With the evolving technology world that we face today, there have been corresponding benefits and consequences of these interconnecting websites and all sorts of communication to each individual who make use of it. On the same phase, a greater responsibility attaches to the government and private sector stockholders and institutions on holding personal information of data subjects.
In “The Right to Privacy,” Louis Brandeis and Samuel Warren defined protection of the private realm as the foundation of individual freedom in the modern age. 1 The term privacy is very broad in the legal context of the Philippines. In general, when we speak of privacy, we relate it to tangible things such as our properties, and this privacy we speak of is embodied in Section 2 Article III (Bill of Rights) of the 1987 Constitution. Also, same Article of the Constitution enshrines other provisions relating to Right to Privacy such as:
Sec. 1. No person shall be deprived of life, liberty and property without due process of law, nor shall any person be denied the equal protection of laws;
Sec. 6. The liberty of abode and changing of the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law;
Sec. 17. No person shall be compelled to be a witness against himself.
To strengthen the protection of right to privacy, the Revised Penal Code penalizes the following acts which are violations of privacy of a person:
Art. 229. Revelation of secrets by an officer – Any public officer who shall reveal any secret known to him by reason of his official capacity, or shall wrongfully deliver papers or copies of papers of which he may have charge and which should not be published;
Art. 230. Public officer revealing secrets of private individual – Any public officer to whom the secrets of any private individual shall become known by reason of his office who shall reveal such secrets;
Art. 290. Discovering secrets through seizure of correspondence – Any private individual who, in order to discover secrets of another, shall seize his papers or letters and reveal the contents thereof;
Art. 291. Revealing secrets with abuse of office – Any manager, employee or servant who, in such capacity, shall learn the secrets of his principal or master and shall reveal such secrets; and
Art 292. Revelation of industrial secrets – Person in charge, employee, or workman of any manufacturing or industrial establishment who, to the prejudice of the owner thereof, shall reveal the secrets of the industry of the latter.
In addition, Article 26 of the New Civil Code states that: Every person shall respect the dignity, personality, privacy and peace of mind of his neighbour and other persons.
With the interchanging era that we have, and with all sorts of new technology for communication and information dissemination, access may be had with personal information. And if this access will not be regulated, it can lead to intrusion of privacy through transfer of such information from one entity to another. Therefore, we must also protect intangible things particularly personal information and sensitive personal information.
The signing in to law of the RA 10173 or otherwise known as Data Privacy Act of 2012 by President Benigno Aquino III has posted some queries on how to implement it in detail awaiting the issuance of its Implementing Rules and Regulations to be issued by the National Privacy Commission. Upon reading and understanding this particular law, we come to explore on some of its provisions and try to consider gray areas of this statute for clarification and mitigate future obscurities as to its understanding and interpretation.
As stated in this particular law, it is the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.2
The fundamental human right of privacy of communication is embodied in Section 3 Article III of the 1987 Constitution and states: “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law”. This communication shall pertain to cover letters, messages, telephone calls, telegrams and the like which pertain or relate to data or information of subject matters and individuals.
Transfer of Information
To start with, the lawful collection of information whether personal information or sensitive personal information must always comply with the acquisition of consent which is defined under Section 3 (b) of Data Privacy Act. “Consent of data subject refers to any freely given specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.”
In this connection, the fulfilment of the state policy without disregarding the important requirement to obtain consent3 lies upon the Personal Information Controller who is defined to be a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.4 If this personal information controller acquires information from a data subject without the data subject knowing that consent is needed, the personal information controller could always exercise its discretion in obtaining any information it wishes. It is always the personal information controller who must inform the data subject of its right to give his consent as to the information to be obtained. In some cases, an implied consent may be availed of from the data subject when the circumstances so warrant.
