment is intended neither to belittle women as the weaker sex nor to stereotype them in rigid and superficial categories. The metaphor is used only to show how similar the laws seem, even though they are at opposite ends of the spectrum when we consider the public reaction.)

Clearly, the use and transfer of information have greatly evolved since the time of Maria Clara. The information age has provided us with very powerful platforms to extract, process, and transfer information. One could muse that during Rizal’s time, the pen was mightier than the sword. However, in the information age, the more powerful weapon is the click of the mouse. (Tablet users may argue that it’s the tap of a finger.) With one click, we can download an entire collection of Rizal’s works, or upload comprehensive warfare tactics that might have been useful to the Katipuneros. However, these technological advances have also made us more vulnerable to threats and attacks. In our time and age, personal information used fraudulently and/or erroneously can have detrimental effects on us. In 2008, in the United States alone, there were as many as 10 million cases of identity theft, many of which were perpetrated through the misuse of private data. [1] Thus, the law was supposedly conceived to protect us from these ills.

The Law

Purpose

The declaration of policy noted that the human right to privacy should be safeguarded and that personal information in Information and Communications Technology (ICT) systems in both the government and private sectors is protected and secured. [2] This declaration tells us that the law recognizes the importance of our right to be let alone, more so in this ever-changing time and age. The Law will also ensure that we are protected from the threats of the misuse and abuse of personal and sensitive information.

Another purpose of the law is to increase the confidence of international investors, particularly in the BPO industry, by adhering to international standards of privacy protection. [3] Given the billions of dollars in revenue generated by the BPO industry, compliance with international standards will surely ensure the competitiveness and attractiveness of the Philippines. This could very well translate to more job opportunities for Filipinos.

Scope

Personal information is defined as “any information whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or if put together with other information will certainly identify the person”. This will include facts and figures about a person’s race, ethnic origin, marital status, age, color, religion, political affiliations, health, and sexual life.[4]

The Law will cover “all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines” with specific exclusions on the following:

  • Personal information originally collected from residents of foreign jurisdictions
  • Information on government personnel related to position and function.
  • Information covered in AMLA, SBA, CISA, FCDU and other pertinent banking laws. [5]

Notable Provisions

The law mandates collectors, holders and processors of personal and sensitive information to ensure strict compliance in the conduct of their activities. The information must also be stored only as long as it is needed or “for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.” Lack of consent from the data subject will not stop the processing should it be related to the fulfilment of a contract he has previously entered, to comply with a legal obligation, in cases of life and health, and to serve the greater interests of the public. In cases where the information is found to be incomplete, outdated, false, and/or unlawfully obtained, the data subject can demand its withdrawal, blocking or removal. Penalties for violations are imprisonment of up to 7 years and fines ranging from Php 500,000 to Php 2,000,000.00. [6]

National Privacy Commission (NPC)

The NPC is tasked with administering and implementing the provisions of the Law, recommending to the DOJ the prosecution and imposition of penalties, and helping facilitate cross-border enforcement of data privacy protection. It will be composed of three members: a Privacy Commissioner and two deputies. Also, the NPC will be attached to the Department of Information and Communications Technology (DICT). Should the creation of the DICT not be completed by the time the law takes full force and effect, the Commission will attach itself to the Office of the President. The Commission will receive an initial appropriation of Php 20,000,000 and Php 10,000,000 per year for 5 years upon implementation. [7]

My Take

The Good

The law will indeed spur growth in the BPO industry. According to Business Processing Association of the Philippines (BPAP) President Benedict Hernandez, “Because the IT-BPO industry and best practice is evolving rapidly, enhancements to existing legislation will ensure that the Philippines remains competitive and in fact leads breakthrough initiatives in best practices for the industry.”[8] And, according to Alejandro Melchor III, deputy executive director for ICT industry development, “the new law will help the Philippines become a global leader for shared services, one of the fastest growing segments of the IT-BPO industry” [9]. Working in a call centre for two years made me realize that the BPO industry indeed employs a great number of Filipinos. The BPO industry has also employed many of my family members and friends and, given this fact, I am very much in favor of a law that will help the BPO industry sustain and maybe increase its current hiring state.

The law will also help protect a person’s data from abuse and misuse. Without consent, companies and government institutions cannot transfer or process someone’s personal data. I am personally aware that some companies use and transfer personal information of their clients for marketing and cross-selling metrics purposes. This means that some companies allegedly use and share personal information like income, sex and preferences to sell products to clients via personal email and/or mobile numbers. With the law in place, we will be better protected from this type of practice and we may receive fewer spam emails and text messages.

