Wednesday, May 7, 2014

Situational gray areas of R.A. 10173

            In the world of today we are mindful of the fact that there is a fast pace of growth of technology. It is in technology that we somehow realized that it can be a handmade, a tool for the economic and social growth of a country and to every individual as well. But we cannot set aside the fact that there are also some disadvantages in such modern realization. But this disadvantages or gray areas can be glance from those who, in the technical sense, have made technology applied from the very core of human activity. Furthermore, it can also be viewed from a situation where congress would pass a law and technology would be involved to secure one’s personal information of every natural or judicial person. However, the thing here is how sure that our personal information are protected if there are some loopholes or gray areas of law from which the congress passed? In other words, it can be said that it is from the making of the law vis-a-vi the application of technology that would somehow tear down the rights of every individual because of the gray areas of the law itself resulting in the misuse of technology.
Situational gray areas on data privacy act: 
One that has some situational gray areas would be the R.A. 10173 or the Data Privacy Act. In the very words of Mr. Justice Brandeis citing the case of Blas Ople vs. Ruben D. Torres et al, right to privacy is considered as "the most comprehensive of rights and the right most valued by civilized men."[i] Though it is already a cliché to define the right to privacy as a right to be let alone it is still the simplest way to define one of the rights of a person because it is already enshrined in the constitution specifically the bill of rights.
R.A. 10173 or otherwise known as the ‘Data Privacy act of 2012’ is “an act protecting individual information in Information and Communications Systems in the Government and the Private Sector, creating for this purpose a National Privacy Commission, and for other purposes.”[ii] The creation of commission known as the National Privacy Commission is the one administering or the one that is responsible for the implementation of the Data Privacy Act. Furthermore, the National Privacy Commission is the one accountable of or the one in charge in seeing to it that they comply with the international standards set for data protection and with it “the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines….”[iii] Indeed, congress passed a law that would somehow secure the personal information of every natural and juridical person. The said law would somehow put to an end the dilemma of invading or intruding the personal information of others such that there are penal consequences that would entail.
One cannot really ignore the effort of government in passing this act for this is truly the best evidence to see that politically and economically we are growing and developing as a country. Evidently, R.A. 10173 or the “Data Privacy Act” is one proof of the effort of the government. However, the passage of the said act or law has some loopholes or gray areas that will consequently prejudice the rights of the people to privacy. One such situational gray area would be section 3 (b) which states, “SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective meanings hereafter set forth:
(b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.”[iv]
Thus, the statement talks about the consent of the data subject on the ground that the data subject freely agrees for the processing of his personal information. But, it must be noticed that this consent should be written and if given by an agent, the written consent should be authorized by the data subject. Here lies the problem of forgery because in forgery “to forge an instrument is to make false instrument intended to be passed for the genuine one.”[v] Supposing that A forged the personal information of B who is already deceased, A now becomes an agent, because of the fact that he forged such written authorization of B. Another situation is that A can forged such written consent making it appear that he is B because the consent evidence by written means was forged making it appear to be genuine where in fact it is not. Whatever would be the situation, still, the written authority is left hanging because of forgery. The Personal Information Controller who collects and process the personal information and Personal Information Processor who outsourced personal data of an individual would be confused if the written consent or the written authorization is forged or not. In this effect, it is logical to conclude that the consent freely given is not at all absolute and thus presumed that the one victimized by the act of forging does not want this to happen for his consent is not at all taken. Furthermore, it is against his will for the one who is in control of his personal information is not him but other person who is a forger. Also, under number (2) of the excluded portion of personal information controller, what if the personal information controller just so happen to text the person using SMS because he has now the individual’s personal information. Is the personal information controller liable under Data Privacy Act? Definitely the answer would be ‘no’ because text message is included in number (2) which happens to be one of the exclusions of Personal Information Controller. But still, it violates the right to privacy of an individual for he /she did not gave her personal number nor did she consented that she will be receiving any text message. Worst, if that text message is just an informal one or a threat to the individual.        
            Again on the same section which is section 3 subparagraph (g) and (l) which respectively states, “(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
(l) Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.”[vi]