The question now arises, how then can one company, who is considered as personal information controller, who has acquired information from its employees where such information has been entered into its data base, transfer to another company such information without violating this Law? Does the consent given by the data subject to the first company equivalent to the consent that such information may be further transferred to another company? For example, If Security Agency A has obtained personal information or sensitive personal information from its employee X, a security guard, can he further provide the same information to Company B, who has contracted the services of Security Agency A, without the consent of X. Would this not be a violation of Data privacy of X who is an employee of A and has only given such information for purposes of employment? Is this a violation of the Data Privacy Law?
This is a crucial provision of the statute which must be attended to because Section 32 of the same law implies a penalty for Unauthorized Disclosure which is defined as the disclosure to a third party personal information without the consent of the data subject.
Now comes the issue of the Personal Information Processor who is defined to be a person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. This must be further explained in the IRR and the qualifications that it pertains to must be elaborated so as not to make it too broad for anyone to become a personal information processor.
Section 4 of RA 10173 provides for the scope for the application of this statute. And it further provides what that: This act does not apply to the following: (d) Personal Information processed for journalistic, artistic, literary or research purposes. Does this really mean that if the personal information obtained from data subjects, the provisions of Data Privacy Law does not apply, therefore there is no confidentiality as to such information?
This section must be further explained. The word “research” has a two way meaning as how the law was written. 1. Research, as a careful study that is done to find and report new knowledge about something; 2. Research, as the activity of getting information about a subject.5
If we consider the context of “research” in the first definition, this appears to be contrary to most research guidelines available in various sectors such as in the medical field. World Health Organization6 itself issued guidelines which should be followed in order for a research be acknowledged as valid. This is backed up by National Ethical Guidelines For Health Research.7 Even the Code of Ethics for Philippine Psychologists are being directed to comply to accept as fundamental the Principle of Respect for the Dignity of Persons and People including free and informed consent, as culturally defined and relevant for individuals, families, groups, and communities.8
In general, these guidelines provide that written consent is always preferred, subject to some exceptions which the researcher or anyone who avails information must justify as an exception to written consent. If this is standard in the field of research, how come Data Privacy Act, Sec 4 (d) in particular, cites information for research purposes as one of the aspects not covered by the law? Is this not a blunt violation of one’s privacy?
Personal Information Controller
As defined in Section 3(h), Personal Information Controller refers to a person or organization who controls the collection, holding, processing or use of personal information…” With this, we now see the significance of a personal information controller, that it has control over the processing of personal information. Say if, A applies for a job in one company, such company automatically becomes a personal information controller upon the submission by the applicant his/her resume with all the information set forth in such. Upon interview, the company then asks further question even questions which are Sensitive Personal Information which the applicant would not hesitate to answer. On this instance, how can we assure confidentiality of personal information or sensitive personal information if all employers whether person or group or organization or company automatically becomes a personal information controller.
Next, can a personal information controller release information to employers who ask for background check. Up to what extend can the disclosure of information be? Who determines the purpose for such disclosure? Say X is applying as a Secretary in Office A. Can Office A, for purposes of verification, at any time, ask the Health Department of any details as to X’s history of illness and laboratory results? Office A could always pose as a defense that it is for medical purposes where Health department would find is valid reason and subsequently releases. However, these pieces of information are not so necessary for a job description of a Secretary in an Office. There must be a limit as to what information is needed for such purpose.
On the other side of the coin, one exclusion for this term in the light of Data Privacy Act is Sec 3 (h) (2) which provides “An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.” With this exclusion, we then now conclude that information obtained by a person in his personal capacity or family or household affairs and subsequently divulge it to an entity for business purposes does not make him a personal information controller, therefore has no liability under this law. If this were the right interpretation, what relief can be given to innocent data subject whose information was not kept in confidentiality and in the end may have been damaged due to such act of breach by another person?
Section 6 of this statute provides that this act applies to an act done or practice engaged in and outside of the Philippines if: (c) The entity has other links in the Philippines.
