With the enactment of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, many would speculate on its implications in an era when technology reigns. The presence of innovation forces our law to adapt to the transformation.
Privacy as Guaranteed
The Act pledges to protect the guaranteed fundamental right of a citizen and a member of society to privacy of communication while encouraging both innovation and growth through the exchange of information. In simple language, it is patterned to overcome the perils brought about by the age of advancement. In order to acclimate to these developments, the law covers the protection of personal information in the information and communication systems of both the government and private sectors against possible exposures, intrusions, attacks and damaged reputation. It concerns not only juridical but also natural persons, as it is addressed to all private sectors without any differentiation. Therefore, a person, whether juridical or natural, may be covered by the rules set by R.A. 10173. The law does not make any distinction.
The 1987 Constitution declares as one of the State policies the imperative role of communication and information in nation-building. It states that science and technology, which include information and communication systems, are indispensable for development and progress. Further, the Bill of Rights of the Constitution guarantees every person the right to privacy. Thus, in view of sustaining the policy of the fundamental law of the land, the Data Privacy Act endeavors to regulate data sharing and strengthen its campaign to uphold the integrity of personal information as it undergoes processing, recording and transmission. Its intent is to protect an individual’s personal information in information and communication systems against any probable unauthorized disclosure or any form of misuse in the handling of personal data. With the expansion of technological advancement, personal information vulnerabilities have increased aggressively. Thus, Section 2 of R.A. 10173 acknowledges the importance of establishing measures and safeguards such as encryption and internal controls to secure and protect the confidentiality and privacy of personal information.
Scope and Application
“Is the act of a person, A, disclosing the mobile number of B, to a third person, without B’s consent, considered a violation of RA 10173?”
Often, the disclosure of one’s personal information is a requirement of the government and private institutions in their aim to maintain easy access to all the records and transactions concerning the individual. Their objective is to be able to use and process this personal information to their advantage as a key to legitimately achieving their purpose in their day-to-day operations. The Data Privacy Act lays down the scope of its applicability. Section 4 of the said Act prescribes that it applies to the processing of all types of personal information and to any person involved in personal information processing, whether or not they are established in the Philippines. The law clearly mandates that the processing of all types of personal information is covered by this Act, which means that any information that openly identifies a person or any data connected with the identity of a person is protected under this Act. This may include, but is not limited to, name, age, business address, status, position held and even personal mobile numbers which, when taken collectively, will directly affect and be identified with a certain individual. The said Act also provides for its extraterritorial application, under which acts performed even outside the territorial jurisdiction of the Philippines are covered by this Act when they meet the three criteria laid down by Section 6.
Moreover, it is important to determine whether the commission or omission of an act is covered by the Data Privacy Act of 2012. Based on Section 3(j) of the said Act, processing is defined as any operation performed upon personal information, including but not limited to the collection, recording, modification, retrieval and even destruction of data. Given the broad scope of the definition, it covers any act or processing the conduct of which will have an effect on the integrity, confidentiality and security of information. Thus, it can be argued to include the act of disclosure.
The Act, however, is identified not to apply to the processing of personal information pertaining to any individual connected with or employed in any government institution, or for journalistic, artistic, literary, or research purposes, and to that which is required by the laws of a foreign jurisdiction. Thus, if the disclosure of personal information relates to any officer or employee of a government in relation to the performance of their duties, R.A. 10173 does not apply because this is expressly indicated in its provisions. In Valmonte v. Belmonte (GR 74930), the court ruled that public figures enjoy a more limited right as compared to ordinary individuals and that their actions are subject to closer scrutiny. The limitation in the scope of the Data Privacy Act may be rooted in the fact that, for public authorities, limitations on their rights are expected in order to prevent possible hindrance in the performance of their duty as servants of the public.
A personal information controller and a personal information processor may be held liable for any violation of the provisions of R.A. 10173. Section 3(h) of the said law defines a personal information controller as any person or organization who exercises control over the collection, holding, processing or use of personal information, including a party authorized to instruct another person to perform such an act. The law even recognizes, under Section 14, the right of the personal information controller to subcontract the processing of personal information on its behalf, but this does not shift to the other party the responsibility imposed upon the controller to secure the processing of personal information. Meanwhile, personal information processors are those to whom a personal information controller may outsource the processing of a person’s personal information. Both are vested by the law with the responsibility to put in place safety measures and controls to guard against unauthorized use and misuse of the data.