I am also in favor of a law that will replicate the care and transparency the banking institutions practice with the personal and sensitive information of their customers in other sectors, both in the government and private industries. Married to a banker engaged in information risks, I am particularly aware of the different safeguards and due diligence banks do just to ensure that customer information is protected. There are different levels of checking and counter-checking done in the banks, and some even create a standalone department just to ensure compliance. This goes to show that when the law gains full throttle a similar practice will be expected in the other industries.

Another advantage of the law that I have seen is that it puts a premium on the protection of our constitutional right to privacy. Extraction, processing and the transfer of our personal data should be done with utmost care. There is a reason why they coined the saying “we all have skeletons in our closets”. And it is that we value our personal information and we deserve for it to be handled well. I believe that several scandals (Hayden Kho, Amalayer) might have been avoided if the general public knew that there would be repercussions if they disregarded the value of privacy.

The Bad

Some journalists raised their concerns that the law might be restrictive to the principles of the media – freedom of expression, accountability and transparency. They said that the personal lives of government officials have a bearing on their accountability to the citizenry. Thus, there may be hindrances to journalists in proving the wrongdoings of certain politicians and officials in government. [10] I don’t think I agree with this type of thinking. There is a specific provision in the law which gives leeway to journalistic, artistic, literary or research purposes. Also, there are other ways to expose a corrupt official. We have existing mechanisms at the local government level as well as in the Office of the Ombudsman and Sandiganbayan to address this type of concern. Also, I don’t think this can be an issue of freedom of expression. I believe that for every ounce of freedom the journalists claim they have, there is a corresponding ounce of responsibility and accountability in their actions.

I am not particularly sold on the 1000 bulk limit in accessing and moving records. There may be times when the 1000 bulk limit will not be applicable. Databases may contain records of up to a million entries, and if you have a restriction on the limit then it would be hard for the processors to do their jobs. Also, why would you need to set a bulk limit if in the following paragraph of the law it is indicated that the data will be protected using the most secure encryption available? Following the armoured car analogy, where the car used has thick armor and the guards inside have big guns, it wouldn’t make sense if the amount stored were set at a very small limit.

There are some particular blogs which I have come across which mentioned that the penalties of the law are irrationally stiff. They reason that a poor processor may end up paying a large sum or worse do time even if they did not mean to do the wrong deed. I particularly do not agree with this. I believe that the intention of the law is to create awareness as well as create a system of due diligence when handling private data. It is the responsibility of the companies/industries to train their staff to be particularly familiar with the provisions of the law. Due diligence has been part of the banking industry ever since so I don’t think the other industries will have a hard time catching up. [11]

The Questions

As with other laws, the question may not be how beautifully they are crafted, but how effectively they are implemented. As we are yet to see the IRR, I cannot help but speculate the following:

a) What would be the different levels of penalties? Will it be according to the sensitivity of the information, the bulk of information? Where do we draw the line between what’s sensitive and highly sensitive?

b) How will the commission handle possible conflicts with other laws specifically those related to banking?

c) What are the criteria for journalistic, artistic, literary or research purposes?

d) Will the government compensate or give particular incentives and perks to those following the law?

e) Will the law entail additional costs to the government and the private sector?

The Verdict

Given the insights I have provided above, I am in favor of this law. I see that it will be beneficial to the greater good as long as the implementation is handled carefully. I also believe that the advantages of the law definitely outweigh its perceived disadvantages. With that said, I shall wait for the formulation of the Implementing Rules and Regulations and revise/redraft my stance if necessary.


Endnotes

[1] http://ph.news.yahoo.com/pinay-model-raises-alarm-identity-theft-20110414-180756-019.html. Accessed 05 December 2012.

[2] http://www.gov.ph/2012/08/15/republic-act-no-10173/. Accessed 05 December 2012.

[3] http://www.malaya.com.ph/index.php/business/business-news/11765-data-privacy-act-to-boost-bpo. Accessed 05 December 2012.

[4] http://business.inquirer.net/79534/data-privacy-act-of-2012. Accessed 05 December 2012.

[5] http://www.gov.ph/2012/08/15/republic-act-no-10173/. Accessed 05 December 2012.

[6] http://www.gov.ph/2012/08/15/republic-act-no-10173/. Accessed 04 December 2012.

[7] http://business.inquirer.net/79534/data-privacy-act-of-2012. Accessed 05 December 2012.

