THE DEFICIENCY OF THE DATA PRIVACY ACT AND ITS INTERNAL RULES AND REGULATIONS

Introduction

Gary Kovacs, an advocate of individual privacy, once said, “Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet.” Kovacs is a San Francisco Bay Area technologist and the Chief Executive Officer of AVG Technologies.

Personal privacy is a natural and fundamental right. Even in the early stages of civilization, concern for privacy had already emerged. Looking back to the Middle Ages, when spears, axes and wooden shields were common luggage and induction into the army was the common profession, the right to privacy was already observed. As quoted, “Medieval people had no such assumptions about privacy. In a medieval village or a castle, a community of people living close together, it was assumed that everyone knew everyone else’s business, perhaps even better than they did.” As gleaned, people then already had an instinctive feeling of respect for one’s personal dwelling, and this was a time when landlords practically ruled over everything as far as their eyes could see (C. Dale Brittain, professor of medieval history. Life in the Middle Ages. Jan 14, 2015).

The right to data privacy is a human right. To keep up with the changing times and the undeniable clamour against modern intrusions into one’s personal information, the Philippine legislature enacted Republic Act No. 10173, or the Data Privacy Act of 2012. It aimed to strengthen and legitimize the State’s crusade against violators of the data privacy of private individuals and of government officials or employees in their private capacity. However, despite its noble advocacy, the law lacks teeth in certain aspects.

The law slept for a while. Although the law was enacted way back in 2012, the first Commissioner of the National Privacy Commission (NPC) only took his oath of office on March 6, 2016. This resulted in almost four years of inactivity since the law took effect. It goes without saying that the NPC is still going through its preliminary stage of dos and don’ts. It is virtually a fledgling born at the wrong time, since four years is enough to breed new changes in technology.

The release of the Implementing Rules and Regulations (IRR) was delayed and insufficient. The IRR is needed to provide clear guidelines on dealing with data breaches, establishing data breach policies and response protocols, and crafting safety standards, among others. Without it, the law remains a mere scrap of paper. The IRR states that the NPC will handle all investigations and complaints for violations of R.A. No. 10173, to wit:

SEC. 7 Functions of the National Privacy Commission. – To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, which shall have the following functions:

(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;

It is the writer’s opinion that this specific provision gives the NPC an unbridled power that may lead to abuse and corruption. The failure to provide a holistic procedure on when and how a person adversely adjudged by a final decision of the NPC can resort to the courts as their last bulwark leaves the procedure of appeal vague and unjust. “Congress can vest to administrative agencies judicial and quasi-judicial powers. This must be in the form of an express delegation to be effective” (Ruben E. Agpalo. Administrative law, law on public officers and election law. p.12, 2005). The grant of quasi-judicial power to an agency carries with it the power to issue and promulgate rules and procedure for the proper exercise of its adjudicatory power, even though the enabling law is silent on the matter (Angara v. Electoral Commission, 63 Phil. 139, 1936).

That said, the IRR should have further provided the proper procedure as to what remedy to take in case of an unfavourable decision of the NPC. The right to appeal, it is true, is not a part of due process but a mere statutory privilege that has to be exercised only in the manner and in accordance with the provisions of law (Cu-Unjieng v. CA, 479 SCRA 594, 601). Also, while the right to appeal is not a constitutional, natural or inherent right, it is still a statutory privilege and of statutory origin (Canton v. City of Cebu, 515 SCRA 441, 448).

The law is reactive but not proactive. A closer scrutiny of the law reveals the lack of guidelines on what a natural or juridical person should undertake in case the personal data of another person falls into their hands, whether intentionally, negligently or for some reason or another. It does not impose a duty on the subsequent holder of the data as to what to do after acquiring it. It is only reactive because the law becomes useful only when the personal information has already been held for a relative time, is about to be processed, has been processed, or when the real owner decides to file a complaint.

