DATA PRIVACY ACT OF 2012 and ITS GRAY AREAS

Introduction

In the field of Psychology, “alone time” is a situation where one enjoys doing activities without a need of a companion.  According to Psychology Today, “alone time” or “solitude” helps individuals to know their selves, together with building their confidence a higher notch and other benefits that an individual need to get through and have a happy life.[1] The state of being alone makes one’s self feel the importance of self enjoyment that he/she does not feel when in the presence of other people.

The term “personal space” is likewise inter-related with the latter term mentioned. Personal space is the region surrounding people that they regard as psychologically theirs. Most people value their personal space and feel discomfort, anger, or anxiety when that space is encroached. [2] These perspectives are also laid down in our laws that let people secure and protect themselves from an intruder who may wanted nothing but the exposure of one’s activities in the scrutiny and use of other persons.

Every individual needs the feeling of security even for the least information of himself. None of us can fully open himself up to another because it is in our nature to avoid embarrassment if one who took the information rather in the other way we supposed to mean it. Keeping secrets is another human nature that every individual do to save his credibility and integrity that the others see as perfect as a Picasso masterpiece. But what will happen if one day, one of your secrets were revealed by accident or by a person whom you thought that will never do such thing against you? What can you do? Can your secrets be protected from other’s knowledge or discovery?

 

Right to Privacy

In the technical sense, the Merriam-Webster dictionary defines privacy as the state of being alone; state of being away from other people or from public attention. [3] The term “privacy” gives right to an individual to keep any person away from any personal belongings, property or information and to avoid further discovery of anything related to the owner.

From the case of Ople vs. Torres (1998), according to Justice Mendoza in his separate opinion, privacy is the most comprehensive of rights and the right most valued by civilized men. The case is about the Administrative Order No.308 entitled as “Adoption of a National Computerized Identification Reference System” issued by then President Fidel V. Ramos that seeks to have all citizens and foreign residents to have a reference number generated by the NSO using Biometrics Technology. The AO was questioned for it allegedly violates the citizen’s right to privacy as protected by our Constitution. The Court then declared that the AO no. 308 as unconstitutional because it falls short in assurance that the personal information gathered will be guaranteed used only for specified purposes.[4]

The concept of privacy or the right of privacy is spread throughout our laws. Under the Bill of Rights of the 1987 Philippine Constitution, privacy is one of the very basic components of the Article III and also called by many as the private right. The Bill of Rights provides the following provisions:

“Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.”

“Sec. 2. The right of the people to be secure in their persons, houses papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.”

“Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”

“Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law.”

“Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.”

”Sec. 17. No person shall be compelled to be a witness against himself.”  [5]

The Civil Code, as amended, also provides provisions on one’s right of privacy under the Preliminary Title of Human Relations, particularly, Article 26 which states,

“ Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons. The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief:

(1) Prying into the privacy of another’s residence;

(2) Meddling with or disturbing the private life or family relations of another;

(3) Intriguing to cause another to be alienated from his friends;

(4) Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition” [6]

and Article 32(11) stating that:

“Any public officer or employee, or any private individual, who directly or indirectly obstructs, defeats, violates or in any manner impedes or impairs any of the following rights and liberties of another person shall be liable to the latter for damages: . . .

(11) The privacy of communication and correspondence; . . .” [7]

Similarly, the Revised Penal Code provides penalties for crimes against one’s privacy, particularly, revelation of secrets by an officer under Article 229, discovery and revelation of secrets that can be found under Articles 290, 291 and 292. Anti-Wiretapping Law and the Secrecy of Bank Deposits Act are special law created for invasion of privacy.

Likewise, the Rules of Court provides for and recognizes the privilege communication between client and examiner under Rule 28 on Civil Procedure and Section 24 of Rule 130 on Rules of Evidence.

