Republic Act No. 10173: Situational Gray Areas

Privacy is a valuable and advanced aspect of personality. Sociologists and psychologists agree that a person has a fundamental need for privacy. An individual therefore has an interest in the protection of his or her privacy.

 

In 1996 Harms JA accepted the following definition of privacy in National Media Ltd and Another vs Jooste: “Privacy is an individual condition of life characterized by exclusion from public and publicity. This condition embraces all those personal facts which the person concerned has determined himself to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private.” [1]

 

The right to privacy is one of the most threatened rights of man living in a mass society. The threats emanates from various sources – governments, journalists, employers, social scientists, etc. [2]

 

A person’s right to privacy entails that such a person should have control over his or her personal information and should be able to conduct his or her personal affairs relatively free from unwanted intrusions.

 

The right to privacy is well-entrenched in the 1987 Constitution, particularly in the Bill of Rights. Pertinent provisions of the Bill of Rights[3] provides:

 

Sec 2. The right of the people to be secure in their persons, houses papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complaint and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.”

 

Sec 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”

 

Prior to the enactment of Data Privacy Act of 2012, there were also other provisions scattered across several statutes, such as the Civil Code, the Revised Penal Code, and some special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposits Act, E-Commerce Act and the Intellectual Property Code.

 

The Civil Code provides that “every person shall respect the dignity, privacy and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another[4] and recognized the privacy of letters and other private communications.[5] Also, an absolutely separate and independent civil action can be filed against a public officer or employee, or any private individual, who directly or indirectly violates the individual’s constitutional rights. [6]

 

On the other hand, the Revised Penal Code makes a crime the revelation of secrets by an officer known to the offending public officer by reason of his official capacity and by delivering wrongfully papers or copies of papers of which he may have charge and which should not be published,[7] and the revelation of trade and industrial secrets.[8]

 

Also, the Law of Secrecy of Bank Deposits or Republic Act 1405[9], as amended, is an Act prohibiting disclosure of or inquiry into, deposits with any banking institutions and providing penalty therefor. Republic Act 8792[10], otherwise known as the Electronic Commerce Act, includes provision on privacy security among others and provides for penalties on computer hacking, introduction of viruses and piracy of copyright works.

 

Similarly, certain provision on privacy can be found in Republic Act 8505[11], An Act Providing Assistance and Protection for Rape Victims. Sec 5 of Republic 8505 provides:

 

“At any stage of the investigation, prosecution and trial of a complaint for rape, the police officer, the prosecutor, the court and its officers, as well as the parties to the complaint shall recognize the right to privacy of the offended party and the accused. Towards this end, the name and personal circumstances of the offended party and/or the accused, or any other information tending to establish their identities, and such circumstances or information on the complaint shall not be disclosed to the public.

 

In like manner, Sec 12 of RA 8369[12], An Act Establishing Family Courts, Granting them Exclusive Original Jurisdiction over Child and Family Cases, states that:

 

“All hearings and conciliation of the child and family cases shall be treated in a manner consistent with the promotion of the child’s and the family’s dignity and worth, and shall respect their privacy at all stages of the proceedings. Records of the cases shall be dealt with utmost confidentiality and the identity of parties shall not be divulged unless necessary and with authority of the judge.”

 

The recognition and protection of the right to privacy as a fundamental human right in the Constitution, as well as in other statutes and special laws provides an indication of its importance.

 

Data Privacy Act of 2012

With the use of electronic computers for storing data, and the proliferation of personal records kept by government, corporations and employers, exacerbated by the adoption of Internet at increasing level over the past years, a greater possibility of disclosure of an individual’s private life has been created. In response to these developments, countries started to develop information protection laws in order to regulate these practices.