A 2008 report titled ‘For Your Information: Australian Privacy Law and Practice’ (Report 108) recommended that the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a real risk of serious harm to the affected individual. Data breach notification is good privacy practice. Notifying individuals when a data breach involves their personal information supports good privacy practice, for the following reasons:

(1) Notification as a reasonable security safeguard – As part of the obligation to keep personal information secure, notification may, in some circumstances, be a reasonable step in the protection of personal information from misuse, interference and loss, and from unauthorized access, modification or disclosure.

(2) Notification as openness about privacy practices – Being open and transparent with individuals about how personal information may be handled is recognized as a fundamental privacy principle. Part of being open about the handling of personal information may include telling individuals when something goes wrong and explaining what has been done to try to avoid or remedy any actual or potential harm.

(3) Notification as restoring control over personal information – Where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, where an individual’s identity details have been stolen, once notified, the individual can take steps to regain control of their identity information by changing passwords or account numbers, or requesting the reissue of identifiers.

(4) Notification as a means of rebuilding public trust – Notification can be a way of demonstrating to the public that an agency or organization takes the security of personal information seriously, and is working to protect affected individuals from the harms that could result from a data breach. Customers may be reassured to know that an agency or organization’s data breach response plan includes notifying them and relevant third parties.

The writer strongly encourages notification in appropriate circumstances as part of good privacy practice, and in the interest of maintaining a community in which privacy is valued and respected.

Consequently, we demand that the NPC voluntarily put in place reasonable measures to deal with initial data breaches, including obliging subsequent users and holders of data to immediately notify the true owners of the data, under pain of stringent punishment in case of non-compliance.

Giving away one’s personal number transgresses the right to privacy. In modern times, getting in touch with someone entails calling him via telephone or cell phone. This is an accepted norm. A vital question presents itself, however: “Is the disclosure of someone’s mobile number to a third person without the owner’s consent a violation of R.A. No. 10173?” While the writer applauds the legislature’s interpretation that “it is not” an encroachment, that interpretation must be respectfully rejected, taking into account the modern way of living. The right to privacy encompasses the right not to be disturbed. Imagine a branch manager in a bank on a tight Monday schedule, who can hardly make his various calls to all sorts of people, be it clients, colleagues, head office personnel, etc., only to be disturbed by a number of text messages and calls from enthusiastic sales agents selling their promos, discounted products, health care insurance, loans and real estate properties, not to mention the spam messages. This is evidently a clear disturbance of the right to peace of mind.

Our private mobile number was undervalued by the legislature. Unwary of its significance, Congress defined “Personal Information” as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. It is worth mentioning that telecommunication companies now offer product packages that include a phone along with a new SIM card, to be paid in instalments. This entails filling out a form on which your personal information is written, thus surrendering it to the telecoms. Accordingly, your name, addresses and other particulars are now traceable by merely identifying your mobile number.

Extraterritorial application of the law may be counterproductive to our economy. The law provides for overseas application over Filipino citizens or residents. It means that a covered person may enforce his data privacy rights even against companies abroad. This would likely present obstacles to some industries, such as the IT-BPO industry, in which foreign employers gain access, through their local BPO companies, to the personal information of their employees, obviously for administration purposes. This in effect technically subjects them to the obligations set forth under the law. If this happens, foreign employers might feel insecure and discouraged from investing in the Philippines. The result will be the downsizing of the employment machinery of local branches here.

In an article titled “BPO in the Philippines Could Jumpstart Economic Growth”, posted on October 7, 2014, Edward Barbour-Lacey underscored the significance of the industry. Over the past decade, the Philippines’ BPO industry has seen tremendous growth – revenues and employment have expanded tenfold since 2004. The industry sees an average yearly growth rate of 20 percent. Filipino employees are particularly attractive to BPO employers – they tend to be very fluent in Western-accented English. While the BPO industry employs just two percent of the country’s workforce, the industry has had a positive effect on a number of other business areas, such as the retail, real estate, and telecom industries.