[8] http://www.malaya.com.ph/index.php/business/business-news/11765-data-privacy-act-to-boost-bpo. Accessed 05 December 2012.

[9] http://rp1.abs-cbnnews.com/business/08/28/12/new-data-privacy-law-boost-it-bpo-industry. Accessed 05 December 2012.

[10] http://www.cmfr-phil.org/2012/09/18/a-restrictive-mindset/. Accessed 07 December 2012.

[11] I have chosen not to indicate the particular blogs so as not to pinpoint these individuals. I will however upon request provide the URLs if it is really necessary.


Senate Bill No. 3327: Will this Bill Really Give Internet Freedom for the Filipinos?

Miriam Defensor-Santiago’s Magna Carta for Philippine Internet Freedom, according to her, will ensure that the Filipinos will be able to meet the challenges posed by ICT and cyberspace, and be able to wield it and benefit from it in charting a better future. How does this bill match up with the currently enacted Data Privacy Act of 2012? Can this bill eliminate the uncertainties of the latter enacted law? Does the bill clearly draw the line between punishable acts and the genuinely innocent and yet brilliant works of those computer addicts with their pure genius acts in using their toys? Will this bill really protect the Filipinos from the crooked minds of people whose only aim is to lure the innocent with their vital information and do illegal acts using the internet at the expense of the latter?

The bill is trying to put some amendments to current applicable laws such as the Data Privacy Act, E-Commerce Act, and Intellectual Property Code of the Philippines, to name a few, and intends to repeal entirely the newly enacted Anti-Cybercrime Law. Although terms, punishable acts and penalties are similar to each other, what is significant in this bill is that the author tried to carefully and clearly emphasize the details of each section so as to enhance its discussions on what is really illegal and what is lawful. However, some of them are still blurry, maybe only to me who is studying law, or maybe more so to a layman? It would also seem at first reading that 2 or more parts of the bill are discussing the same issues, where in fact the bill is trying to pertain to different acts. It’s either that it needs a little editing or the reader just has to focus on what he’s reading (like me perhaps, hehehe…).

The creation of the Department of Information and Communication Technology and how the bill intensified its duties and responsibilities with regard to the implementation of plans, policies, programs and measures that this bill is trying to convey would be very beneficial, especially now that most, if not yet all but eventually I suppose it will be, tasks that a person needs to do (i.e. working at home, paying bills, buying articles, reading books, playing, etc.) can be done over the internet. This agency will be the one to oversee what is happening over the world wide web, especially with regard to assuring that the rights of the Filipinos are not violated using the internet. The Department of Information and Communication, in collaboration with the Department of Education and Commission on Higher Education, will create and develop curriculums for students to allow the new generations to acquire knowledge on how to properly utilize the internet in all its aspects through formal education. This will be beneficial as well, instead of them getting the information directly from the net, because they as well as their parents are not certain that the information the kids are getting from the computer is trustworthy.

I particularly like the part on the Periodic Review Clause, which keeps the bill up to date with all the new technologies available in the market, which the crooks can and will use to do illegal acts that could make the law, without this periodic review, obsolete, and leave these crooks free from any liabilities at the expense of the innocents.

I have noticed some of the provisions under Cybercrimes to be a little stringent, ambiguous and inconsistent with the other statements used in the bill, such as the following:

Chapter VII. Cybercrimes and other Prohibited Acts, Section 26. Violation of Data Privacy: Unauthorized access. – It shall be unlawful for any person to intentionally access data, networks, storage media where data is stored, equipment through which networks are run or maintained, the physical plant where the data or network equipment is housed, without authority granted by the Internet service provider, telecommunications entity, or other such person providing Internet or data services having possession or control of the data or network, or to intentionally access intellectual property published on the Internet or on other networks without the consent of the person having ownership, possession, or control of the intellectual property, or without legal grounds, even if access is performed without malice. (Senate bill No.3327/Fifteenth Congress of the Philippines)

My take: what is access all about, as defined here in the bill? Access is the ability and means to communicate with or otherwise interact with a device, computer, system or network, to use resources to handle information, to gain knowledge of the information the device, computer, system, or network contains, or to control device or system components and functions. Access does not, based on the bill’s definition, speak of a particular way to communicate or interact with a device. In my understanding, it’s just the pure and simple way of surfing the internet or getting information, whether it is for educational purposes or for leisure. If this information is indeed not for the public to see, the owner of such should be careful in keeping it from the public’s eyes. Meaning, the owner should prove first that he made all the necessary technical approaches to hide this. Because if the data can readily be accessed on the internet without any password or any security system to conceal it, intentional access of it should not be illegal, for whatever purpose any individual, in good faith, accessed it for. It should only be illegal if the access is done through hacking.

