INTRODUCTION

The 1987 Philippine Constitution is designed to protect the most basic rights afforded to humans, including the right to privacy. It is the right that must be enjoyed by everyone either natural or juridical person. As defined by scholars, it is the right to be let alone[1] or as the right of a person to be free from undesired publicity or disclosure and as a right to live without unwarranted interference by the public in matter with which the public is not necessarily concerned.[2] In 1765, British Lord Candem said, “We can safely say there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society, for papers are often the dearest property any man can have.”[3] The right to privacy is entrenched in the 1987 Philippine Constitution, particularly in the Bill of Rights and safeguarded by several provisions of the Civil Code, the Revised Penal Code, and other domestic and international statutes that provide penalties for their violation.

In a long line of jurisprudence, the Supreme Court has consistently held that the right to privacy is considered a fundamental right that must be protected from intrusions and constraints. In the language of Prof. Emerson, the protection of the dignity and integrity of the individual has become increasingly important as modern society has developed and all the forces of a technological age such as industrialization, urbanization, and organization operate to narrow the area of most important rights concern of this generation. In the continuing modernization, technologies become an integral part of our day today transactions while laws have not kept up with the technology, leaving significant gaps in protections. [4]

According to a 1997 report “Assessing the Technologies of Political Control” Commissioned by the European Parliament’s Civil Liberties Committee and undertaken by the European Commission’s Science and Technology Options Assessment Office, new surveillance technologies can exert a powerful “chill effect” on those who “might wish to take dissenting view and few will risk exercising their right to democratic protest.” The capacity of information technology to disseminate information on individuals has been a call of urgency to the demand for legislation. [5]

In compliance therewith, the House of Senate and the House of Representatives of the Philippines in Congress enacted Republic Act No. 10173 also known as the Data Privacy Act of 2012 for the full protection of personal information in information and communications systems in the government and in the private sector signed by President Benigno S. Aquino III. As enshrined in the declaration of policy of Data Privacy Act of 2012, it is the inherent obligation of the State to ensure that the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth are secured and protected.

Republic Act No. 10173 was passed into law for the purpose of securing and safeguarding the personal information of an individual. Nonetheless, a question remains to be addressed by the lawmaking body of the State: “Will the Data Privacy Act of 2012strengthen the State policy on privacy security?” The author of this article would like to point out some of the issues that are not clearly addressed by the subject law: First Issue, Section 4, Paragraph (g) is inconsistent with the Revised Penal Code in relation to the extraterritoriality principle; Second Issue, Section 8 does not narrowly draw the scope of confidentiality of the personal information when submitted to the Commission; Third Issue, What are the parameters in determining whether or not the collection of personal information falls under specific and legitimate purposes, fair and lawful, accurate, relevant and necessary as provided for under RA No. 10173?Who exercises the discretion in determining whether or not the purpose for processing the information is legitimate?; Fourth Issue, Section 16, Paragraph (a) provides that the data subject has the right to be informed about the processing of his personal information before, during or after the data has been processed; and Lastly, Republic Act 10173 penalizes both unauthorized processing of personal information and sensitive personal information and accessing personal information and sensitive personal information due to negligence without giving the distinction between unauthorized processing and accessing due to negligence. 

First Issue: Section 4, Paragraph (g) is inconsistent with the Revised Penal Code in relation to the extraterritoriality principle.

             Section 4, Paragraph (g) of the Data Privacy Act of 2012 states that the act does not apply to personal information originally collected from the residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines. This provision is inconsistent with the provision of the Revised Penal Code of the Philippines in cases wherein the information originally collected from the residents of foreign jurisdictions are deemed threats to national security.

On the other hand, according to Article 2, Paragraph (5) of the Revised Penal Code, the Philippines exercises jurisdiction over persons who commit any of the crimes against national security and the law of nations defined in Title One of Book Two of the Revised Penal Code.

ILLUSTRATION:

A is a foreign resident, whois internationally known to be a terrorist, temporarily visiting the Philippines. The Philippine government, upon knowledge of the presence of A on Philippine soil, caused the processing of the personal information of said data subject in order to intercept him. In this situation, will the unconsented processing of the personal information of A constitute a violation of his right to privacy under the Data Privacy Act of 2012? or Will the provision of the Revised Penal Code apply in prosecuting A?

International Law acknowledged two theories in cases of extraterritoriality, the French Rule and the English Rule.  In French Rule, the crime is triable in the country of origin of the vessel, except if it affects the national security of the country where such vessel is within jurisdiction.  In English Rule, the law of the foreign country where a foreign vessel is within its jurisdiction is strictly applied, except if the crime affects only the internal management of the vessel. In which case, it is subject to the penal law of the country where it is registered.The Philippine follows the English Rule. [1]

If Section 4, Paragraph (g) of the Data Privacy Act of 2012 will apply, information of an offender which was happened to be a foreign resident cannot be used as evidence in the Philippine court proceeding because Philippines has no jurisdiction over the personal information of a foreign resident.

Second Issue: Section 8 does not narrowly draw the scope of confidentiality of the personal information when submitted to the Commission.

 As provided under section 8 of the Data Privacy Act of 2012, the Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession. The dilemma that this situation poses is how the Commission will guarantee the confidentiality of the personal information. Is there an assurance that personal information obtained by the Commission will not pass through the hands and eyes of unconcerned individuals within the Commission?

