Aware of the need to adapt to the rapidly evolving age of Information Technology, President Benigno S. Aquino III signed into law on August 15, 2012, Republic Act No. 10137, otherwise known as the “Data Privacy Act of 2012”, which aims to “protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” Together with the newly enacted R.A. 10175, otherwise known as the “Cybercrime Prevention Act of 2012”, this shines into light the State’s commitment to adapt to our ever-changing times while ensuring the basic rights of the Filipinos found in our Constitution and other laws are still upheld.
This brief study of the Data Privacy Act of 2012 aims to highlight seemingly ambiguous areas that may possibly give rise to legal questions in the near future when they are raised in the proper courts. The importance of the study of such ambiguous areas may help in lessening the confusion of the general public and lessen, if not eradicate, possible abuses that may be derived from these grey areas found in the Data Privacy Act of 2012.
The ambiguous areas that will be discussed in this brief study are the following: (1) Section 3(b) that covers the statutory requirement of consent of the data subject, (2) Section 4(a) that covers the scope of limitations concerning government official and employees, (3) Section 17 that covers the transmissible rights of the State as a legal heir, and lastly, (4) Section 20(f) that covers the prompt notification of data subjects by personal information controller in the event of a breach or a leakage of information.
Agreeing to the Terms and Conditions of Privacy without reading it in its entirety
Section 3(b) of R.A. 10173 provides for the definition of the “consent of the data subject”. It states that:
“Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.”
The above-mentioned provision requires that the consent of the data subject is a “freely given, specific, informed indication of will”. I would like to expound on the requirement of the law for the data subject to have an “informed indication of will”.
Whenever a person registers for a service or purchases something off the internet and fills out the necessary information required from the person, the person is usually required to check a box which reads something like this: “I have read and agree to the the privacy terms and conditions of this website”. If left unchecked, the person would not be able to conclude the registration for a service or the purchase of a product or service from the internet so the person would most likely click on the box to agree to it. However, since the contents of the privacy terms and conditions of websites are often published in very fine print and written in a language that a layman would have a difficulty in understanding its contents, there is a good chance that the person would forego reading the said terms and condition and just check on the box so he can already make use of the service or enjoy the product purchased. After all, most people do the same thing, don’t they?
Now consider this situation: a website of a Filipino-owned and locally-based Company X offers the service of notifying its subcribers through email or text message free of charge when there is an on-going sale or marked-down sale of goods or services in a number of establishments which the subscriber may filter according to his preference or lifestyle. However, before a person may successfully subscribe to the free service being offered, he must agree to the privacy terms and conditions that provides his personal information, at the discretion of the said company, may be disclosed to the establishments offering the discounted goods or services. Given the said provision in the privacy terms and conditions, will the company violate its obligation as a personal information controller in disclosing personal information of its subscribers?
In determining whether its subscribers have consented to such a practice, the consent of the data subject, in this case the subscribers of the services offered by Company X, must be a freely given, specific, informed indication of will.
First, regarding the issue whether consent was freely given, it may be said that the consent was freely given as there was no coercion on the part of Company X to ensure people would subscribe to their service. Second, regarding the issue whether the consent given was specific to the service being offered by Company X, it may also be said that the consent was specific because subscribers are aware that they are signing-up for the free service being offered by Company X. Lastly, regarding the issue whether there was informed consent from the subscribers in permitting the company to transmit personal information to other establishments, the answer to this element, unlike the previous two, must be expounded.
The quantum of informed consent to meet the statutory requirement may be either be (1) that it is already enough that the potential subscriber was informed of the existence of the privacy terms and conditions and that he agreed to it freely and specifically, or (2) that the privacy terms and conditions must be fully read by the potential subscriber in order for his consent to be considered “informed”. Given these two quanta of informed consent, the former one must be adhered to because if the latter one is allowed to be used as a defense to nullify the consent given, it will open flood-gates that could damage that sanctity of contracts between the parties since the contract’s “validity or compliance cannot be left to the will of one of them.”
Government Officials and Employees with Sensitive Job Descriptions:
Section 4(a) of R.A. 10173 provides for the scope and limitations of the law. It states that the law does not cover information regarding government institutions’ officers and employees regarding the following matters:
“(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government.”
The above-mentioned provision covers “any individual who is or was an officer or employee of a government institution”. The said provision did not provide any exceptions hence, I can be said that no officer or employee of a government institution is exemption from the limitation provided.
A possible issue may occur when the subject of inquiry is an officer or an employee of a government institution holding an office which is sensitive in nature but not covered by R.A. 10173. Because of the all in compassing provision stated above, such government officer or employee may not be protected by the said law regardless of the weight and value of the information and knowledge he may possess. The very life of the government officer or employee and the people close to him may be endangered if his “classification, salary range and responsibilities of the position” are divulged.
Take this situation for example: Person Y is an intelligence officer of the Optical Media Board tasked to investigate where pirated movie disks are produced in Metro Manila and, if need be, order the raid of the suspected facilities and the seizure of the illegal goods found therein. Since government officials and employees of government institution are not protected by R.A. 10173, the information regarding Person Y’s “classification, salary range and responsibilities of the position” may be acquired by anyone prudent enough to look into him, leaving him vulnerable to harassment and even threat to his own life and the people close to him.
