GRAY AREAS IN THE DATA PRIVACY ACT OF 2012

The Right To Privacy

“To be let alone”: this phrase was coined by Justice Cooley in 1880[1]. Today, the phrase is widely accepted as the concise definition of the right to privacy. Under Philippine laws, the right to privacy is not limited to being left alone; it likewise includes the right of a person to be free from unwanted and unwarranted governmental interference in matters with which the government is not necessarily concerned[2].

 

In the Philippines, the right to privacy was first recognized in the 1968 ruling of Morfe v. Mutuc where the Court affirmed that: 

 

“The right to privacy as such is accorded recognition independently of its identification with liberty; in itself, it is fully deserving of constitutional protection.”[3]

 

It was also in the case of Morfe v. Mutuc that the significance of the right to privacy was emphasized when the Supreme Court declared that “the right to be let alone is indeed the beginning of all freedom.” The Court expressed that such description of the right hewed very closely to that earlier made by Justice Brandeis in Olmstead v. United States that the right to be let alone was “the most comprehensive of rights and the right most valued by civilized men.”[4]

 

Finding its way in more than a few provisions of the Constitution and statutes, it is safe to say that the State recognizes the right to privacy as one of the vital rights of an individual. The Bill of Rights, enshrined in Article III of the Constitution, provides at least two guarantees that explicitly create zones of privacy. Such guarantees highlight a person’s “right to be let alone” or the “right to determine what, how much, to whom and when information about himself shall be disclosed”[5]. The provisions read as follows:

 

“Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.”

 

“Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”[6]

 

Aside from the Constitution, zones of privacy are also extensively protected under different statutes: Art. 26 of the Civil Code mandates “every person to respect the dignity, personality, privacy and peace of mind of his neighbours and other persons”; the Revised Penal Code defines trespass to one’s dwelling as a felony; the Anti-Wiretapping Law punishes the invasion of privacy; the Intellectual Property Law punishes the unauthorized reproduction of one’s work; and the Bank Secrecy Law prohibits the disclosure to authorities of a client’s personal and account information unless certain conditions apply.

 

Notwithstanding the safeguards set forth by the fundamental law and some statutes, the Supreme Court expressed in the case of Ople vs. Torres that the right to privacy is one of the most threatened rights of man living in a mass society. The threats emanate from various sources – governments, journalists, employers, social scientists, etc.[7] Taking into consideration this predicament on privacy, the law-making body of the State addressed the same by introducing bills and enacting laws which provide for an array of levels of protection of security involving personal information.

 

In 2012, the legislative arm of the government successfully passed into law Republic Act No. 10173 otherwise known as The Data Privacy Act of 2012. Republic Act No. 10173 is an act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a national privacy commission, and for other purposes. The said law aims to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. Further, it recognizes the vital role of information and communications technology and its obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected[8].

 

The Data Privacy Act of 2012

Does the adoption of Republic Act No. 10173 address the security challenges that the right to privacy is faced with? At first glance, the aforementioned law seems to provide a mechanism which best secures personal information from any kind of privacy threat. Nonetheless, a closer observation of some of the provisions of Republic Act No. 10173 may prove that the same was not narrowly drawn to make it absolutely free from abuses or misuse.

 

As a rule, a statute or an act may be said to be vague when it lacks comprehensible standards that “men of common intelligence must necessarily guess at its meaning and differ to its application.”[9] It is repugnant to the Constitution in two respects: (1) it violates due process for failure to accord persons, especially the parties targeted by it, fair notice of the conduct to avoid; and (2) it leaves law enforcers unbridled discretion in carrying out its provisions and becomes an arbitrary flexing of the government muscle.[10]

 

The provisions of the Data Privacy Act of 2012 can have far-reaching consequences on the individual right to privacy. From a legal perspective, I am of the view that the following provisions may give rise to gray areas in the understanding and construction of Republic Act No. 10173:

 

“Sec. 3 (b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.”

 

The question that comes to mind in relation to this provision is that since consent may be evidenced not only by written communications but by electronic and recorded means as well, how can the genuineness or authenticity of such consent be validated? Will a Short Message Service (SMS) indicating an informed will approving the processing of personal information be considered substantial compliance under Sec. 3(b) of Republic Act No. 10173? I believe this question should be specifically addressed by the policy-making body of our government.

 

“Section 3(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”

 

“Section 3 (h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.”

 

“Sec. 3 (j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”

 

The three above-cited provisions persuade me to believe that private communications between individuals may come within the purview of Republic Act No. 10173. Under Sec. 3 (g), personal information is any information recorded from which the identity of an individual may be ascertained by the entity holding the information. Further, under Sec. 3 (h), a personal information controller is any person or organization who controls the collection, holding or processing of personal information. Moreover, processing refers to any operation upon personal information including collection or storage of data. With these definitions, even a class beadle who inputs in his computer his classmates’ email addresses, contact numbers and names can be placed in a situation wherein he may violate the Data Privacy Act of 2012 without him knowing it. For instance, when the semester has ended and the class beadle does not delete from his computer the list of his classmates’ information, this may constitute a violation of RA No. 10173 because the class beadle would be holding or storing such information without a legitimate purpose, hence making him criminally liable under the law.

 

Another provision that calls for clarity is Section 11(a) of Republic Act No. 10173. This section states that:

 

“Personal information must be collected for specified and legitimate purposes determined and declared before or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.”

 

It may be inferred from the above-quoted provision that the collection of personal information may be conducted either before or after the purpose for such collection has been determined by the personal information controller. My concern in this provision is that the framers of the Data Privacy Act of 2012 allow for the collection of personal information even before the determination of the legitimate and specific purpose for which the personal information is to be processed or used, as long as such information is later processed in a way compatible with such declared and specified purpose.