 If the answer to the question in the immediately preceding paragraph is in the negative, hence the Data Privacy Act of 2012 will not serve the purpose which it purports to serve.

ILLUSTRATION:

A who is a confidential agent of the Commission was able to process the personal information of B who happened to be his business competitor. Through the personal information gathered by A, he uses such information to the detriment and disadvantage of B.

Third Issue: What are the parameters in determining whether or not the collection of personal information falls under specific and legitimate purposes, fair and lawful, accurate, relevant and necessary as provided for under RA No. 10173? Who exercises the discretion in determining whether or not the purpose for processing the information is legitimate?

The Data Privacy Act of 2012 provides that:

 SEC. 11.General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must, be:

(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully; 

According to the above cited provision, the personal information that are processed must have a specific and legitimate purpose but nothing in this act provides for the manner on how to determine whether the purpose is legitimate or not. It does not even provide who will determine whether the purpose is legitimate or not.

            The subject law did not even outline the parameters in determining the fairness of the process. Fairness is subjective, what may be fair for someone may not be fair to another.

Fourth Issue: Section 16, Paragraph (a) provides that the data subject has the right to be informed about the processing of his personal information before, during or after the data has been processed.

SEC. 16.Rights of the Data Subject. – The data subject is entitled to:

(a)                Be informed whether personal information pertaining to him or her shall be, are being or have been processed; (Emphasis supplied)

xxxxxxxxxxx

           The issue arises when the data subject was informed after the information has been processed and he did not consent with it. Isn’t it a violation of his constitutional right of due process to be informed because he was only informed about the process after it was become available to the hands and eyes of third persons?

Last Issue: Republic Act 10173 penalizes both unauthorized processing of personal information and sensitive personal information and accessing personal information and sensitive personal information due to negligence without giving the distinction between unauthorized processing and accessing due to negligence.

 SEC. 25Unauthorized Processing of Personal Information and Sensitive Personal Information.

 (a) The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence

(a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

While it is true that Republic Act No. 10173 enumerated the criteria for lawful processing of personal information and sensitive personal information and privileged information, it is not clear on when and how accessing personal information and sensitive personal information due to negligence is done.  Will it penalize the person who by chance accessed sensitive personal information of an individual? If yes, what specific offense was committed?

ILLUSTRATION:

The Court ordered A to search for the health information of B. While browsing the data provided by the hospital, A was able to access all the information of the hospital’s patients. Will it be a violation of Republic Act No. 10173 by accessing sensitive personal information due to negligence or will it be unauthorized processing of sensitive personal information?

The subject law did not qualify what is the scope of accessing sensitive personal information due to negligence, how it is committed and what are the elements of this offense. (Emphasis supplied) Republic Act No. 10173 enumerated the criteria for lawful processing of personal information but nothing in this act mentioned the diligence required in the keeping and distributing of the data information.

CONCLUSION

To my mind, the provisions of Data Privacy Act of 2012 is not enough to strengthen the State policy on privacy security. There are legal issues in the provisions that need to be addressed by the lawmaking body. While it is true that Republic Act 2012 purpose is to strengthen the constitutional right of an individual to be secure on his private life, the provisions of the law will just show that the purpose which it purports to serve is hard to achieve because the languages used by the legislature are ambiguous and inconsistent with the public policy.

If the Data Privacy Act of 2012 purpose is to protect the right to privacy of an individual, there must be no question of confidentiality. The law must enumerate who are in the National Privacy Commission would be able to access and process the personal information of the Data subject. The law must also informed the data subject not during and after the information was processed or accessed but must be informed before processing or accessing the information because it will be a violation of his constitutional right of due process.

In the end, the author of this article would like to acknowledged the opinion laid down in the case of Morfe v. Mutuc that, “The concept of limited government has always included the idea that governmental powers stop short of certain intrusions into the personal life of the citizen. This is indeed one of the basic distinctions between absolute and limited government. Ultimate and pervasive control of the individual, in all aspects of his life, is the hallmark of the absolute state. In contrast, a system of limited government safeguards a private sector, which belongs to the individual, firmly distinguishing it from the public sector, which the state can control. Protection of this private sector– protection, in other words, of the dignity and integrity of the individual– has become increasingly important as modern society has developed. All the forces of a technological age– industrialization, urbanization, and organization– operate to narrow the area of privacy and facilitate intrusion into it. In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society.”

 

Footnotes

 

[1] Warren and Brandeis, “The Right to Privacy,” 4 Harvard Law Review 193-220 [1890]

[2] Brents v. Morgan, (Ky.),299 S.W. 967; 55 A.L.R. 964

[3] “PRIVACY AND HUMAN RIGHTS: An International Survey of Privacy Laws and Practice,” http://gilc.org/privacy/survey/intro.html

[4] Morfe v. Mutuc, citing Emerson, “Nine Justices in Search of a Doctrine,” 64 Michigan Law Review 219, 229 [1965]

[5] Id, citing Warren and Brandeis, “The Right to Privacy,” 4 Harvard Law Review 193-220 [1890]

[6]The Revised Penal Code: Criminal Law Book One by Luis B. Reyes

[7] Id, citing Morfe v. Mutuc, supra, citing Emerson, “Nine Justices in Search of a Doctrine,” 64 Michigan Law Review 219, 229 [1965]

 

 

 

Advertisements