Situational gray areas of R.A. 10173
Introduction:
In
the world of today we are mindful of the fact that there is a fast pace of
growth of technology. It is in technology that we somehow realized that it can
be a handmade, a tool for the economic and social growth of a country and to
every individual as well. But we cannot set aside the fact that there are also
some disadvantages in such modern realization. But this disadvantages or gray
areas can be glance from those who, in the technical sense, have made
technology applied from the very core of human activity. Furthermore, it can
also be viewed from a situation where congress would pass a law and technology
would be involved to secure one’s personal information of every natural or
judicial person. However, the thing here is how sure that our personal
information are protected if there are some loopholes or gray areas of law from
which the congress passed? In other words, it can be said that it is from the
making of the law vis-a-vi the application of technology that would somehow
tear down the rights of every individual because of the gray areas of the law
itself resulting in the misuse of technology.
Situational gray areas
on data privacy act:
One that has some situational
gray areas would be the R.A. 10173 or the Data Privacy Act. In the very words
of Mr. Justice Brandeis citing the case of Blas Ople vs. Ruben D. Torres et al,
right to privacy is considered as "the most comprehensive of rights and
the right most valued by civilized men."[i]
Though it is already a cliché to define the right to privacy as a right to be
let alone it is still the simplest way to define one of the rights of a person
because it is already enshrined in the constitution specifically the bill of
rights.
R.A. 10173 or
otherwise known as the ‘Data Privacy act of 2012’ is “an act protecting
individual information in Information and Communications Systems in the
Government and the Private Sector, creating for this purpose a National Privacy
Commission, and for other purposes.”[ii]
The creation of commission known as the National Privacy Commission is the one administering
or the one that is responsible for the implementation of the Data Privacy Act.
Furthermore, the National Privacy Commission is the one accountable of or the
one in charge in seeing to it that they comply with the international standards
set for data protection and with it “the processing of all types of personal information and
to any natural and juridical person involved in personal information processing
including those personal information controllers and processors who, although
not found or established in the Philippines….”[iii]
Indeed, congress passed a law that would somehow secure the personal
information of every natural and juridical person. The said law would somehow
put to an end the dilemma of invading or intruding the personal information of
others such that there are penal consequences that would entail.
One cannot really ignore the effort of government in passing this act
for this is truly the best evidence to see that politically and economically we
are growing and developing as a country. Evidently, R.A. 10173 or the “Data
Privacy Act” is one proof of the effort of the government. However, the passage
of the said act or law has some loopholes or gray areas that will consequently
prejudice the rights of the people to privacy. One such situational gray area
would be section 3 (b) which states, “SEC. 3. Definition of
Terms. – Whenever used in this Act, the following terms shall have the
respective meanings hereafter set forth:
xxx
(b) Consent of the data subject refers to any freely
given, specific, informed indication of will, whereby the data subject agrees
to the collection and processing of personal information about and/or relating
to him or her. Consent shall be evidenced by written, electronic or recorded
means. It may also be given on behalf of the data subject by an agent
specifically authorized by the data subject to do so.
xxx
(h) Personal information controller refers to a person
or organization who controls the collection, holding, processing or use of
personal information, including a person or organization who instructs another
person or organization to collect, hold, process, use, transfer or disclose
personal information on his or her behalf. The term excludes:
xxx
(2) An individual who collects, holds, processes or uses personal
information in connection with the individual’s personal, family or household
affairs.”[iv]
Thus, the statement talks about the consent of the
data subject on the ground that the data subject freely agrees for the processing
of his personal information. But, it must be noticed that this consent should
be written and if given by an agent, the written consent should be authorized
by the data subject. Here lies the problem of forgery because in forgery “to
forge an instrument is to make false instrument intended to be passed for the
genuine one.”[v]
Supposing that A forged the personal information of B who is already deceased,
A now becomes an agent, because of the fact that he forged such written
authorization of B. Another situation is that A can forged such written consent
making it appear that he is B because the consent evidence by written means was
forged making it appear to be genuine where in fact it is not. Whatever would
be the situation, still, the written authority is left hanging because of
forgery. The Personal Information Controller who collects and process the
personal information and Personal Information Processor who outsourced personal
data of an individual would be confused if the written consent or the written
authorization is forged or not. In this effect, it is logical to conclude that
the consent freely given is not at all absolute and thus presumed that the one
victimized by the act of forging does not want this to happen for his consent
is not at all taken. Furthermore, it is against his will for the one who is in
control of his personal information is not him but other person who is a
forger. Also, under number (2) of the excluded portion of personal information
controller, what if the personal information controller just so happen to text
the person using SMS because he has now the individual’s personal information.
Is the personal information controller liable under Data Privacy Act?
Definitely the answer would be ‘no’ because text message is included in number
(2) which happens to be one of the exclusions of Personal Information
Controller. But still, it violates the right to privacy of an individual for he
/she did not gave her personal number nor did she consented that she will be
receiving any text message. Worst, if that text message is just an informal one
or a threat to the individual.