            Comparing the two subsections, subsection (g) defines what personal information is and subsection (l) is named to be sensitive personal information which is also personal information itself. The question that would be ask in here is that, why did the act separate the personal information from sensitive personal information if the personal information is a sensitive personal information itself and vice versa? Can it be possible to just put it in one subsection? Because the problem will arise: if an individual not highly technical in such terms or if not, the person is not that highly educated, he will have a difficulty on what to put on his personal information because of the misleading phrase of subsection (g) ….when put together with other information.... This phrase will lead individual into a difficult situation on what would be this personal information that he could give because he thinks that the personal information and the sensitive personal information are entirely different in the manner of giving his personal information for they are separated in the act. Assuming arguendo, that the personal information and sensitive information are in a different manner of giving such information, then the individual giving his personal information will be having troubles on what would be that personal information or other information for such personal information has a broad and a wide concept under subsection (g).
            Another is the scope of the said act which is in section 4 which states, “This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines....”[vii] Reading further the said section, there are exclusions that the said act provides. The problem lies to the question of those who process the personal information of an individual. What if they processed such personal information of an individual but they are not found in the Philippines and they use equipment but are not located in the Philippines? Also what if they do not have any office, branch or agency in the Philippines? With this, it cannot be said that it can be possible for the act did not include this kind of situation in its exclusion. But it cannot also be possible because section 4 clearly defines the scope and going beyond what is not distinguished will change the meaning or the concept of the said section. Expressio unius est exclusio alterius, the expression of one thing is the exclusion of another. Thus, there are two sides of possibilities and therefore, there are inconsistencies or gray areas in the said section 4 of the act.
            Another situational gray area of R.A. 10173 would be section 8 (Confidentiality) in connection with section 11 (General Data Privacy Principles) to which it respectively states, “SEC. 8. Confidentiality. – The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.
SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.
Personal information must, be:
(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
(b) Processed fairly and lawfully;”[viii]
            Section 8 merely leads us to think that this personal information has its confidentiality and the Commission has the obligation to see to it that it is kept confidential the moment the Commission acquires this personal information. Now the problem that should be taken care of is that of section 11, wherein such processing of personal information is subjected to certain requirements of the said act and to other laws as well. With the end in mind that this processing of personal information is for a legitimate cause or purpose and should be processed in a lawful manner, it may be asked: who then should determine if such personal information is legitimate or not? It is because section 11 did not clearly specify who is capable of determining such legitimacy of said information. If the Commission would determine the matter, then they are the ones who are in control of disclosing such information to the public for they believed that it is for legitimate purpose. It can be against the will of the one who gave personal information and thus, violating the right to privacy of the individual who gave such personal information. If on the other hand, the person who gave his personal information will be the one determining its legitimate purpose, then how vast will be his knowledge in complying with the legitimate purpose without going away from the intention of the Act.
            In section 13, it talks about Sensitive Personal Information and Privilege Information. That its processing is prohibited but with certain exceptions just like in letter (a) of the said act wherein it speaks mainly of a specific purpose. But the question here is that: To what specific purpose would it be to the extent that this specific purpose will not violate the right of data subject in giving and processing of his sensitive and privileged information? For the data subject, how sure are they, that this information of theirs is not under peril so much so that this is secured and not done or be subjected to any wrong purposes? Also, what will be the demarcation line of the word specific purpose? What would be the means of the government to make sure that this sensitive and privileged information are done for specific purpose?