Moreover, the definition excludes a person or organization who is only instructed by another person or organization, and also those individuals whose purpose of processing is in connection with their personal affairs and usage. Therefore, the exposure of a party to any possible liability is determined not by the manner of the acquisition of the personal information but rather by the purpose or reason for which it will be provided. It can then be argued that if the act of processing is merely a duty imposed by another party or organization and the purpose of the processing is in connection with their personal, family or household affairs, a person cannot be considered a personal information controller who may be subject to any liability in cases of violation of the Data Privacy Act.
Identifying what kind or class of information you are dealing with helps to determine the appropriate compliance requirements. The said Act addresses the processing of both personal information and sensitive personal information. One of the noticeable features of the Data Privacy Act is how it overtly discusses and distinguishes between personal and sensitive information. The major distinction is that, generally, the processing of personal information shall be allowed, subject to the criteria provided by the said Act, while the processing of sensitive personal information is generally prohibited, subject to certain exceptions enumerated in Section 13 of the Data Privacy Act of 2012.
Section 3(l) of R.A. No. 10173 enumerates the instances where information may be considered sensitive personal information. This may include one’s race, ethnic origin, marital status, age, color, affiliations, health, education, information issued by government agencies and that specifically established by an executive order or an act of Congress to be kept classified. As pointed out, it restricts the recognition of sensitive personal information exclusively to the items enumerated in the said section. Clearly, a telephone number does not belong to such classification.
On the other hand, Section 3(g) defines personal information as any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual. The definition expands the scope of what type of data may be considered personal information. As the term itself denotes, it includes data which can be directly associated with someone, or combined information which may rationally pertain to an individual, such as name, address, title, and the like. Undeniably, a personal telephone number may be included among the items considered personal information. Nowadays, a person can be identified by their personal mobile number alone. It is information that, when taken collectively with other information, will attach to the identity of an individual. Due to the advancement of communication systems, almost everyone, if not all, has a personal telephone or mobile number.
The law provides the conditions under which the processing of personal information may be allowed. Its basic condition is that the data subject has given direct consent. Note that the items specified under Section 12 are not to be treated as requisites but rather as conditions, where the existence of at least one criterion renders the processing lawful. Consent of the data subject is only one of the criteria for lawful processing of personal information. Other conditions include where the processing is necessary for the fulfillment of a contract, for compliance with a legal obligation to which the personal information controller is subject, for the protection of the interest of the data subject, for matters concerning national interest, and in pursuance of the legitimate interest of the personal information controller, except where such interests prejudice the fundamental rights guaranteed under the Philippine Constitution.
Article III Section 2 and Section 3 of the Constitution provide for the guarantee to its people of the right to privacy. It is a fundamental right that each Filipino is entitled to exercise in order to protect their interest against unlawful acts and intrusion on their private life. The landmark case of Ople vs. Torres (G.R. No. 127685) depicts the power of this right, as the court acknowledged the supremacy of the protection of the right of its citizens against disclosure of personal information in a proposed creation of a common reference number using biometrics technology. The proposal was ruled unconstitutional since “It falls short of assuring that personal information gathered about our people will be used only for specified purposes thereby violating the citizen’s right to privacy.” Under the doctrine of constitutional supremacy, if a law contravenes any rule of the Constitution, that law is said to be null and void and without any force or effect.
Another criterion outlined for the lawful processing of personal information is when processing is indispensable during a national emergency and is required to maintain public order and safety. There are instances where, for valid purposes, disclosure of personal information is needed to preserve and protect the well-being of the public. In US courts, the case Tucson Women’s Clinic v Eden, 379 F.3d 531 (2004) illustrates the difference between particular privacy interests. The Tucson test balanced five factors to decide whether the governmental interest in obtaining information prevails over an individual’s privacy interest. The reality is that even if the law wishes to grant and protect one’s right to privacy of personal information, greater weight is given to the national interest when it would otherwise be sacrificed.