 

Republic Act No. 10173, or the Data Privacy Act of 2012 was the first data privacy law adopted by the Philippines. It was approved and signed by President Benigno S. Aquino III on August 15, 2012. It was published on August 24, 2012 in at least two (2) national newspapers of general circulation. It took effect 15 days after its publication, on September 8, 2012. It is an act protecting individual personal information in Information and Communication System in the Government and Private Sector, creating for this purpose a National Privacy Commission and for other purposes. The National Privacy Commission will administer and implement the provisions of this Act and to monitor and ensure compliance of the country with International Standard sets for data protection.[13]

 

The Data Privacy Act of 2012 aims to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. It also aims to ensure that personal information in information in Information and Communication Systems in the government and in the private sector are secured and protected.[14] The Data Privacy Act of 2012 mandates the public and private institutions to protect and preserve the integrity and confidentiality of all personal data that they might gather, in compliance with international data security standards. The intent of the Act is to ensure that the government and private organizations accord personal information an appropriate measure of protection, and also that such information is collected only for appropriate purposes and by appropriate means.

 

Republic Act 10173 explained the scope of the Act in Section 4 thereof:

 

Sec 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

 

This Act does not apply to the following:

(a)    Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

  1. The fact that the individual is or was an officer or employee of the government institution;
  2. The title, business address and office telephone number of the individual;
  3. The classification, salary range and responsibilities of the position held by the individual; and
  4. The name of the individual on a document prepared by the individual in the course of employment with the government

(b)   Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c)    Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d)   Personal information processed for journalistic, artistic, literary or research purposes;

(e)    Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6425, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA)

(f)    Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9520, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g)   Personal information originally collected from residents of foreign jurisdiction in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

 

Application to Everyday Life

 

There are many reasons why individuals disclose information about themselves and allow organizations to keep personal information about them. Sometimes it is because they are required to do so by law or because it is necessary to avail of a particular product or service, which is made conditional upon the giving of that information, such as when they are applying for a credit card or a government benefit. At other times, it is because they are providing it for a particular purpose such as when they enter a competition, or visit a doctor for health check up or when availing insurance policies. As far as the state is concerned, individuals are required by statute to provide certain information.  When people provide information in one context, they often do not realize that this information may ultimately be used for other purposes as well. And this is where the State will come into the picture of securing and protecting all personal information that where disclosed.

 

Data protection is an aspect of safeguarding a person’s right to privacy. It provides for the legal protection of a person in instances where said person’s personal information is being processed by another person or institution. Processing[15] of information is defined under the Data Privacy Act of 2012 as “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking ,erasure or destruction of data.”

 

The question whether the processing of information of an individual infringes the right to privacy of that individual is factual and will be determined on a case to case basis. For one, the privacy of an individual may be breached by the mere act of collection and storing of personal information such as when consent of the data subject was not obtained or when the purpose for collection was not specified and/or when it is for illegitimate purposes. Privacy of an individual may also be infringed by the use and communication of personal information which amount to a disclosure of privacy. Privacy may also be breached through improper disposal which can be illustrated from compact discs of USB flash drives of personal data being left in a public place to contact details being thrown in waste bins. In line with this, Sections 25 to 33 of Chapter VIII of the Data Privacy Act of 2012 provides for the penalties for the following acts:

  1. Unauthorized Processing of Personal Information and Sensitive Personal Information.
  2. Accessing Personal Information and Sensitive Personal Information Due to Negligence
  3. Improper Disposal of Personal Information and Sensitive Personal Information
  4. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes
  5. Unauthorized Access or Intentional Breach
  6. Concealment of Security Breaches Involving Sensitive Personal Information
  7. Malicious Disclosure
  8. Unauthorized Disclosure
  9. Combination or Series of Acts

 

In connection with the punishable acts pertaining to Sensitive Personal Information, a question may be raised as to whether information that indirectly reveals certain sensitive matters is covered and be likewise penalized. The information thus indirectly revealed is not what is contemplated by the Act when it defined Sensitive Personal Information[16] under Section 13 of Republic Act 10173. Hence, the fact that someone regularly buys Halal meat, or regularly go on pilgrimage, or visit certain web sites may not mean information as to that person’s beliefs or race but such a fact can be said to be nevertheless reveal such information, albeit indirectly. Will the person disclosing information indirectly be penalized under Republic Act 10173?

 

Right to be Forgotten

 

Can data that are publicly uploaded onto the Web be realistically be forgotten? The right to be forgotten, or the right to erasure allows individuals to require the deletion of any personal information relating to them, and that there be no further dissemination of such data. This right is specifically provided for in paragraph (e) of Section 16, Chapter IV of the Data Privacy Act of 2012.