            Furthermore, from the last paragraph of letter (d) of section 13 it talks about the non-transferability of this sensitive personal information to third person but what if for example, A, being the data subject and giving his consent gave his personal information to B who, in this situation is responsible for processing such information of A. however in the course of events, B gave a copy of the personal information of A to C who is a third party and not related to A. The dilemma would now be this: how will A know and if B gave the personal information of A to C? What will be the determining factor of A that B really and indeed gave it to a third party? Will A just be silent and have a leap of faith because anyway he (A) gave his personal information without bothering himself that this confidentiality will not be exposed to someone not related to him, without his consent or against his will? It leaves a doubt on whether or not the confidentiality of information that the individual gave will not be exposed to someone else because right from the very start, the individual, giving his information to the one responsible of processing this information creates a certain suspicion that the information might be disclose to someone else. Still under the same section with letter (f) as an exception to wit: “The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons....”[ix] However the confidentiality still remains as an issue for the problem that, how can the lawful rights and interests of natural or legal persons be protected if they don’t know from the very start that such personal information might be given to someone else? How will they determine if their rights and interest are protected or not because of the hunch that the one processing those personal information might also be the one sending a copy to someone else?
Section 15 of the Data Privacy Act talks about the Extension of Privilege Communication wherein privilege communication over privilege information may be invoked by the personal information controllers in order to secure the personal information and that it will be kept in confidentiality. Any evidence gathered on privileged communication will be inadmissible as evidence. But it will be subjected to laws and regulations. The concept of privacy of communication in Constitution somehow has its connection to section 15. Under Article 3 of section 3(1) and 3(2) to which it respectively states: “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court or when public safety or order requires otherwise as prescribed by law. xxx Any evidenced obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding.”[x] But what if it involves national interest such that our country will be in danger? How good is this section if right from the very start, the individual who is giving such personal information is the one who is in control whether to put that information or not, whether to change his personal information so that it will be more advantageous to him? It is because of the risk that the personal information might be subjected to existing laws and regulations so much so that the personal information that he will give are now change so that he will not prejudice himself. Another gray would section 17 which speak of transmissibility of rights of the data subject. From here, when the data subject is already dead or incapacitated, the lawful heirs or assigns may take over and be the one who can invoke the rights of the data subject. The question here is that how will they prove that the transfer to the lawful heirs and assigns was done with the consent of the data subject prior to his death? How will they verify at least some of the personal information is true or not if the data subject is already dead? Another is on section 20 where it talks about Security of Personal Information and subsection (e) of the said section speaks of those who are involved in the processing of the personal information, that this personal information should be kept confidential if they are not meant for public disclosure. This obligation will continue even after termination of employment, leaving public service or transfer to another office. Then the question here is that what will happen to the personal information of the data subject if the personal information controller leaves the public service? Supposing that every now and then employees, agents or representatives or even the personal information controller himself leave the public service because of contractual relations, will the person still give his personal information to the new personal information controller or the new personal information controller will just review the personal information that was being processed by the old personal information controller. Can this situation clearly defeats the very purpose of confidentiality because of the fact that every now and then, after contractual relations new persons will come and work for this said commission and it can be possible that they will know the individual’s personal information.
            At present, one cannot really escape the changes in reality in so far as technology is concerned so much so that the congress adapts technology in order to be equipped with the trend of reality in technology. It is in technology that the congress can incorporate it with the laws that they pass. However, it creates a danger if the application of technology is being done in a wrong concept just like not being knowledgeable enough on technology and mixed it in creating a law. Thus, the danger that the law will harm the very rights of individual, may it be natural or legal person. Law is there to guide people towards their right to privacy. For if this right to privacy is being abused then people should not think themselves as free men for they are not at liberty. In the words of Karl Marx on his critique to human rights, “Liberty, therefore, is the right to do everything that harms no one else. The limits within which anyone can act without harming someone else are defined by law….”[xi] and R.A. 10173 is there to exemplify that technology can be a handmade of law. However, because of some gray areas in the law, it can somehow harm the very rights each individual and somehow will not take full effect in implementing the said act.

[i] Blas Ople v. Ruben D. Torres et al., G.R. No. 127685, July 3, 1998, available at, (last accessed May 7, 2014).
[ii] Republic Act No. 10173 (2012).
[iii] Id., Sec. 4
[iv] Id., Sec 3 (b)
[v] Book 2, LUIS B. REYES, Revised Penal Code: Criminal Law, p. 201, 17th ed., 2008.
[vi] Id., Section 3 (g), (l)
[vii] Id., Section 4
[viii] Id., Section 8, 11
[ix] Id., Section 13 (f)
[x] ISAGANI A. CRUZ, Constitutional Law, p. 141, 2007 ed.
[xi] Jeremy Waldron, Nonsense Upon Stilts: Bentham, Burke and Marx on the Rights of Man, Methuen & Co., 1987, at pp. 33–34.


Post a Comment

Subscribe to Post Comments [Atom]

<< Home