Another cited condition which also permits lawful processing of personal information is when processing is necessary and is related to the fulfillment of a contract. Noteworthy is the provision in our Constitution that “No law impairing the obligation of contracts shall be passed.” In recognition of and compliance with the law of the land, the Data Privacy Act of 2012 inserted a provision where it advocates and respects the solemnity of obligations and contracts between the parties. The Act is clear that if the purpose of the processing is compliance with a contract and/or any legal obligation, it certainly falls within the ambit of the provision of R.A. No. 10173.
The disclosure of personal information without the consent of the concerned person is not per se unlawful, nor is it considered a violation of the Data Privacy Act. The Act penalizes two kinds of disclosure under Sections 31 and 32: malicious and unauthorized disclosure. Absence of consent alone will not automatically stand as a ground for intrusion on one’s privacy if the disclosure can be proven to fall under the other criteria stated in Section 12. In fact, under general data privacy principles, processing of personal information is allowed when it complies with the requirements of the Data Privacy Act and other laws which permit the disclosure of personal information to the public in accordance with the law or its legitimate purpose. So even if it can be demonstrated that the disclosure by “A” of the mobile number of B is without B’s consent, what is necessary is to establish any of the criteria provided for by Section 12 of the Data Privacy Act. The law is clear on the matter that, as a general rule, processing of personal information is allowed so long as any one of the conditions is satisfied. Consent as used in the Data Privacy Act refers to any freely given, specific, informed indication of the will whereby the data subject agrees to the collection and processing of personal information. It is to be noted that this particular law requires such consent to be in written form.
Assuming arguendo that “A” qualified as a personal information controller and is thus involved in the collecting and processing of personal information, all data subjects with whom he transacts possess certain rights created to protect their interest under Section 16 of the said Act. Before the initial entry of personal information in the processing system, or at the next practical opportunity, the data subject has the right to be informed of all the descriptions to be entered, the purposes the information may serve, its scope and limitations, the method to be applied in the course of processing the data, the recipients of the information and the period when such information will be used.
Applying this to the given scenario, it can be clearly found under the provisions of the law that if the processing of personal information has already occurred, the personal information controller is given an opportunity to perform his duty of informing the data subject of all the circumstances of which the data subject is required to be informed. In this case, again it can be shown that the disclosure of personal information without the consent of the data subject does not at once violate the right of the data subject, because the law provides for an allowable and reasonable time to disclose to the data subject all the information required by the Act.
In applying the provisions of a special law, it is significant to fully understand the prohibited act or acts which may constitute an offense. Generally, criminal intent need not be proven but what should be determined is whether the act committed constitutes the prohibited act defined by the special law. Therefore, the scope and purpose of the special law must first be considered.
Disclosure of personal information is not by itself a prohibited act. There must be a closer scrutiny of the purpose of the action, the qualification of the person, the kind of information disclosed, the manner of the disclosure, the instance in which it was disclosed, the authority of the person who disclosed it and the effect of the disclosure. At a glance, it seems effortless to answer the question of whether or not a person will be liable, but what lies within the question is a myriad of qualifications and conditions to consider. In the implementation of a law, assumptions are the least to be considered. The Act does not aim to punish a person disclosing a mobile number without the consent of the other if it’s plainly for personal use. It was not, of course, the intention of the law to restrain us in any of our personal agenda, especially if no prejudice of rights will result therefrom.
What the Act campaigns for is to protect information privacy and to secure the integrity and confidentiality of information in the advanced world. The development of technology and information systems has definitely helped not only the growth of our economy but also our day-to-day operations. Along with this development comes the challenge to everyone, especially the government, to protect the interest of the public against the increasing risks and vulnerabilities that may develop. Everyone should do their part to practice responsible information sharing, not only to avoid violation of the Data Privacy Act of 2012 but as a conscious effort to promote information privacy and technological advancement combined.
In every given scenario, a mere change of facts may result in a different conclusion. In order to arrive at a conclusion, facts must be established so that the rule can be applied. The vague question of “Is the act of a person, A, disclosing the mobile number of B, to a third person, without B’s consent, considered a violation of RA 10173?” certainly deserves a qualified answer. Indeed, different facts call for different approaches and will therefore yield different results.
Information privacy is a right that needs to be exercised and a practice that needs to be upheld.