 

Data Privacy Act of 2012

Our government makes its efforts to let us feel secure of our own property and identity. Then, our Members of the Congress, signed by the President Benigno S. Aquino III on August 15, 2012, the Republic Act No. 10173 or also known as the Data Privacy Act of 2012 was enacted. The Act was published on August 24, 2012 and took effect on September 8, 2012. The Data Privacy Act of 2012 is an Act protecting individual personal information and communications system in the government and the private sector, creating for this purpose the National Privacy Commission, and for other purposes. The administration and implementation of the provision of this Act was given to National Privacy Commission, especially created for such task. The Commission also has the duty to monitor and ensure compliance of the country with international standard set for data protection.[8]

Republic Act No. 10173 was enacted to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth as stated in its declaration of policy under Section 2 of the said act. The Data Privacy Act also ensures, as an inherent obligation, that personal information and communications in the government and in the private sector are secured and protected.

In the business world, the Data Privacy Act or Republic Act 10173 regulates the processing of personal information of individuals collected by both public and private entities as a way to protect one’s privacy. According to Atty. JJ Disini, during the IMMAP 9th Breaking in the Morning Breakfast Series, “Data Privacy Law tries to give us the right to control any kind of personal information that is collected about us and (their) use and further disclosure,” [9] The enactment of the law is also for boosting investments, whether international or local, and competitiveness in the information technology-business processing outsourcing or IT-BPO sectors and also to support our information and communication technology industry.

Like every law enacted and approved by the government, there would be always the misty or unclear part in the act. Some part of the act can be easily answered by further explanations but some needed a follow up act by the government to make the law more effective as it can be.

 

Situational Gray Areas

FIRST. Under the Section 4(1) of the Data Privacy Act, that pertains to the non-application of the Act to officer or employee of a government institution. This particular section clearly states that government officers and employees do not enjoy the protection granted by the said Act and the government can easily have access to their personal or sensitive personal information. In a scenario where a government employee, under our laws, is required to file Statement of Assets and Liabilities or SALN and a government officer scans through the SALN of his employees and saw the employee’s statement and conclude that the latter had maliciously acquired such properties not proportionate to his salary considering his position as a government employee. Because of non-applicability of Republic Act 10173, his personal or even sensitive personal information are processed and he was put into controversy even if the properties he acquired was through the legal and proper way. What the aggrieved party can do?

Nevertheless, this blurred section can be cleared out using Administrative Law. Under Section 32, “Public office is a public trust. Public officers and employees must at all times be accountable to the people, serve them with the utmost responsibility, integrity, loyalty and efficiency, act with patriotism and justice, and lead modest lives.” In relation to this, under Section 35 of the same law, “All public officers and employees shall be bound by a Code of Ethics to be promulgated by the Civil Service Commission.” With this, the public officers are expected to act with commitment to public interest, professionalism, justness and sincerity, simple living and others as stated in Section 4 of RA 6713 or Code of Conduct and Ethical Standards for Public Officials and Employees.

 

SECOND. One of the functions of National Privacy Commission under Section 7 of the Data Privacy Act is

“(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;”

In this part of the Act, it makes me think of some questions. Some of them were, what if the info they collected was more than what they should have? What will happen to those not needed? What if the excess info they collected may trigger issues other than what is supposed they have obtained? Does it mean that NPC can barge into the information of a person subject of the Alternative Dispute Resolution process? The law does not speak of anything about this, like as to what the victim can do; can the individual sue the NPC? The Act only provides under

“SEC. 8. Confidentiality. – The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.”

I can say that the Act lacks the explanation or corresponding answers to these questions. The Act does not also mentioned of the process an aggrieved individual can do and what the law can do to protect his information retrieved by the commission in excess, what will the commission do if they discovered something using the unnecessary information and how will they dispose it if those were not needed?

 

THIRD. The Section 16 speaks of the Rights of the Data Subject that shows what the data subject can control his personal information. Some of the rights were the right to be informed that his personal info has been processed; right to be furnished the information before entry of the personal information; reasonable access to it upon demand; to have the wrongful information corrected by the personal information controller; to be indemnified for any damages sustained by him due to false or wrongful information obtained or unauthorized use of it and others. Another part of the Act can be related to former is Section 12 that pertains to the Criteria for Lawful Process of personal information that states “ the processing of personal information shall be permitted only if not otherwise prohibited by law and when at least one of the following conditions exists” , and the list goes on.

