By: Mildred F. Ople, Tech and the Law, First Semester | S.Y. 2013-2014

In this era dominated by information and communication technology, access to information is one of the gateways to gain control to various opportunities on data manipulation. For the right price or with good connections, private information disclosed in confidence to companies or government offices can be made available to or accessed by interested parties. Thus, privacy in personal data has become illusory[1]

Simply put, information is equivalent to power.

How does the government then protect its people from abuses made by persons possessing this power? Is there a statute that concretizes his constitutional right to privacy? How does an individual protect his right to privacy? When does an individual know that his right to privacy is being violated? Would the act of unauthorized disclosure of personal information constitute violation of a person’s right to privacy? This article hopes to shed light to these questions and to shape individual’s appreciation of the recent statute pertaining to data privacy.

It is basic in political law that the government plays a vital role in ensuring that the rights of individual guaranteed by the Constitution are protected. It will exercise its inherent powers whenever necessary as when somebody crosses the line defining the boundary of individuals exercising and enjoying their rights guaranteed by the Constitution as the fundamental law of the land and from which all laws must emanate. Through legislative enactments, implementation of the executive department and the interpretation of the judiciary on actual controversy arising from the statute, the state is able to do a balancing act – avoiding the clash of rights.

Before the birth of R.A. 10173

Prior to the promulgation of the Act, there was no Philippine law dealing specifically with personal data privacy. While the Philippine Constitution and jurisprudence recognize and protect a person’s right to privacy, they deal with the protection of personal information in only a general manner. Article III, Section 3 of the Philippine Constitution provides that:

(1)   “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”

There were provisions found across several statutes, such as the Civil Code, the Revised Penal Code, the Anti-Wire Tapping Law, and the Electronic Commerce Act, dealing with the right of privacy of an individual. Noteworthy though that these provisions do not squarely address the issue of data privacy and so are inadequate, and, in some instances, inapplicable, in addressing the issue of personal data privacy. Notwithstanding these provisions, there was no government agency overseeing the protection of personal data.[2]

Guidelines issued by the Department of Trade and Industry (DTI) in connection with the Electronic Commerce Act concerning the protection of personal data in information and communications systems in the private sector (the DTI Guidelines) are the closest thing the Philippines had to a data privacy rule prior to the Act which is at the center of the discussion in this article. The DTI Guidelines followed the basic principles of personal data processing laid down in the European Union’s Data Protection Directive (95/46/EC) including but not limited to legitimate purpose, transparency, and proportionality. [3]

These DTI Guidelines did not provide for any penalties for violations, thus, were generally considered to have no teeth. The DTI Guidelines did not cover personal data in the public sector and is limited in scope.

Why R.A. 10173?

According to Senator Edgardo Angara, the main author of the law in Senate, Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 is only one of the triumvirates of measures needed to usher in an Information Technology revolution in the country.  The other two forming the triumvirates are the recently enacted Cybercrime Prevention Act and the creation of the Department of Information and Communications Technology (DICT).

The Cybercrime Prevention Act was enacted as a legal framework for the detection, apprehension, and prosecution of such Internet-related crimes as hacking, identity theft, phishing, spamming and child pornography. The creation of the DICT on the other hand, allows government to efficiently allocate human and financial resources necessary for the integration of ICT in the more efficient delivery of social services. As of this writing, only the Commission on Information and Communications Technology has been the closest creation of the government in lieu of the DICT.

Flipping the pages of history backwards, the Act is the Philippines’ first data privacy law. The stimuli came from the strong clamour on data protection policy of the booming IT-BPO industry. The Act intended to protect the integrity and security of personal data in both the private and public sectors.

RA 10173 is based on Regulation (EC) No 45/2001 of the European Parliament and of the Council adapted on 18 December 2000 which provides for the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. It likewise protects the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data and shall neither restrict nor prohibit the free flow of personal data between themselves or to recipients.

In an article published by the Philippine Information Agency website, Louis Casambre, Executive Director of the Information and Communications Technology Office (ICTO), said the approved bill is a keystone for economic development through ICT and ICT-enabled industries. “The passage of the bill into law is an unequivocal sign that the country is taking the necessary actions to become a functioning knowledge-based, ICT-driven economy, thus, all public and private enterprises are now mandated to safeguard the confidentiality and integrity of personal information collected in the course of their operations,” said Angara, Chair of the Science and Technology Committee in the Senate.

It is expected that because of the passage of the law, it will not only boost the confidence of potential investors in the country’s IT-BPO industry, but also the trust of ordinary citizens in e-government initiatives.[4]

Finally, the enactment of the law seeks to bring the Philippines’ data protection policies and measures on par with the international standards of data privacy protection. Government and business leaders also believe that the implementation of the law will help maintain the competitiveness of the Philippines and boost investments in its information technology-business process outsourcing (IT-BPO) sector and support healthy information and communications technology (ICT) industry.[5]

President Benigno Aquino III signed the Data Privacy Act on August 15, 2012, was uploaded on the same day in the Official Gazette and became effective as a law after 15 days.