I find the absolute provision covering all officers and employees of government institution problematic because people occupying sensitive positions in government (The Armed Forces, The Police, Government-owned Public Utilities, etc.) are left vulnerable which in turn, leaves the entire country vulnerable.
The State as an Intestate Legal Heir in Right of the Data Subject
Section 17 of R.A. 10173 provides for the transmissiblity of the right of the data subject in case of the his death or incapacity to exercise his rights. It states that:
“The lawful heirs and assignees of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.”
The above-mentioned provision states that the rights of the date subject are transmitted to legal heirs and assignees and may be invoked by them anytime after the death or incapacity of the data subject.
It is said in our laws in succession that, Article 1011 of the New Civil Code of the Philippines, as amended, that “in default of the persons entitled to succeed in accordance with the provisions of the Sections, the State state shall inherit the whole estate” making the state a legal heir in the event a person dies without any other legal heir but the State. This situation does not go against the basic human right of privacy found in our Constitution as this is all found in R.A. 10173 making access to the information and data legal with respect to the data subject decedent.
However, a problem may arise when information and data from the private sector made available to the State by virtue of the transmissible rights found in Section 17 of R.A. 10173 include transactions that may violate the privacy rights of third persons who had dealings with the data subject decedent which may go against Section 2, Article 3 of the 1987 Philippine Constitution which states that “the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizure of whatever nature” and, possibly, bank secrecy laws such as the R.A. 1405 (Secrecy of Bank Deposit Act).
This situation may further be illustrated by this example: Person Z died intestate without any legal or voluntary heir but the State. He has left, among other properties, a bank account with the Bank of the Philippine Islands. The State, by virtue of the Section 17 of R.A. 10173, was able to get hold of Person Z’s list of all of his bank transactions since he opened an account with the said bank in 1980. Based on the records that was passed on by the bank to State, the latter found out all the transactions of Person Z and to whom the money was given or received from. Absent any probable cause to investigate them for crimes like money-laundering or tax evasion, would the State’s actions, acquiring knowledge of the bank transactions of Person Z with third parties, effectively amount to an unlawful search on the part of the third parties?
This issue is quite tricky as the law does not qualify which information or data may be transmitted to the legal heirs. It only provided for the rights which the data subject and his legal heirs or his assignees may do to enforce the rights found in R.A. 10173.
The Method of Notification to Data Subjects In case of a Breach of Information
Section 20(f) of R.A. 10173 provides the personal information controller shall promptly notify the Commission and the affected data subjects in the event of a breach that may cause a real risk that may affect the data subjects. It states that:
“(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.”
In case of a breach or a leakage of information, the personal information controller is obligated to notify the Commission and the data subjects that may be possibility affected. However, the law failed to specify or at least give a minimum statutory requirement on how data subjects must be notified in case of a breach because the notification requirement would vary depending on the size of population of the data subjects affected by a breach or a leakage of information. For example, if the breach of information happened in a small retail company employing 20 people, then there would be a slim chance that their personal information controller would have a hard time disseminating the notification and ensuring all the data subjects received the notification. However, if the breach occurred in a major telecommunications company which has 20 million subscribers then, the task of notifying the data subjects and making sure they were able to get hold of the new would be challenging to say the least. It would have been helpful of the law gave a minimum statutory requirement there would not have been a grey area concerning the manner of notifying the data subjects.
Also, another issue that may be pointed out in the same provision is the lack of substantiation with regard to the period in which the personal information controller is obligated to notify the Commission and the affected data subjects. It merely said the “the personal information controller shall promptly notify the Commission and affected data subjects.” Similar to the issue stated above, it would have been helpful of the law gave a minimum statutory requirement there would not have been a grey area concerning the period of notifying the data subjects.
While the intent of Republic Act No. 10173,otherwise known as the “Data Privacy Act of 2012” is noble and pioneering as it brings into light the need of our law to adapt to our ever-changing times while ensuring the basic rights of the Filipinos found in our Constitution and laws are still upheld, the said law still needs to be improved either through an amendment or further elucidated by its Implementing Rules and Regulations.
Lastly, it must be stressed that the importance of the study of such ambiguous areas may help in lessening the confusion of the general public and lessen, if not eradicate, possible abuses that may be derived from these ambiguous areas found in the Data Privacy Act of 2012.
Section 1 of R.A. 10173, otherwise known as the “Data Privacy Act of 2012”.
Section 2 of R.A. 10173, otherwise known as the “Data Privacy Act of 2012”.
Section 1 of R.A. 10175, otherwise known as the “Cybercrime Prevention Act of 2012”.
Section 3(b) of R.A. 10173, otherwise known as the “Data Privacy Act of 2012”.
Article 1308 of R.A. 386, as amended, otherwise known as the “ Civil Code of the Philippines”.
Section 4(a) of R.A. 10173, otherwise known as the “Data Privacy Act of 2012”.
Section 17 of R.A. 10173, otherwise known as the “Data Privacy Act of 2012”.
Article 1011 of R.A. 386, as amended, otherwise known as the “ Civil Code of the Philippines”.
Section 2, Article 3 of the 1987 Philippine Constitution .
Section 20(f) of R.A. 10173, otherwise known as the “Data Privacy Act of 2012”.