Given these two sections, it will appear that an individual has no right to refuse for the processing of his personal information. What if the Data Subject refused that his personal information is processed? Does he have the right to refuse? But the law did not specify such situation and not give solution if such happens. As the Act says, the right of choice and of privacy will not be available anymore if one of the conditions in Section 12 exists and his control over his personal information is limited to Section 16. And according to Section 16, his only advantage is to receive damages due to such wrongful act committed against him.

 

FOURTH. Under Section 3, the definitions of “personal information controller” and “personal information processor” were stated as to what their duties and functions are. Section 21 of RA 10173 states that the identity of the individuals designated shall be made known to any data subject only upon request. It also states the accountability for the transfer of personal information for which is given to personal information controller as his responsibility.

Let’s say, the person designated by the personal information controller is a college graduate, who is his friend, not knowledgeable about the laws and saw information of an important person, used such information for his own wrongful ways or found something about his enemies and use it for something he can benefit from. Of course, then it will result to different and numerous trouble. Can the designated person do this? The personal information controller can only be held liable, as the law says. Should it be automatic that the data subject be informed of who were holding his personal information for the feeling of security? And why does the personal information controller has the right to designate? Should the Commission have a say to this situation? For me, it is proper that there must be qualifications needed before an individual shall be held credible for such responsibility because he will be seeing information that are private and should not be known o the public. There must be definite characteristics and skills that the person to have be rightful for such job because it needed the most modest personality to effectively do his duties.

But then, the Revised Penal Code provides that:

“Article 230. Public officer revealing secrets of private individual. – Any public officer to whom the secrets of any private individual shall become known by reason of his office who shall reveal such secrets, shall suffer the penalties of arresto mayor and a fine not exceeding 1,000 pesos.”

 

FIFTH. The Act also does not mention about how personal information was disposed, how can accessing information be considered negligent and others, instead, it only provides for penalties but not the punishable acts. It lacks certainty of definition of crimes that could be committed under this Act but instead only provide for the penalties one can suffer. Sections 25 to 37 are under Chapter VII of the Act stating the crime and its penalties but does not mention of any elements f the crime or qualifications for each crime to be considered as punishable.

What will the commission can do if a third party who accidentally had a copy of the personal information of an individual and disclosed it to the public? Who will be punished? What will be their penalties? How the aggrieved party can took hold of the person responsible for the damage done? None of these were mentioned in the provisions of this Act and clearly there is no relief was provided for the aggrieved party.

 

Conclusion

Republic Act No. 10173 or the Data Privacy Act is enacted for the protection of one’s information or data or right of privacy. But as we scrutinize the law, it lacks the teeth to mark and scare off law breakers. It is also have the parts that are vague and lacks further description or explanation to make the law more understandable. Even some comparisons are needed for the law to be clearer for us. The Congress might have overlooked at it and focused at the some parts of the law. To enhance the law and make it more effective, it must be amended or new laws be enacted and clear out the vagueness of the law.

“Without privacy, there was no point in being an individual”. This quote from Jonathan Franzen reflects the essence of right of privacy.  Every individual differs from one another in personality, fashion style, lifestyle and even way of eating our food. Individuality marks us different and to protect it makes the existence of the concept privacy important. We must value it, protect it and also treasure it.

 

SOURCES:

[1] Psychology Today. (2012). 6 Reasons You Should Spend Time Alone. Retrieved from http://www.psychologytoday.com/blog/high-octane-women/201201/6-reasons-you-should-spend-more-time-alone

[2] Boundless. Understanding Social Interaction. Retrieved from; https://www.boundless.com/sociology/understanding-social-interaction/types-of-social-interaction/personal-space/

[3] Merriam-Webster Dictionary Online. Retrieved from http://www.merriam-webster.com/dictionary/privacy

[4] GR No. 127685. July 23, 1998

[5] 1987 Philippine Constitution

[6] The New Civil Code of the Philippines

[7] Supra.

[8] RA no. 10173.

[9] Kim Luces(GMA Network). 2013. How the Data Privacy Act Impacts PHL Businesses. Retrieved from: http://www.gmanetwork.com/news/story/330365/scitech/technology/how-the-data-privacy-act-impacts-phl-businesses

Advertisements

One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s