 

Notwithstanding the safeguard provided in Sec. 11 (a), this provision may still give rise to a situation that would provide a pathway for mishandling of personal information, which would inevitably result in the violation of the right to privacy.

 

Interestingly, Sec. 12 of the Data Privacy Act of 2012 also raises an equally important question. According to section 12, the processing of personal information shall be permitted only if: a) the data subject has given his or her consent; or b) when processing of personal information is necessary and is related to the fulfillment of a contract with the data subject; or c) is necessary for compliance with a legal obligation to which the personal information controller is subject; or d) processing is necessary to protect vitally important interests of the data subject, including life and health; or e) processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or f) processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

 

It is not difficult for an ordinary observer like me to conclude from the scenarios enumerated in the immediately preceding paragraph that the personal information of a data subject may be processed even without his or her consent, provided that such processing falls under any of those stated in letters (b) to (f) of section 12. Thus, it is without doubt that notwithstanding the absence of consent, personal information can be processed.

 

Nonetheless, a predicament in the construction of the law may still arise despite the parameters set forth in section 12. For instance, the processing of personal information of a data subject falls under section 12 (b). Under letter b, the data subject’s lack of consent will not bar the processing of the personal information. The question now is: Will the express disagreement of the data subject to the processing of personal information in situations which do not require his or her consent constitute a violation of the Data Privacy Act of 2012? This becomes an issue because an express disagreement is not tantamount to lack of consent.

 

One more provision under the Data Privacy Act of 2012 which I believe is tainted with ambiguity is Sec. 14 in relation to Sec. 3 (b). Sec. 14 provides that:

 

“A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information.”

 

According to Sec. 3 (b), the law mandates personal information controllers to first obtain the consent of the data subject before the former may process the personal information of the latter. It is now safe to say that obtaining the consent of a data subject is a condition precedent for processing. However, in another provision of the Data Privacy Act of 2012, personal information controllers may subcontract the processing of personal information without disclosing to the data subject that his or her personal information is being processed by an entity other than the personal information controller. My question now is: Is there a need to disclose to the data subject that his or her personal information is being processed by an entity other than the personal information controller in order to comply with the consent requirement of Republic Act No. 10173?

 

Furthermore, section 14 is unclear because it suggests that so long as the personal information controller provides for proper safeguards to ensure the confidentiality of personal information processed and prevent its use for unauthorized purposes, it cannot be held liable for violating the data subject’s right to privacy. The gray area comes into play when there has been in fact an unauthorized processing of a data subject’s personal information and the defense and proof of compliance by the personal information controller with section 14 would exonerate him or it from criminal liability.

 

Lastly and significantly, Sec. 16 (d) is another provision under the Data Privacy Act of 2012 that, in my opinion, needs to be constricted in more definite terms. The provision reads:

 

SEC. 16. Rights of the Data Subject. – The data subject is entitled to:

 

“(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;”

 

From the wording of the law, a data subject has the right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. With this statement, I can only surmise that the personal information controller is given the power to exercise discretion in deciding whether or not the call for a correction of an error is vexatious or unreasonable.

 

My first question with respect to the first sentence of Sec. 16 (d) is: Will a vexatious or unreasonable dispute in the inaccuracy or error in the personal information justify the inaction of the personal information controller to immediately correct such information notwithstanding the presence of an error or inaccuracy? The second question is: Will this situation constitute a violation of a right conferred upon a data subject under the Data Privacy Act of 2012?

 

I leave all these questions to the wisdom of the legislative arm of the government.

 

 

Conclusion

 

Over time, advances in information and communications technology have been rapidly and rampantly improving. In the same light, it cannot be denied that information and communications technology are increasingly playing an important role in organizations and in society’s ability to produce, access, adapt and apply information[11]. They are being heralded as the tools for the post-industrial age, and the foundations for a knowledge economy, due to their ability to facilitate the transfer and acquisition of knowledge.[12]

 

Nonetheless, despite the constructive effects of the technological age, one should be cautious enough to realize that along with the high-tech advancements is greater vulnerability to privacy intrusion. Even the Supreme Court is convinced of the undesirable import of technology on the right to privacy. The Court expressed in the case of Ople vs. Torres that given the record-keeping power of the computer… It is timely to take note of the well-worded warning of Klavin Jr., “the disturbing result could be that everyone will live burdened by unreasonable record of his past and his limitations. In a way, the threat is that because of its record-keeping, the society will have lost its benign capacity to forget”.

 

Hence, the law-making body of the State ought to exercise greater responsibility in enacting laws which immensely affect the constitutional right of every individual to be free from unwanted and unwarranted intrusions. The reason for this is enunciated by the Supreme Court in the case of Ople vs. Torres. According to the Court:

 

“The right to privacy was not engraved in our Constitution for flattery”[13]

 

 

[1] The Right to Privacy: Rights and Liberties Under the Law By Richard A. Glenn 2003

[2] Art. III Sec. 2, Philippine Constitution

[3] Morfe vs. Mutuc G.R. No. L-20387 January 31, 1968

[4] G.R. No. 181881

[5] SABIO vs. GORDON, G.R. No. 174340, October 17, 2006, 504 SCRA 704

[6] 1987 Philippine Constitution

[7] GR No. 127685

[8] RA No. 10173

[9] G.R. No. 127685 Vitug, J., separate opinion 

[10] G.R. No. 103956, March 31, 1992, 207 SCRA 712, 719-720

[11] ELECTRONIC JOURNAL OF ACADEMIC AND SPECIAL LIBRARIANSHIP, L. A. Ogunsola, 2005

[12] ELECTRONIC JOURNAL OF ACADEMIC AND SPECIAL LIBRARIANSHIP, L. A. Ogunsola, 2005

[13] Ople vs. Torres G.R. No. 127685 July 23, 1998
