RA 10173 or the Data Privacy Act of 2012 (DPA) did not draw much
attention as compared to the sensational Cybercrime Prevention Act of 2012 (RA
10175). If the two laws were likened to two women, we would have the Maria Clara – Maria Ozawa dichotomy. The
former, conservative in nature, maintained its composure and was unscathed by
criticisms and issues. The latter, on the other hand, became sensational and
drew flak from different sectors of both the real and the cyber world. (Please
understand that this comment is intended neither to belittle women as the weaker
sex nor to stereotype them in rigid and superficial categories. The metaphor is used
only to show how similar the laws appear, even if they are at the
opposite ends of the spectrum when we consider the public reaction.)
Clearly, the use and transfer of information have greatly evolved
since the time of Maria Clara. The information age has provided us with very
powerful platforms to extract, process, and transfer information. One could
muse that during Rizal’s time, the pen was mightier than the sword. However, in
the information age, the more powerful weapon is the click of the mouse.
(Tablet users may argue that it’s the tap of a finger.) With one click, we can
download an entire collection of Rizal’s works, or upload comprehensive
warfare tactics that might have been useful for the Katipuneros. However, these
technological advances have also made us more vulnerable to threats and
attacks. In our time and age, personal information used fraudulently and/or
erroneously can cause detrimental effects to us. In 2008, in the United States
alone, there were as many as 10 million cases of identity theft, many of
which were perpetrated through the misuse of private data. [1] Thus, the law was supposedly conceived
to protect us from these ills.
The Law
Purpose
The declaration of policy noted that the human right to privacy
should be safeguarded and that personal information in Information and Communications
Technology (ICT) systems in both the government and private sectors is
protected and secured. [2] This declaration tells us that the
law recognizes the importance of our right to be let alone, all the more in this
ever-changing age. The Law will also ensure that we are protected from
the threats of the misuse and abuse of personal and sensitive information.
Another purpose of the law is to increase the confidence of
international investors, particularly in the BPO industry, by adhering to
international standards of privacy protection. [3] Given the billions of dollars
in revenue generated by the BPO industry, compliance with international standards
will surely ensure the competitiveness and attractiveness of the Philippines. This could very well translate to more
job opportunities for Filipinos.
Scope
Personal information is defined as “any information whether recorded
in material form or not, from which the identity of an individual is apparent
or can be reasonably and directly ascertained by the entity holding the
information or if put together with other information will certainly identify
the person”. This will
include facts and figures about a person’s race, ethnic origin, marital status,
age, color, religion, political affiliations, health, and sexual life.[4]
The Law will cover “all
types of personal information and to any natural and juridical person involved
in personal information processing including those personal information
controllers and processors who, although not found or established in the
Philippines, use equipment that are located in the Philippines” with specific exclusions on the
following:
- Personal information originally
collected from residents of foreign jurisdictions
- Information on government personnel
related to position and function.
- Information covered in AMLA, SBA,
CISA, FCDU and other pertinent banking laws.[5]
Notable Provisions
The law mandates collectors, holders and processors of personal
and sensitive information to ensure strict compliance in the conduct of their
activities. The information
must also be stored only as long as it is needed or “for the establishment, exercise or
defense of legal claims, or for legitimate business purposes, or as provided by
law.” Lack of consent from
the data subject will not stop the processing should it be related to the
fulfilment of a contract he has previously entered into, to comply with a legal
obligation, in cases of life and health, and to serve the greater interests of
the public. In some cases
where the information is found to be incomplete, outdated, false, and/or
unlawfully obtained, the data subject can demand its withdrawal, blocking
or removal. Penalties for violations include imprisonment of up to 7 years, and
the fines range from Php 500,000 to Php 2,000,000.00 [6]
National Privacy Commission (NPC)
The NPC is tasked with administering and implementing the
provisions of the Law, recommending to the DOJ the prosecution and imposition
of penalties, and helping facilitate cross-border enforcement of data privacy
protection. It will be composed of three members: a Privacy Commissioner and
two deputies. Also, the NPC will be attached to the Department of Information
and Communications Technology (DICT). Should the creation of the DICT not be completed
by the time the law takes full force and effect, the Commission will attach itself
to the Office of the President. The Commission will receive an initial
appropriation of Php 20,000,000 and Php 10,000,000 per year for 5 years upon
implementation. [7]
My Take
The Good
The law will indeed spur growth in the BPO industry. According to Business Processing Association of the
Philippines (BPAP) President Benedict Hernandez, “Because the IT-BPO
industry and best practice is evolving rapidly, enhancements to existing
legislation will ensure that the Philippines remains competitive and in fact
leads breakthrough initiatives in best practices for the industry.”[8] And, according to Alejandro Melchor III, deputy executive
director for ICT industry development, “the new law will help the
Philippines become a global leader for shared services, one of the fastest
growing segments of the IT-BPO industry” [9]. Working in a call centre for two years made me realize that indeed
the BPO industry employs a great number of Filipinos. The BPO industry has also employed
many of my family members and friends and given this fact, I am very much in
favor of a law that will help the BPO industry sustain and maybe increase its
current hiring state.