The Data Privacy Act In a Nutshell

The Act, as the first statute that concretizes the constitutional right to privacy provides for ways on how an individual protect his right to privacy especially of his sensitive personal information, pertinent provisions as to when his right to privacy is being violated and the corresponding penalty for each violation.

In its declaration of policy (Section 2, RA 10173), the law states that, although the free flow of information promotes innovation and growth, it is essential that personal information in the government’s and private sector’s information and communications systems are secured and protected.

The following are the salient features of the act relevant to the issue being discussed in this article:

1. It applies to processing of personal information (Section 3.G) and sensitive personal information (Section 3.L). As used in this act, personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. On the other hand, sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

2. Sections 12 and 13 gave parameters on when and on what premise can data processing of personal information be allowed. Its basic premise is when a data subject has given direct consent. Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority which necessarily includes the processing of personal data for the fulfilment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

3. Sections 20 and 21 states that personal information controllers must ensure security measures are in place to protect the personal information they process and be compliant with the requirements of this law. (Section 20 and 21)

4. The Act provides for the list of prohibited acts and the corresponding penalties (up to five million as per Section 33) for the violation thereof on the processing of personal information and sensitive personal information based on the following acts:

a. Unauthorized processing under Section 25

b. Negligence under Section 26

c. Improper disposal under Section 27

d. Unauthorized purposes under Section 28

e. Unauthorized access or intentional breach Section 29

f. Concealment of security breaches under Section 30

g. Malicious disclosure under Section 31

h. Unauthorized disclosure under Section 32[6]

5. Section 4 provides for the coverage of the act which is the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

6. Section 22 highlights the provision when malicious disclosure and unauthorized disclosure will not apply which is the processing of personal information used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.


The case at bar

Apart from the questions raised at the beginning of this article, the sole issue that this article intends to shed light to is, would the act of giving another person’s number without his consent a violation of the Data Privacy Act of 2012? To succinctly discuss the qualified answer, the salient points of the law and the rationale behind its birthing process was first highlighted including but not limited to the prohibited acts and their corresponding penalties, the coverage of the act and the non-applicability of the provisions.

In any statute mala prohibita, the first question to be determined is “does the act or subject matter of the controversy one of the prohibited acts that the law seeks to penalize?” Clearly from the provisions of the law discussed above, processing of personal information when done lawfully as provided in Sections 12 and 13 are not prohibited. The law emphasized the importance of the data subject’s consent as one of the criteria for lawful processing of personal information except when the processing of personal information was gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject or when the processing of personal information is for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject.

In the case at hand, consent of the data subject is lacking. Applying the above provisions, if the processing of his personal information (in this case, giving his number to another person) is not for any of the purpose enumerated above when consent is not necessary, then the act becomes unlawful.

Expressly provided under Section 31 that the processing of personal information if done with malice or in bad faith as when a person discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her to another is punishable as malicious disclosure. It is likewise unlawful under Section 32 when any personal information controller or personal information processor or any of its officials, employees or agents, discloses to a third party personal information or sensitive personal information without the consent of the data subject.

The next consideration would be the presence of the elements of the crime that would amount to the violation of the law. Under Sections 31 and 32, it can be inferred that the requirements would be the act of disclosure without the consent of the data subject or the act of disclosure done with malice or in bad faith. However, absent the implementing rules and regulations of the act it would be difficult to determine indispensable requirements of the law for an act to constitute a violation thereof.

Challenges of RA 10173

While the law was meant to protect personal information and sensitive personal information being handled by business process outsourcing companies, the law was worded so vaguely that it could apply to almost everyone.

Another challenge is the implementation of the law considering that it is already close to one year since the law was passed, yet, no National Privacy Commission was created and neither the Implementing Rules and Regulations (IRR) was crafted.

Our society is being shape everyday by the fast flow and processing of different types of information. The decisions we make in gathering and processing of this data holds the promise of an ICT-driven economy. Still, behind these data are real people, real organizations, and real concerns, so we need to reconcile the competing goals of free information flow and individual privacy.[7]

While we’re yet to see the fruition of this act when the National Privacy Commission and the IRR will come to life, every citizen must know how to protect his/her own personal data and at the same time know how to properly manage data that relates to others.

[1] Data Privacy Act of 2012 by Raul J. Palabrica, Philippine Daily Inquirer, August 31, 2012

[2] ANALYSIS: The Philippines’ Data Privacy Act Of 2012 by Laxmi Rosell and Sheilah Marie Tomarong-Cañabano, of Quisumbing Torres, Manila, a member firm of Baker & McKenzie International, September 14, 2012

 [3] Ibid

[4] Christine Joy Sarmiento, Data privacy act signed into law, described as keystone for ICT sector, Philippine Information Agency website

[5] ANALYSIS: The Philippines’ Data Privacy Act Of 2012,  Laxmi Rosell and Sheilah Marie Tomarong-Cañabano, of Quisumbing Torres, Manila, a member firm of Baker & McKenzie International, September 14, 2012

[6] Janette Toral, Digital, December 17, 2012

[7] Harriet Pearson, VP Security Counsel & Chief Privacy Officer at IBM