Chapter VII. Cybercrimes and Other Prohibited Acts, Section 24 on Network Sabotage: Direct network sabotage – It shall be unlawful for any person to cause the stoppage or degradation of Internet or network operations of another person, through electronic means, through physical destruction of devices, equipment, physical plant, or telecommunications cables including cable TV transmission lines and other transmission media, or through other means, except if the stoppage or degradation has been done in the normal course of work or business by a person authorized to stop, modify, or otherwise control network operations of the other person. (Senate bill No.3327/Fifteenth Congress of the Philippines)

My Take: I don’t think that this act should be criminalized, per se, especially if the person who caused the stoppage never intended to do the same. I can’t think of any way of how an unintentional stoppage can be done (I’m not the techy type), but supposing this was done by an unsuspecting person who is just surfing the net, trying different things, clicking here and there, and then boom!!! It happened! There was stoppage, degradation of Internet or network operations of another person, through electronic means, and so on and so forth… There was no intention on the part of the person to cause direct network stoppage. But just because of his curiosity on the internet, direct network sabotage happened. Although of course this person can still be civilly liable.

My Take: Although this subsection, I think, can still be revised, like inserting the word “intentionally” (It shall be unlawful for any person to “intentionally” cause the stoppage or degradation of Internet…). Because the word intentionally would also mean that the person who caused the direct network stoppage has his reasons why he did such a thing, and it is usually in bad faith. I think it’s just proper to insert a qualification to know which act is punishable and which is not. Otherwise, this section referring to direct network sabotage may cause hindrance to people, especially those not well versed in the internet, making them even more afraid of touching a key as they may think they will cause direct network sabotage, punished with imprisonment of prision correccional or a fine of not more than P500,000.00 or both. This may also be a reason for an increase in the number of persons still illiterate on the Internet.

Chapter VII. Cybercrimes and Other Prohibited Acts, Section 25 on Failure to Provide Reasonable Security for Data and Networks: Failure to provide security – It shall be unlawful for any Internet service provider, telecommunications entity, or other such person providing Internet or data services to intentionally or unintentionally fail to provide appropriate levels of security for data, networks, storage media where data is stored, equipment through which networks are run or maintained, or the physical plant where the data or network equipment is housed. (Senate bill No.3327/Fifteenth Congress of the Philippines)

My Take: I am unable to comprehend what is really punishable in this because the subsection, which intends to apply appropriate levels of security to data, did not state the kind of data and whom such data belongs to. Is it the data of the end-user? If that is the case, should an end-user’s aim be to protect some information, is it not in the end-user’s hands to protect such data? But if the data that this subsection is referring to is the data of their end-user which the latter offered under the agreement that such information will not be offered to other persons natural or juridical, I suppose it is punishable.

All in all, I can say that the bill has high potential and, once enacted, could last for a long time. I say so because of this particular part of this bill that really got my attention. It is the Periodic Review Clause. This review will indeed pave the way to new additions for the improvement of the law (should this bill be enacted). This would really make this law (again should this bill be enacted) keep pace with the technological advancements and other changes. As we all know, new technology now will only last for a few months or even weeks. As the technology quickly changes, crooked thoughts of the criminal minds also rapidly change by planning again just to make sure they will accomplish whatever perverse acts they want to perform at the expense of other innocent victims.

Although it is very strict, I suppose it is just the right time that the use of the internet is given some limitations. Anyway, freedom does not mean that you are free to do all things without taking into consideration the effects it can have on those surrounding you. Freedom has its limitations. And these limitations with regard to internet usage are drawn here in this bill.

Another significant portion of this bill is that it tried to create new kinds of punishable acts based on current acts, statutes and/or other special laws, such as some crimes in the Revised Penal Code, Child Prostitution, and Child Trafficking, to name a few. The bill created punishable acts by just adding an additional element to current laws. This element is that the act is done by using devices, equipment or physical plants connected to the Internet or telecommunications network. In other words, with the nonstop development of the technology of today, crimes may now be done through the use of the internet.

Yes is the answer as to the question on whether this bill will indeed give internet freedom for the Filipinos. Yes this bill is better than the Data Privacy Act of 2012 or even the Cybercrime Prevention Act of 2012. Not that I am saying that the current laws are ineffective. The bill just needs a little adjustment for it to be perfect. But this bill is definitely the improved version.
