In this day and age of modern technology, privacy, in every essence of the word, is difficult to protect. With proper tools and enough resources people can easily find a way to breach barriers in an individual’s private details and affairs. Some individuals are very wary with their privacy. Some people are just not that protective of their personal details. Technology, specifically the internet, makes data readily available to the public. Through the use of social media similar to Facebook, Instagram, Friendster, Myspace and the like a person can knowingly or blindedly reveal their personal data. Revealing someone’s full name, birth date, cellular number, parents and siblings name and other personal stuff on the internet is very risky. Thus unauthorized use of such information must be prohibited.
Privacy is defined in Black’s Law dictionary as “the right that determines the nonintervention of secret surveillance and the protection of an individual’s information. It is split into 4 categories (1) Physical: an imposition whereby another individual is restricted from experiencing an individual or situation. (2) Decisional: an imposition of a restriction that is exclusive to an entity. (3) Informational: the protection of searching for unknown information and lastly (4) Dispositional: the prevention of attempts made to get to know the state of mind of an individual.”
The Philippine Constitution grants us the fundamental right to an individual’s privacy. It is enunciated in Article III Bill of Rights, Section 3 of the Constitution, to state: (1) the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law. (2) Any evidence obtained in violation of this or the preceeding section shall be inadmissible for any purpose in any proceeding.
It is a basic concept that any law passed in contravention of the provisions of the constitution is unconstitutional and thus shall be voided. This article is written to explore possible instances whereby Republic Act No. 10173 or the Data privacy act of 2012 violates the Philippine Constitution specifically the right to privacy of individuals and entities. Also this article shall discuss Republic Act No. 10173, its purpose, objective, application and penalties in violation of the Act.
REPUBLIC ACT NO. 10173
Republic Act No. 10173 is an act protecting personal information in information and communications systems in the Government and the private sector, creating for this purpose a National Privacy Commission. This is also known as Data Privacy Act of 2012. R.A. 10173 which took effect 15 days after its publication on July 25, 2011. This act effectively amends Section 7 of Republic Act 9372, otherwise known as the Human Security Act of 2007. Also, except as otherwise expressly provided in the Act, all other laws, decrees, executive orders, proclamations and administrative regulations or parts thereof inconsistent therewith are hereby repealed or modified accordingly.
On its declaration of policy, it is stated that, ” It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.” This is supposedly consistent with the right provided in the Constitution under Article III Section 3 sub paragraph number 1 which states that “The Privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law”.
Section 4 of the Act provides for the scope or applicability of the act which states that “This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.”
Moreover, Section 4 also provided for several exceptions to the applicability of the Act. This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
Under Section 6 of the Act, the Extraterritorial applicability of the act was discussed. It is stated that the Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:
(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;
(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
(c) The entity has other links in the Philippines such as, but not limited to:
(1) The entity carries on business in the Philippines; and
(2) The personal information was collected or held by an entity in the Philippines.
Chapter III Section 12 defines the criteria for lawful processing of Personal Information, which states that: The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
There are several views on why Data Privacy Act of 2012 was enacted. Most views are in line with the publication of Manila Bulletin on August 29, 2012, where it is stated that “the purpose of the law is to pattern patterned on standards set by Directive 95/46/EC of the European Parliament and aligned with Asia Pacific Economic Cooperation Information Privacy Framework, that protect the integrity of personal data. The passage of RA 10173 is expected to boost investment in the fast-growing information technology and business process outsourcing (IT-BPO) industries. Hailing its enactment, the Business Processing Association of the Philippines said the new law brings the Philippines to international standards of privacy protection as much of IT-BPO work involves confidential personal and company information of local and foreign clients.”
The Philippines for quite a while now has become a major player in BPO industry. The Filipinos proved to clients around the world that we can deliver and get the job done. There is no question about it. RA 10173 aims to reassure our foreign investors that they are protected and their privacy will not be breached. BPO industries process highly confidential and risky transactions. Large purchases and transfers of cash happens in a blink of an eye. The law protects and assures that the foreign clients personal details will be protected. RA 10173 provides for a stiff penalty in violation of privacy. It can be found in Chapter VIII from Section 25 to Section 37.
GRAY AREAS IN APPLICATION OF RA 10173
Provided that the Act bestow very stiff penalty, ranging from thousand to millions of Pesos, there should be a clear description of the law.
To process ones data will probably take several steps. And this might take several Personal information controller and Personal information processor. It would be very difficult to determine on which step of the process the right of the subject has been violated. Does this make every personnel and controller who handles the processing of the personal information liable to the subject?
There is no doubt that a Controller will have a very high influence on the processors. As the processors will listen to what his immediate officer will tell him. What will be the basis of accountability of the Controller and the Processor? Will the liability of the controller and processor be solidary?
Under Section 34 (Extent of Liability) it is stated that “If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and lie or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.”
The question would be, will the Partners of a partnership and Board of Directors be liable if their Controllers and Processors violated the Act. It seems that from the point of view of the law they will be liable as they are grossly negligent of the actions of their officers and staff. But from the point of view of the directors and partners, they can’t monitor every action and demeanor of their officers and staff.