 

Sec 16. Rights of Data Subject. – The data subject is entitled to:

 

xxx

 

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information;

 

xxx

 

It can be gleaned from the abovementioned provision that the right extend not only to companies collecting personal information but also to third-party internet companies to whom data may have been transferred. This would mean that a person can request that his or her personal information be removed not only from primary websites but also in any other sites that link to, or republish the information in question.

 

One problem that the right to erasure poses is that it would be particularly burdensome on internet service providers and major search engine and social-media companies like Google, Facebook and YouTube, due to the amount of personal data processed on these sites. In social networking sites, for example, there is a huge amount of user generated data for which the data controller has no responsibility. If the right to be forgotten is applied to social-media, will social networking sites be compelled to remove content or data at a user’s request? Also, would a website be expected to track down third-parties who have republished the data? This presents a problem in a sense that given that information can be easily copied from websites without knowledge or consent of the primary website to which the information was first published. It is unlikely that a business will have effective control on information republished by others.

 

Another issue that can be raised is that can a data subject request the deletion of each and every kind of information relating to him? It seems to me that the Right to Erasure is restricted by certain exemptions such as when other interests override the data subject’s rights to privacy. These exemptions which appear to be justified include the freedom of expression, freedom of information and those relating to major public interests. It should be noted that the right to freedom of expression is guaranteed by the Constitution to everyone, and not only to journalists, artists and writers. Hence, this will cover news reports or articles of journalists as well as comments on posts or blogs made by ordinary people.

 

Moreover, the right of access to official and other documents, usually referred to as “freedom of information” is likewise a fundamental right of every Filipinos protected by the Bill of Rights. Lastly, it may be permissible in the interest of the public to restrict the application of the right to erasure, specifically for the following purposes: national security, defense, investigation and prosecution of offenses, financial interests of the state, public health, social protection, scientific research and government statistics.

 

In Ople vs Torres[17], the High Court declared that the right to privacy does not bar all incursions into individual privacy. The right is not intended to stifle scientific and technological advancements that enhance public service and the common good. It merely requires that the law be narrowly focused and a compelling interest justify such intrusions. Intrusions into the right must be accompanied by proper safeguards and well-defined standards to prevent unconstitutional invasions. Any law or order that invades individual privacy will be subjected by the Court to strict scrutiny.

 

 

[1] South African Law Reform Commission. http://www.justice.gov.za/salrc/dpapers/dp109.pdf‎

[2] Ople vs Torres (1998)

[3] Art III 1987 Philippine Constitution

[4]Ople vs Torres (1998)

Art 26, Civil Code of the Philippines

[5] Art 723 Civil Code of the Philippines. Letters and other private communications in writing are woned by the person to whom they are addressed and delivered, but they cannot be published or disseminated without the consent of the writer or his heirs. However, the court may authorize their publication or dissemination if the public good or the interest of justice sorequires.(n)

[6] Melencio S. Sta Maria. Persons and Family Relations. 5th Edition. Page 60

[7] Luis B. Reyes. The Revised Penal Code: Criminal Law. 16th Edition. Page 425

[8] Art 290 – 292 of the Revised Penal Code

[9] An Act Prohibiting Disclosure of or Inquiry Into, Deposits with Any Banking Institution and Providing Penalty Therefor.

[10] An Act Providing for the Recognition and Use of Electronic and Commercial and Non-commercial Transactions and Documents, Penalties for Unlawful Use Thereof and for other Purposes.

[11] Rape Victim Assistance and Protection Act of 1998

[12] Family Courts Act of 1997

[13] Sec 7, Republic Act 10173

[14] Sec 2, Republic Act 10173

[15] Sec 3 (j), Republic Act 10173

[16] Sec 3 (l) Sensitive Personal Information refers to personal information:

  1. About an individual’s race, ethinic origin, marital status, age, color, and religious, philosophical or political affiliations.
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept classified.

[17] GR No. 127685, July 23, 1998

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s