To Look Beyond Data Privacy Law (Gray Areas)


Different perspectives come into play in elaborating, defining, and describing the word Privacy. Privacy may be used in different contexts in Legal, Political and Philosophical discussions. Privacy is defined as the state of being private; retirement or seclusion, or the state of being free from intrusion or disturbance in one’s private life or affairs. i Privacy is one of the rights that is not respected and being abused.

There is a constitutional right of privacy to every individual. In the 1987 Constitution of the Republic of the Philippines, this states that: Article 3, Section 3;

  1. The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.

  2. Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding.

The Constitution protects the right of an individual to communication and correspondence. Communication plays an important role in our daily living. It is not limited to telephones, telegrams, but also to the expanding communication technology such as yahoo messengers, vibers, emails, facetime and alike. Many people still view privacy as a valuable interest and realize it is now threatened more than ever by technological advances.

The first privacy law adopted in the Philippines signed by the President Benigno “Noynoy” Aquino III on August 15, 2012 is Republic Act No. 10173, or the Data Privacy Act of 2012. It is an act intended for the protection and security of individual personal information in Information and Communication System in the Government and Private Sector, creating for this purpose a National Privacy Commission and for other purposes. The National Privacy Commission will administer and implement the provisions of this Act and to monitor and ensure compliance of the country with International Standard sets for data protection. ii

As the Philippine Constitution recognizes the right of privacy, the Act also provides the protection of the right of privacy which states;

Section 2.  Declaration of Policy. It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.iii

The new law penalizes the unauthorized disclosure of personal information. Like for instance, if a company passes on personal information, to another company without the customer’s consent, the first company is already violating the Data Privacy Law.

The scope of its applicability states that:

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

With this, it is important to look beyond the meaning and description of Data Privacy so that it can be fully understood. The context of every words used may be differ to other words. In order to avoid confusion with regard to the words being used in the Act, let’s further examine what are the matters which may bring confusion to an individual. Not just words but also let us take into consideration some situations or circumstances that seems to be possible be covered by Data Privacy Act but turned out that due to technical matters it cannot be covered by the Act.

The importance of personal information controllers and processors has been tackled in the Act.

The law defines personal information controller as “a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf”.iv A personal information processor, on the other hand, refers to “any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject”. v

As I looked at it, personal information processors only pass the information, but do not make decisions as to how to use these data. The personal information controllers are responsible or answerable for that, and accountable for criminal liability should the personal data is used for something else other than what was consented for. Now, there is confusion if data and information are alike.

Take note of the difference between the two which are the following: data is/are the facts of the world, unprocessed raw information. Data is normally stored in a database or a file. Information is the result of processing, manipulating and organizing data in a way that adds to the knowledge of the person receiving it. The term data refers to raw material which when processed makes meaningful output, while information refers to a processed outcome of data. Data is normally disorganized and disjointed, while information is properly arranged and organized. Information primarily depends on data for it to be complete. vi In the Act, it does not provide distinction between the data and the information which is essential in knowing whether it is in accordance to what Data Privacy really means.

As I viewed beyond the meaning of the following context, which states that;

Section 5.Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

There may be an abuse of right on the part of the media men. The provision may be used to protect their evil intent in reporting libelous or false information. The law provides that the media men may not be compelled to disclose the personal information of their source. My concern is that, there can be libelous or false information to be reported by the media men but on their defense it can be cover up by a reliable source which does not really exists. The media men can be supported by this provision and invoke their right not to compel to disclose the personal information of their source. The provision does not provide up to what extent does the media men will not be covered and also on certain circumstances that will be a supporting evidence to identify the source, is it stills a valid reason to compel the media men in revealing the reliable source?

The salient features of Data Privacy Law are the following:

Section 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

But the question is this, is there such thing as Privacy Standard which is not included in the Act? Standard in determining up to what extent privacy can be granted to an individual of a government or private sector. Privacy standards may extend the self-regulatory code of practice in some vital ways. Standard imply that a process exists through which an organization’s claims that they are following to privacy rules can be objectively tested. Standard in asking the whole information but it has been consented on specific personal information only, would it still be part of processing data, if the standard is not met. Like for instance in technical standards may include both a code of practice for computer security and a standard specification for security management systems, which includes a risk analysis for the different categories of information stored by the organization.

As I look beyond the Data Privacy Law, the main challenge is with regard to the gray matters existed with some of the provisions of the Act and also on the part of the Congress on who will have the obligation of ensuring the compliance of this law in line with its Implementing Rules and Regulations. It must go beyond the provisions of Implementing Rules and Regulations so that in the future there can be no chaos in to serve as a guiding Law.































Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s