At any rate, the writer expresses both her gratitude and her dismay as to the fast-tracking of the law. However, while we recognize the laudable efforts of our Congress in their pursuit to strengthen privacy laws, we want to raise our concern as to the fragmented approach of the law. Legal scholars Katharina Pistor and Chenggang Xu describe an incomplete law in the article “How Countries Deal with Incomplete Law” (2003):

Lawmakers cannot foresee all situations in which the law may be applied or needed. Changes in social conditions, innovations in markets and developments in new technologies may create circumstances not contemplated when the law was created. A very specific law may very quickly become obsolete. So, legislatures often formulate general law that can be applied to all conditions and individuals covered under the law. While a general law prevents arbitrariness with respect to the application of the law, it makes it impossible to create a complete law. New circumstances always arise.

In fine, a plain reading of the provisions of the Data Privacy Act of 2012 clearly shows the legislature’s continuing concern for the protection of the right to privacy, consistent with the continuing advancement in technology. As succinctly explained in Whalen vs. Roe:

“We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files. The collection of taxes, the distribution of welfare and social security benefits, the supervision of public health, the direction of our Armed Forces and the enforcement of the criminal laws all require the orderly preservation of great quantities of information, much of which is personal in character and potentially embarrassing or harmful if disclosed. The right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures.”

In Ople vs. Torres, the Supreme Court underscored in no uncertain terms, that the right to privacy does not bar all incursions into individual privacy. The right is not intended to stifle scientific and technological advancements that enhance public service and the common good. It merely requires that the law be narrowly focused and compelling interests justify such intrusions. Intrusions into the right must be accompanied by proper safeguards and well-defined standards to prevent unconstitutional invasions. Any law or order that invades individual privacy will be subjected by the Court to strict scrutiny.

Conclusion:

The law has all the good intentions for the promotion of the constitutional right to privacy. The legislature’s intent was well reflected in the provisions, where it tried to uphold privacy when due while still balancing it and protecting the person at times when intrusion becomes necessary and authorized. Even a layman, on a plain reading of the law, will easily agree with it and feel protected by it. However, reality does not end where the law ends. Reality in its application and enforcement is still the gravamen of the right, for what use is the right when it remains only on paper?

In the final analysis, the writer concludes that its implementing rules and regulations lack the other safeguards and teeth to extend the rights and protection given by the law.

The implementing rules of the Data Privacy Act provide that employees and officers of the NPC, after their severance from employment, are obligated to perpetually maintain the confidentiality of all information obtained during their service. While non-disclosure is one thing, the penalty in case of breach thereof is another. The IRR failed to provide how and in what manner the secrecy should be maintained. It also neglected to specify details as to what information is covered and to what extent. The evident incompleteness of the regulation will ultimately defeat the purpose intended by the law, which is to safeguard the privileged information.

Nonetheless, all is not lost. What matters is that the Legislature has already provided a law which recognizes such rights and favors their protection. Experience, necessity and the ever-growing technological environment will be the guides in later amending and improving the Implementing Rules.

 

Sources:

C. Dale Brittain, professor of medieval history. Life in the Middle Ages. Jan 14, 2015.
http://cdalebrittain.blogspot.com/2015/01/privacy-in-middle-ages.html

For Your Information: Australian Privacy Law and Practice (Report 108), 2008.
https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches

Edward Barbour-Lacey. “BPO in the Philippines Could Jumpstart Economic Growth.” October 7, 2014.
http://www.aseanbriefing.com/news/2014/10/07/future-philippines-bpo-industry-jumpstart-economic-growth.html

Katharina Pistor and Chenggang Xu. “How Countries Deal with Incomplete Law.” 2003.
https://clg.portalxm.com/library/keytext.cfm?keytext_id=26

Caroline Corro. R.A. No. 10173 or the Data Privacy Act of 2012. July 5, 2013.
https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-data-privacy-act-of-2012/

Ruben E. Agpalo. Administrative law, law on public officers and election law. p.12, 2005.

Data Privacy Act of 2012 and Its Implementing Rules.

Ople vs. Torres, G.R. No. 127685 (1998).

Whalen vs. Roe, 429 U.S. 589 (1977).

Cu-Unjieng v. CA, 479 SCRA 594, 601.

Angara v. Electoral Commission, 63 Phil. 139 (1936).

Canton v. City of Cebu, 515 SCRA 441, 448.