There seems to be a problem in this situation. The Philippines is considered a top destination for business process outsourcing industry.9General reservations agents, for example, working for an International Call Center company based in the Philippines who accept calls from foreigners in other countries and accept information regarding their certain transaction such as hotel reservations, would not be bound by such data privacy act. This outsourcing seems to be an exception to the general rule of extraterritoriality of Data Privacy Act. In this outsourcing service, the information entered into the company system based in the Philippines is stored in the foreign company’s data base regardless of the nationality of the customer from which information was acquired. The question however, is that, are these privacy provisions are based on the nationality of the company, nationality of the customer or of the agent?
If Call Center A is of US origin, customer B is of European nationality, there seems to be a conflict as to how to deal with the information’s confidentiality. Worse, the agents who acquire such information are Filipinos, who are of different jurisdictions. Who then has control over the information? Does the customer with different nationality as that of the agent and that of the call center has the right to claim Privacy Acts or Laws of his country of jurisdiction? Is the Data Privacy Law specifically Sec 6 (c) been violated?
Another crucial scenario is, when it comes to online entry of personal information and sensitive personal information in the internet through various websites, domestic or international. Say, if X enters his personal information through an online merchandising website in the United Kingdom to avail of a product, can the Philippines somehow protect the data privacy of our Filipino men? The answer must be in the affirmative because this is a case of extraterritorial jurisdiction. The question however remains. How are we protected if the personal information controller in this case is a foreign website but information entered are that of our national. We have different laws and somehow with different ways and means to protect one’s privacy. Information may be accessed openly for one country, but not with the other.
All kinds of organization or company have an indispensable way of collecting information whether from employees, customers, clients and other transactions. Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting obligations to a multinational enterprise.10
The National Privacy Commission
Section 7 provides for the functions of the National Privacy Commission and one of which is: (n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection.
Is the pacing of Philippine technology somehow adapts to international standard? Is there an international standard or guideline as to the protection of personal information? We have to consider that each and every country has different Privacy Laws for the protection of the information of their own nationals. There is no treaty to which the Philippines is a signatory for which we can adopt standard protection for personal data. Now the next question, can we give foreigners and our people that equal treatment when it comes to data privacy in its utmost protection while respecting the data privacy system that the foreign country has as regards to such foreigner?
This topic is still related to the extraterritoriality provision of this particular statute. How then can we reconcile both provisions?
Subcontract of Personal Information
Section 14 of this statute provides that a personal information controller may subcontract the processing of personal information. First question is: What is subcontracting in the concept of Data Privacy Act? This is better understood if it would be further explained in the IRR to be issued. Second: What is the coverage of subcontracting of personal information controller to personal information processor for transfer of information? Does it include all information disclosed by the data subject including Sensitive Personal Information which is not necessary for the purposes of the third party? This is a problem in the sense that, if this were permitted and there would be no specific coverage for subcontracting, the network of individuals who are only supposed to have knowledge of these personal information or sensitive personal information would be limitless. With this, the purpose of the law would be belittled because of the spawning of information through subcontracting which in the first place should have been confined and kept confidential.
If personal information controller has the right to subcontract and transfer data to personal information processor, do the data subjects have the same rights as provided in Sec 16 of the statute? If yes, then they must be properly informed of such transfer and for what purposes it has. This then brings us back to the need to obtain the consent of the data subject and include these possible processes as part of what they are consenting to.
For example, Company A employs 200 applicants then acquiring personal information and some sensitive personal information. Company A, having complex operations, now subcontracts a group individuals with specialized skills in organizing information for the company. Now, there are more than the company personnel that has knowledge regarding such information. The dilemma in this case is that more people with knowledge regarding a specific information may be crucial than only a few persons. The more the people who have knowledge, the higher the risk of breach of confidentiality.
Section 12 provides for the Criteria for Lawful Processing of Personal Information. The processing of personal information shall be permitted only if not prohibited by law and at least one: (f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
The only question in this provision is the coverage of third parties. There must be a specific requirement or qualification of who these third parties are because they are to hold such information that are confidential to data subjects. If this is as broad as it seems to be, then anyone or any entity whether or not with a facade lawful purpose may be a third party and can access such confidential data. This is an indirect violation of Data Privacy Law.
