Sunday, May 5, 2013

The Data Privacy Act of 2012

Disclaimer: This is only a law student's opinion.

“[T]he ways in which the information we give off about our selves, in photos and e-mails and MySpace pages and all the rest of it, has dramatically increased our social visibility and made it easier for us to find each other but also to be scrutinized in public.”
― Clay Shirky, Here Comes Everybody: The Power of Organizing Without Organizations

The right to privacy is concisely defined as the right to be left alone. It has also been defined as the right of a person to be free from unwanted publicity or disclosure and as the right to live without unwarranted interference by the public in matters with which the public is not necessarily concerned. 1

The right to privacy is a person's natural right; however, it is not an absolute right and can be limited by the State.

As advances in technology enhance the ability of the government to look, listen and pry into the affairs of its citizens, concern about privacy is heightened. It is necessary to stress that unless the creeping interference of the government in essentially private matters is moderated, it is likely to destroy that prized and peculiar virtue of the free society – individualism. Every member of the society, while paying proper deference to the general welfare, must not be deprived of the right to be left alone or, in the idiom of the day, “to do his things.”

The protection of the right to privacy was, among others, the reason for the invalidation in Ople v. Torres of Administrative Order No. 308, entitled “Adoption of a National Computerized Identification Reference System.” The Court, speaking through Chief Justice Puno, opined that:

Zones of privacy are likewise recognized and protected in our laws. The Civil Code provides that every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another. It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person, and recognizes the privacy of letters and other private communications. The Revised Penal Code makes a crime the violation of secrets by an officer, the revelation of trade and industrial secrets, and trespass to dwelling. Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposit Act and the Intellectual Property Code. The Rules of Court on privileged communication likewise recognize the privacy of certain information.

Unlike the dissenters, we prescind from the premise that the right to privacy is a fundamental right guaranteed by the Constitution, hence, it is the burden of government to show that A.O. No. 308 is justified by some compelling state interest and that it is narrowly drawn. A.O. No. 308 is predicated on two considerations: (1) the need to provide our citizens and foreigners with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities and (2) the need to reduce, if not totally eradicate, fraudulent transactions and misrepresentations by persons seeking basic services. It is debatable whether these interests are compelling enough to warrant the issuance of A.O. No. 308. But what is not arguable is the broadness, the vagueness, the overbreadth of A.O. No. 308 which if implemented will put our people's right to privacy in clear and present danger.

In order to bolster the right to privacy, Congress enacted Republic Act 10173, or the Data Privacy Act. The salient features of the law are:
It applies to the processing of personal information and sensitive personal information.
It creates the National Privacy Commission to monitor the implementation of this law.
It gives parameters on when and on what premise the processing of personal information can be allowed. Its basic premise is that the data subject has given direct consent.
Companies that subcontract the processing of personal information to a third party bear full liability and cannot pass on the accountability for that responsibility.
Data subjects have the right to know if their personal information is being processed. They can demand information such as the source of the information, how their personal information is being used, and a copy of their information. One has the right to request removal and destruction of one’s personal data unless there is a legal obligation that requires it to be kept or processed.
If the data subject has passed away or become incapacitated (for one reason or another), their legal assignee or lawful heirs may invoke their data privacy rights.
Personal information controllers must ensure that security measures are in place to protect the personal information they process and must be compliant with the requirements of this law.
If a personal information controller's systems or data are compromised, it must notify the affected data subjects and the National Privacy Commission.
Finally, heads of government agencies must ensure their systems' compliance with this law (including security requirements). Personnel can only access sensitive personal information off-site, limited to 1000 records, in government systems with proper authority and in a secured manner.2

Although the issue of whether the enactment of Republic Act 10173 overturns the ruling in Ople v. Torres is moot and academic for being unripe for adjudication, it is humbly believed that the Court will reach the same pronouncements should the constitutionality of the Data Processing Act be assailed. The Ople doctrine was premised on the vagueness of the law, in that the law in question did not provide how the data to be gathered would be handled. Likewise, it did not provide who may access the data, for what purpose, and under what similar circumstances. The newly enacted law provides specific guidelines on how the data would be handled, viz:

Section 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.
Personal information must, be:
(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles set out herein.

Section 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Section 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

On another note, Sec. 7 of the Act provides for the functions of the National Privacy Commission, to wit: to administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission.

This provision is very interesting because of its use of the words 'independent body'. This means that the National Privacy Commission has broad discretion in implementing the law and that it is not directly under the jurisdiction of the President. Assuming the constitutionality of the provision, issues arise as to jurisdiction, where to file a case, and under what department of the government the National Privacy Commission belongs.

The law even provides guarantees for the rights of the data subject, a separate chapter on security of personal information, and penal provisions should any infraction of the law be committed, whether deliberately or inadvertently. The Court in Ople even made it doctrinal that data gathering is not illegal per se; however, it must be grounded on a compelling State interest. The promulgation of the law was a reflection of Congress’ deference to the wisdom of the Supreme Court in adjudicating matters pending before it.

If there is one lesson that every person – whether a member of the Bar or a lay individual – must ponder, it is the pertinence of one’s privacy. Nobody can afford to tolerate the intrusion of others into one’s domestic sphere, all the more so if the intruder is the State. The affair of one is certainly not the affair of all. Only when constrained by a very special interest should others be allowed to meddle.

1., May 1, 2013.
2., April 24, 2013.

1 comment:

  1. In my opinion, the Data Privacy Act answers the main issue raised in the case of Ople vs. Torres. The essence of a National ID system is not to intrude on the privacy of individuals or to meddle with the affairs of one individual. The information that will be gathered is basic information that people would always write on their basic information sheet on whatever application they make. Thus, it is not technically an intrusion to privacy. For me, it is better to consider the advantages of having a National ID system because, in effect, it will speed up the process of application in most government agencies and avoid possible corruption, just like what happened on the issue in National Housing wherein reports say fictitious individuals were granted housing loans. Thank you.