Again on the same
section which is section 3 subparagraph (g) and (l) which respectively states,
“(g) Personal information refers to any information whether
recorded in a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the entity holding
the information, or when put together with other information would directly and
certainly identify an individual.
xxx
(l) Sensitive personal information refers to personal
information:
(1) About an individual’s race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence of
any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which
includes, but not limited to, social security numbers, previous or cm-rent
health records, licenses or its denials, suspension or revocation, and tax
returns; and
(4) Specifically established by an executive order or an act of Congress
to be kept classified.”[vi]
Comparing the two
subsections, subsection (g) defines what personal information is and subsection
(l) is named to be sensitive personal information which is also personal
information itself. The question that would be ask in here is that, why did the
act separate the personal information from sensitive personal information if
the personal information is a sensitive personal information itself and vice
versa? Can it be possible to just put it in one subsection? Because the problem
will arise: if an individual not highly technical in such terms or if not, the
person is not that highly educated, he will have a difficulty on what to put on
his personal information because of the misleading phrase of subsection (g)
….when put together with other information.... This phrase will lead individual
into a difficult situation on what would be this personal information that he
could give because he thinks that the personal information and the sensitive
personal information are entirely different in the manner of giving his
personal information for they are separated in the act. Assuming arguendo, that
the personal information and sensitive information are in a different manner of
giving such information, then the individual giving his personal information
will be having troubles on what would be that personal information or other
information for such personal information has a broad and a wide concept under
subsection (g).
Another is the scope of
the said act which is in section 4 which states, “This Act applies to the
processing of all types of personal information and to any natural and
juridical person involved in personal information processing including those
personal information controllers and processors who, although not found or
established in the Philippines, use equipment that are located in the
Philippines, or those who maintain an office, branch or agency in the
Philippines....”[vii] Reading
further the said section, there are exclusions that the said act provides. The
problem lies to the question of those who process the personal information of
an individual. What if they processed such personal information of an
individual but they are not found in the Philippines and they use equipment but
are not located in the Philippines? Also what if they do not have any office,
branch or agency in the Philippines? With this, it cannot be said that it can
be possible for the act did not include this kind of situation in its exclusion.
But it cannot also be possible because section 4 clearly defines the scope and
going beyond what is not distinguished will change the meaning or the concept
of the said section. Expressio unius est
exclusio alterius, the expression of one thing is the exclusion of another.
Thus, there are two sides of possibilities and therefore, there are
inconsistencies or gray areas in the said section 4 of the act.
Another situational
gray area of R.A. 10173 would be section 8 (Confidentiality) in connection with
section 11 (General Data Privacy Principles) to which it respectively states,
“SEC. 8. Confidentiality. – The Commission shall ensure at all
times the confidentiality of any personal information that comes to its
knowledge and possession.
xxx
SEC. 11. General Data Privacy Principles. – The
processing of personal information shall be allowed, subject to compliance with
the requirements of this Act and other laws allowing disclosure of information
to the public and adherence to the principles of transparency, legitimate
purpose and proportionality.
Personal information must, be:
(a) Collected for specified and legitimate purposes determined and
declared before, or as soon as reasonably practicable after collection, and
later processed in a way compatible with such declared, specified and
legitimate purposes only;
(b) Processed fairly and lawfully;”[viii]
Section 8 merely leads
us to think that this personal information has its confidentiality and the
Commission has the obligation to see to it that it is kept confidential the
moment the Commission acquires this personal information. Now the problem that
should be taken care of is that of section 11, wherein such processing of
personal information is subjected to certain requirements of the said act and
to other laws as well. With the end in mind that this processing of personal
information is for a legitimate cause or purpose and should be processed in a
lawful manner, it may be asked: who then should determine if such personal
information is legitimate or not? It is because section 11 did not clearly
specify who is capable of determining such legitimacy of said information. If
the Commission would determine the matter, then they are the ones who are in
control of disclosing such information to the public for they believed that it
is for legitimate purpose. It can be against the will of the one who gave
personal information and thus, violating the right to privacy of the individual
who gave such personal information. If on the other hand, the person who gave
his personal information will be the one determining its legitimate purpose,
then how vast will be his knowledge in complying with the legitimate purpose
without going away from the intention of the Act.
In section 13, it talks
about Sensitive Personal Information and Privilege Information. That its
processing is prohibited but with certain exceptions just like in letter (a) of
the said act wherein it speaks mainly of a specific purpose. But the question
here is that: To what specific purpose would it be to the extent that this
specific purpose will not violate the right of data subject in giving and
processing of his sensitive and privileged information? For the data subject,
how sure are they, that this information of theirs is not under peril so much
so that this is secured and not done or be subjected to any wrong purposes?
Also, what will be the demarcation line of the word specific purpose? What
would be the means of the government to make sure that this sensitive and
privileged information are done for specific purpose?