The law will also help protect a person’s data
from abuse and misuse. Without
consent, companies and government institutions cannot transfer or process
someone’s personal data. I
am personally aware that some companies use and transfer personal information
of their clients for marketing and cross-selling metrics purposes. This means that some companies
allegedly use and share personal information like income, sex and preferences
to sell products to clients via personal email and/or mobile numbers. With the law in place, we will be
better protected from this type of practice and we may receive fewer spam
emails and text messages.
I am also in favor of a law that will replicate the care and
transparency the banking institutions practice with the personal and sensitive
information of their customers to other sectors, both in the government and
private industries. Married
to a banker engaged in information risks, I am particularly aware of the
different safeguards and due diligence banks do just to ensure that customer information
is protected. There are different
levels of checking and counter checking done in the banks and some even create
a standalone department just to ensure compliance. This goes to show that when the law gains full
throttle a similar practice will be expected in the other industries.
Another advantage of the law that I have seen is that it puts
a premium on the protection of our constitutional right to privacy. Extraction, processing and the
transfer of our personal data should be done with utmost care. There is a reason why they coined the
saying “we all have skeletons in our closets”. And it is that we value our
personal information and we deserve for it to be handled well. I believe that several scandals
(Hayden Kho, Amalayer) may have been avoided if the general public knew that
there would be repercussions if they disregard the value of privacy.
The Bad
Some journalists raised their concerns that the law might be
restrictive to the principles of the media – freedom of expression,
accountability and transparency. They said that the personal lives of
government officials have a bearing on their accountability to the
citizenry. Thus, there may be hindrances
to journalists in proving the wrongdoings of certain politicians and officials
in government. [10] I don’t think I agree with this type of
thinking. There is a specific provision in the law which gives leeway to journalistic,
artistic, literary or research purposes. Also, there are other ways to expose a
corrupt official. We have existing
mechanisms at the local government level as well as in the Office of the Ombudsman
and Sandiganbayan to address this type of concern. Also, I don’t think this can be an issue of
freedom of expression. I believe that
for every ounce of freedom the journalists claim they have, there is a corresponding
ounce of responsibility and accountability in their actions.
I am not particularly sold on the 1000 bulk limit in accessing and
moving records. There may be times when
the 1000 bulk limit will not be applicable.
Databases may contain records of up to a million entries and if you have
restriction on the limit then it would be hard for the processors to do their
jobs. Also, why would you need to set a
bulk limit if in the following paragraph of the law it is indicated that the
data will be protected using the most secure encryption available? Following the armoured car analogy where the
car used has thick armor and the guards inside have big guns, it wouldn’t make
sense if the amount stored will be set at a very small limit.
There are some particular blogs which I have come across which
mentioned that the penalties of the law are irrationally stiff. They reason that a poor processor may end up
paying a large sum or worse do time even if they did not mean to do the wrong
deed. I particularly do not agree with
this. I believe that the intention of the law is to create awareness as well as
create a system of due diligence when handling private data. It is the responsibility of the companies/industries
to train their staff to be particularly familiar with the provisions of the
law. Due diligence has been part of the
banking industry ever since so I don’t think the other industries will have a hard
time catching up. [11]
The Questions
As with other laws, the question may not be how beautifully they
are crafted, but how effectively they are implemented. As we are yet to see the IRR, I cannot help
but speculate on the following:
a) What would be the different levels of penalties? Will it be according to the sensitivity of the information, the bulk of information? Where do we draw the line between what’s sensitive and highly sensitive?
b) How will the commission handle possible conflicts with other laws specifically those related to banking?
c) What are the criteria for journalistic, artistic, literary or research purposes?
d) Will the government compensate or give particular incentives and perks to those following the law?
e) Will the law entail additional costs to the government and the private sector?
The Verdict
Given the insights I have provided
above, I am in favor of this law. I see
that it will be beneficial to the greater good as long as the implementation is
handled carefully. I also believe that
the advantages of the law definitely outweigh its perceived disadvantages. With that said, I shall wait for the
formulation of the Implementing Rules and Regulations and revise/redraft my
stance if necessary.
ENDNOTES