Republic Act No. 10173- “Data Privacy Act of 2012”
“The Arc and the Preliminary”
Information and communication technology (ICT) age is gearing towards its highpoint, and same goes with the human activities that we normally do physically that can now be possibly done through the use of such technology. Moreover, in this day and age, internet has paved a different way on how to do things. You can greet your friend a “Happy Birthday” in what we call social media. You can conduct meetings with persons who are geographically distant from you through the use of video-conferencing. You can also use the internet to buy and sell a product that you so desire because even the weirdest buys and sells are most probably in the internet. Internet truly has changed how we do things. On the other hand, ICT paves way in order that business may streamline their processes through the use system connectivity through the use of simple network sharing from Local Area Network (LAN) to Wide Area Network(WAN), Enterprise Resource Planning (ERP), accounting systems and the likes.
It must be borne in mind then that as we use ICT and internet we exercise our so called human rights coupled with the obligations attached to such exercise. We interact through them. From this interaction we create a community. It is essential then that the same must be governed by governments of each State or country. They must then legislate and enforce laws and statutes in order to assure that interaction in the said community is protected and regulated. In the Philippines, one of the laws enacted is Republic Act No. 10173 or “Data Privacy Act of 2012”.
Data Privacy Act of 2012 is a law enacted on July 25, 2011 by the Philippine government with the aim, aptly stated in its title- protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a national privacy commission, and for other purposes.
Section 4 of the same act provides for the scope to which the law is applicable, to wit:
“This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 [Protection Afforded to Journalists and Their Sources] are complied with.
This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.”
The provision of the law, as above enumerated, provides for a wide-ranging scope and exemption. Since the law is one of the recent promulgation of our government it has yet to withstand the test of the changing tides and weather.
In an amplified view, let us take a look at Section 4(d) of RA No. 10173. Now for instance, you happen to have a great love for traveling locally and abroad. You will then check the internet if there are “cheap” fares, hotel bookings, travel guides and tours. For first timers, these tasks will surely entail a lot of time and effort, more so that it entails much time surfing the internet. In this event, you would type in same search subjects in the internet over and over again, so much so, that your web search engine will now auto-populate the said search subjects. The web search engines like Google and Yahoo maintain a database of your searches and use them in order that they may customize how you view the web pages according to your search patterns. This case is one of the types of internet spying.
Internet spying as defined by Senator Bernie Sanders of United States Congress is “gathering metadata on calls made from official or personal phones, content from websites visited or e-mails sent, or collecting any other data from a third party not made available to the general public in the regular course of business.” 1
Internet spying is a mechanism done by either a private or a juridical person or organization that has a capability of monitoring, analysing and recording your internal browsing patterns. The websites that we are browsing has the so called “cookies”. These are data stored in your computer which contains information about your browsing patterns. British Broadcasting Corporation (BBC) in its online article defines cookies as simple ’text files’ which you can read using the Notebook program on your own personal computer (PC). They contain two pieces of information: a site name and unique user ID.2
Section 4(d) of the same Act provides that the law is not applicable to personal information processed for journalistic, artistic, literary or research purposes research purposes. Your data is your property right, the same right is guaranteed by the 1987 Philippine Constitution. Isn’t it that by having a cookie send-out information about your browsing pattern to sites a violation of the said right? You own such data, no one or no “thing” (such as cookies) shall have access to the same without your consent. The Data Privacy Act of 2012, by providing such provision, does not necessarily provide for protection to your right. The framers of the statute seem not to recognize the mentioned perplexity. And to intensify the need for modification or elaboration on the said law, the said tailor-fitting of websites affect your freedom of communication. Since the said cookie provides your browsing pattern to websites, is it not that such cookies are influencing your mind frame as to what to browse? Isn’t it that while we browse on our web search engines, when we type our search subject, the former auto-populates search data according to your search pattern? You only have control over the exercise of your freedom of communication once you choose which site to click onto, not when you type-in your search subject. Then, isn’t it that the right to exercise freedom, freedom of communication for that matter, stems from the initial step of the communication which is the cognitive stage (on what search subject is to type) up to the clicking of websites you are to choose.
What is freedom then if you are to exercise only a portion of it? Such exercise then is not freedom. What does Data Privacy Act of 2012 seeks to protect then? The Act has provided for penalties for any violation provided stated therein. But isn’t it that what is necessary is the regulation of use of personal information or data, and not to redress a wrongful act punishable by law, in order that we as citizens be able to enjoy the exercise of rights granted by our own Constitution?
In contrast to what has been cited above, let us expand the topic and now take a closer look at another case of internet spying was a news headliner half-a-year ago. News circulated that the government of United States of America is spying on its citizens. This information was an offshoot of the leakage of confidential National Security Agency (NSA) documents by Edward Snowden, a former CIA employee and NSA contractor, about the conduct of surveillance on Americans’ phones and internet behavior for the of national security.
National Journal (NJ) says in its website that “President Obama pushed Congress to enact cybersecurity legislation, and when it didn’t, he issued his own executive order in 2013.” The same news organization furthers that, “But critics argue that the National Security Agency has actually undermined cybersecurity and made the United States more vulnerable to hackers. At its core, the problem is the NSA’s dual mission. On one hand, the agency is tasked with securing U.S. networks and information.” 4
For a developing country like the Philippines, we cannot expect at the soonest time that we will be able to have a security agency as well-equipped and with highly trained agents in the field of information technology as NSA. But, it is a thought that the Philippine Government is now commencing on plans to do so in order to adopt to technology changes, and in the same vein uphold national security. It might be then, that our government may practice ways to obtain personal data from its citizens sans their consent as what had happened in the Snowden revelation.
Citizens in this instance will now be covered by RA No.10173 being the Data subject. As defined therein, Data subject refers to an individual whose personal information is processed. Section 16 of the Data Privacy Act provides the Rights of the Data Subject, to wit;
(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.
Part b of the above-cited provision provides that the data subjects should be provided with the information that personal information pertaining to him or her shall be, are being or have been processed and purposes for which they are being or are to be processed [personal information]. It may seem that the enumeration under Section 16 of the Data Privacy Act is likely to be a difficult requisite for the Philippine Government, since such provision would run counter with the purpose of upholding national security as the same is impressed with confidentiality. Will the government then be penalized should there be any violation to its citizens’ rights in conjunction to such act on upholding national security?
The Data Privacy Act provides for provisions regarding the imposition of penalties should there be any violation of the said Act. Section 25 of the Data Privacy Act provides for the penalty for unauthorized access of personal information and sensitive personal information. Moreover, the same Act provides for penalty for any malicious disclosure of personal information under Section 31. However, it would seem that the Data Privacy Act has not provided for any extensive discussion for instances of internet spying, more so when the same entails national security.
As citizens of the Philippines, what we need to do now is wait. We await the legislative to enact a supplementary statute to fine-tune the provisions of data Privacy Act. We await the executive branch to promulgate implementing rules and regulations in order that there be an effective enforcement of the law. We await for an actual legal controversy to arise in order that the Supreme Court may rule on the matter. What does matter now, as an adage goes, is that “the seed is sown …”