Furthermore, from the
last paragraph of letter (d) of section 13 it talks about the
non-transferability of this sensitive personal information to third person but
what if for example, A, being the data subject and giving his consent gave his
personal information to B who, in this situation is responsible for processing
such information of A. however in the course of events, B gave a copy of the
personal information of A to C who is a third party and not related to A. The
dilemma would now be this: how will A know and if B gave the personal information
of A to C? What will be the determining factor of A that B really and indeed
gave it to a third party? Will A just be silent and have a leap of faith
because anyway he (A) gave his personal information without bothering himself
that this confidentiality will not be exposed to someone not related to him,
without his consent or against his will? It leaves a doubt on whether or not
the confidentiality of information that the individual gave will not be exposed
to someone else because right from the very start, the individual, giving his
information to the one responsible of processing this information creates a
certain suspicion that the information might be disclose to someone else. Still
under the same section with letter (f) as an exception to wit: “The processing
concerns such personal information as is necessary for the protection of lawful
rights and interests of natural or legal persons....”[ix]
However the confidentiality still remains as an issue for the problem that, how
can the lawful rights and interests of natural or legal persons be protected if
they don’t know from the very start that such personal information might be
given to someone else? How will they determine if their rights and interest are
protected or not because of the hunch that the one processing those personal
information might also be the one sending a copy to someone else?
Section 15 of the Data Privacy Act talks about the Extension of
Privilege Communication wherein privilege communication over privilege
information may be invoked by the personal information controllers in order to
secure the personal information and that it will be kept in confidentiality.
Any evidence gathered on privileged communication will be inadmissible as
evidence. But it will be subjected to laws and regulations. The concept of
privacy of communication in Constitution somehow has its connection to section
15. Under Article 3 of section 3(1) and 3(2) to which it respectively states:
“The privacy of communication and correspondence shall be inviolable except upon
lawful order of the court or when public safety or order requires otherwise as
prescribed by law. xxx Any evidenced obtained in violation of this or the
preceding section shall be inadmissible for any purpose in any proceeding.”[x]
But what if it involves national interest such that our country will be in
danger? How good is this section if right from the very start, the individual
who is giving such personal information is the one who is in control whether to
put that information or not, whether to change his personal information so that
it will be more advantageous to him? It is because of the risk that the
personal information might be subjected to existing laws and regulations so
much so that the personal information that he will give are now change so that
he will not prejudice himself. Another gray would section 17 which speak of
transmissibility of rights of the data subject. From here, when the data
subject is already dead or incapacitated, the lawful heirs or assigns may take
over and be the one who can invoke the rights of the data subject. The question
here is that how will they prove that the transfer to the lawful heirs and
assigns was done with the consent of the data subject prior to his death? How
will they verify at least some of the personal information is true or not if
the data subject is already dead? Another is on section 20 where it talks about
Security of Personal Information and subsection (e) of the said section speaks
of those who are involved in the processing of the personal information, that
this personal information should be kept confidential if they are not meant for
public disclosure. This obligation will continue even after termination of
employment, leaving public service or transfer to another office. Then the
question here is that what will happen to the personal information of the data
subject if the personal information controller leaves the public service? Supposing
that every now and then employees, agents or representatives or even the
personal information controller himself leave the public service because of
contractual relations, will the person still give his personal information to
the new personal information controller or the new personal information
controller will just review the personal information that was being processed
by the old personal information controller. Can this situation clearly defeats
the very purpose of confidentiality because of the fact that every now and
then, after contractual relations new persons will come and work for this said
commission and it can be possible that they will know the individual’s personal
information.
Conclusion:
At present, one cannot
really escape the changes in reality in so far as technology is concerned so
much so that the congress adapts technology in order to be equipped with the
trend of reality in technology. It is in technology that the congress can
incorporate it with the laws that they pass. However, it creates a danger if
the application of technology is being done in a wrong concept just like not
being knowledgeable enough on technology and mixed it in creating a law. Thus,
the danger that the law will harm the very rights of individual, may it be
natural or legal person. Law is there to guide people towards their right to
privacy. For if this right to privacy is being abused then people should not
think themselves as free men for they are not at liberty. In the words of Karl
Marx on his critique to human rights, “Liberty,
therefore, is the right to do everything that harms no one else. The limits
within which anyone can act without harming someone else are defined by law….”[xi] and R.A. 10173 is there to
exemplify that technology can be a handmade of law. However, because of some
gray areas in the law, it can somehow harm the very rights each individual and
somehow will not take full effect in implementing the said act.
[i] Blas Ople v. Ruben D. Torres et al., G.R. No. 127685, July 3, 1998,
available at http://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html,
(last accessed May 7, 2014).
[ii] Republic Act No. 10173 (2012).
[iii] Id., Sec. 4
[iv] Id., Sec 3 (b)
[v] Book 2, LUIS B. REYES, Revised Penal Code: Criminal Law, p. 201, 17th
ed., 2008.
[vi] Id., Section 3 (g), (l)
[vii] Id., Section 4
[viii] Id., Section 8, 11
[ix] Id., Section 13 (f)
[x] ISAGANI A. CRUZ, Constitutional Law, p. 141, 2007 ed.
[xi] Jeremy Waldron, Nonsense Upon Stilts: Bentham, Burke and Marx on the Rights of Man,
Methuen & Co., 1987, at pp. 33–34.
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home