The issue to be balanced is this provision is the right of the data subjects to be informed of the process of their personal information and the right of the personal information controller to control such process as against the right of the people to information on matters of public concern and access to research data used as basis for policy development, as embodied in the Bill of Rights of the Constitution, Section 7.
Personal Information as defined in Sec 3(g) of this law only covers pieces of information from which identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
One issue is the collection of data from different sources in order to come up with a summary of information for purposes of writing an article. This would obviously be gathering of personal information. Apparently, Sec 4 (d) connotes this situation as an exception to the scope of applying Data Privacy Act, to cite: “Personal information processed for journalistic, artistic, literary or research purposes”. Are those data gathered by a person from different sources equivalent to information that should fall under this act? We should note that this kind of situation is a breach of one’s privacy as an individual. How can we reconcile this? What, again, are the reliefs of this innocent data subject?
Second, in the definition of personal information from which identity of an individual is apparent, it is then understood that cell phone numbers are not considered information which are personal to a data subject because generally speaking, the mere number does not identify the data subject. SIM (subscriber identity modules) card used in mobile phones are not registered in the Philippines.11 However, a problem arises when it this is not considered confidential, such as when a third person who somehow acquired information from a personal information controller has unlawful interest on the data subject openly accesses the cell phone number and consummates an unlawful desire using such number which could lead to criminal offenses like threatening and extortion. This is not far from impossible since it is not confidential enough to be protected by this law. There may be unrecorded cases of this kind of situation, which are unfortunately, not given much attention to because primarily, the access to cell phone numbers is not a violation of any law.
According to Atty. Disini, an expert in Internet Law, “Unfortunately, despite its high occurrence, there have not been any convictions not only because there have been no complaints filed but also because of the difficulty of tracing hackers.”12
Principle of Accountability
Section 21 provides for accountability of the Personal Information Controller even if information of data subjects has been transferred to a third party. A problem arises when information which were subsequently disclosed were used unlawfully. If the personal information controller has lawfully and validly disclosed information to third persons regarding data subjects, it remains to be responsible for the acts of third persons, whether lawful or unlawful. Such responsibility seems to be boundless and unlimited to which it is only to the personal information controller the finger is pointed at in case of unlawful disclosure or breach of confidentiality by other entity. This seems to be a violation due process of law and equal protection clause.
1 The Right to Privacy; Louis Brandeis and Samuel Warren; http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm
2 Sec 2 RA 10173; http://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html
3 Id RA 10173 Sec 12(a)
4 Id RA 10173 Sec 3(h)
5 Merriam Webster Dictionary; http://www.merriam-webster.com/dictionary/research
6 Research Ethics Review Committee, the process of obtaining Informed Consent; http://www.who.int/rpc/research_ethics/Process_seeking_IF_printing.pdf
7 Philippine National Health Research System, National Ethical Guidelines for Health Research 2011; www.pchrd.dost.gov.ph/index.php/component/banners/click/3
8 Code Of Ethics For Philippine Psychologists; Psychological Association Of The Philippines; Scientific And Professional Ethics Committee (2008-2009) Http://Www.Pap.Org.Ph/Includes/View/Default/Uploads/Code_Of_Ethics_Pdf.Pdf
9Philippines still top BPO destination – consulting firm; – Cheryl Arcibal, GMANews.TV; October 4, 2007 10:19am; http://www.gmanetwork.com/news/story/63053/economy/companies/philippines-still-top-bpo-destination-consulting-firm
10 International Compendium of Data Privacy Laws – Baker Hostetler; http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/International-Compendium-of-Data-Privacy-Laws.pdf
11Telcos nix SIM card registration; Lawrence Agcaoili; Philippine Star; http://www.philstar.com/business/2013/10/23/1248215/telcos-nix-sim-card-registration
12 Disini & Disini Law Office; GMA News Interviews Atty. Disini on Internet Law Issues; http://www.disini.ph