situational gray areas of R.A. 10173
Introduction:
In the world of today we are mindful
of the fact that there is a fast pace of growth of technology. It is in
technology that we somehow realized that it can be a handmade, a tool for the
economic and social growth of a country and to every individual as well. But we
cannot set aside the fact that there are also some disadvantages in such modern
realization. But this disadvantages or gray areas can be glance from those who,
in the technical sense, have made technology applied from the very core of
human activity. Furthermore, it can also be viewed from a situation where
congress would pass a law and technology would be involved to secure one’s
personal information of every natural or judicial person. However, the thing
here is how sure that our personal information are protected if there are some
loopholes or gray areas of law from which the congress passed? In other words,
it can be said that it is from the making of the law vis-a-vi the application
of technology that would somehow tear down the rights of every individual
because of the gray areas of the law itself resulting in the misuse of
technology.
Situational gray areas on data
privacy act:
One that has some situational gray areas would be
the R.A. 10173 or the Data Privacy Act. In the very words of Mr. Justice
Brandeis citing the case of Blas Ople vs. Ruben D. Torres et al, right to
privacy is considered as "the most comprehensive of rights and the right
most valued by civilized men."[i]
Though it is already a cliché to define the right to privacy as a right to be
let alone it is still the simplest way to define one of the rights of a person
because it is already enshrined in the constitution specifically the bill of
rights.
R.A. 10173 or otherwise known as
the ‘Data Privacy act of 2012’ is “an act protecting individual information in
Information and Communications Systems in the Government and the Private
Sector, creating for this purpose a National Privacy Commission, and for other
purposes.”[ii]
The creation of commission known as the National Privacy Commission is the one administering
or the one that is responsible for the implementation of the Data Privacy Act.
Furthermore, the National Privacy Commission is the one accountable of or the
one in charge in seeing to it that they comply with the international standards
set for data protection and with it “the processing
of all types of personal information and to any natural and juridical person
involved in personal information processing including those personal
information controllers and processors who, although not found or established
in the Philippines….”[iii]
Indeed, congress passed a law that would somehow secure the personal
information of every natural and juridical person. The said law would somehow
put to an end the dilemma of invading or intruding the personal information of
others such that there are penal consequences that would entail.
One
cannot really ignore the effort of government in passing this act for this is
truly the best evidence to see that politically and economically we are growing
and developing as a country. Evidently, R.A. 10173 or the “Data Privacy Act” is
one proof of the effort of the government. However, the passage of the said act
or law has some loopholes or gray areas that will consequently prejudice the
rights of the people to privacy. One such situational gray area would be
section 3 (b) which states, “SEC. 3. Definition of Terms. –
Whenever used in this Act, the following terms shall have the respective
meanings hereafter set forth:
xxx
(b) Consent
of the data subject refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and
processing of personal information about and/or relating to him or her. Consent
shall be evidenced by written, electronic or recorded means. It may also be
given on behalf of the data subject by an agent specifically authorized by the
data subject to do so.
xxx
(h) Personal
information controller refers to a person or organization who controls
the collection, holding, processing or use of personal information, including a
person or organization who instructs another person or organization to collect,
hold, process, use, transfer or disclose personal information on his or her
behalf. The term excludes:
xxx
(2) An
individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.”[iv]
Thus, the statement talks about the consent of the data subject on the
ground that the data subject freely agrees for the processing of his personal
information. But, it must be noticed that this consent should be written and if
given by an agent, the written consent should be authorized by the data
subject. Here lies the problem of forgery because in forgery “to forge an instrument
is to make false instrument intended to be passed for the genuine one.”[v]
Supposing that A forged the personal information of B who is already deceased,
A now becomes an agent, because of the fact that he forged such written
authorization of B. Another situation is that A can forged such written consent
making it appear that he is B because the consent evidence by written means was
forged making it appear to be genuine where in fact it is not. Whatever would
be the situation, still, the written authority is left hanging because of
forgery. The Personal Information Controller who collects and process the
personal information and Personal Information Processor who outsourced personal
data of an individual would be confused if the written consent or the written
authorization is forged or not. In this effect, it is logical to conclude that
the consent freely given is not at all absolute and thus presumed that the one
victimized by the act of forging does not want this to happen for his consent
is not at all taken. Furthermore, it is against his will for the one who is in
control of his personal information is not him but other person who is a
forger. Also, under number (2) of the excluded portion of personal information
controller, what if the personal information controller just so happen to text
the person using SMS because he has now the individual’s personal information.
Is the personal information controller liable under Data Privacy Act?
Definitely the answer would be ‘no’ because text message is included in number
(2) which happens to be one of the exclusions of Personal Information
Controller. But still, it violates the right to privacy of an individual for he
/she did not gave her personal number nor did she consented that she will be
receiving any text message. Worst, if that text message is just an informal one
or a threat to the individual.
Again on the same section which is
section 3 subparagraph (g) and (l) which respectively states, “(g) Personal
information refers to any information whether recorded in a material
form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or
when put together with other information would directly and certainly identify
an individual.
xxx
(l) Sensitive
personal information refers to personal information:
(1) About
an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
(2) About
an individual’s health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in
such proceedings;
(3)
Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or cm-rent health records,
licenses or its denials, suspension or revocation, and tax returns; and
(4)
Specifically established by an executive order or an act of Congress to be kept
classified.”[vi]
Comparing the two subsections,
subsection (g) defines what personal information is and subsection (l) is named
to be sensitive personal information which is also personal information itself.
The question that would be ask in here is that, why did the act separate the
personal information from sensitive personal information if the personal
information is a sensitive personal information itself and vice versa? Can it
be possible to just put it in one subsection? Because the problem will arise:
if an individual not highly technical in such terms or if not, the person is
not that highly educated, he will have a difficulty on what to put on his
personal information because of the misleading phrase of subsection (g) ….when
put together with other information.... This phrase will lead individual into a
difficult situation on what would be this personal information that he could
give because he thinks that the personal information and the sensitive personal
information are entirely different in the manner of giving his personal
information for they are separated in the act. Assuming arguendo, that the
personal information and sensitive information are in a different manner of
giving such information, then the individual giving his personal information
will be having troubles on what would be that personal information or other
information for such personal information has a broad and a wide concept under
subsection (g).
Another is the scope of the said act
which is in section 4 which states, “This Act applies to the processing of all
types of personal information and to any natural and juridical person involved
in personal information processing including those personal information
controllers and processors who, although not found or established in the
Philippines, use equipment that are located in the Philippines, or those who
maintain an office, branch or agency in the Philippines....”[vii]
Reading further the said section, there are exclusions that the said act
provides. The problem lies to the question of those who process the personal
information of an individual. What if they processed such personal information
of an individual but they are not found in the Philippines and they use equipment
but are not located in the Philippines? Also what if they do not have any
office, branch or agency in the Philippines? With this, it cannot be said that
it can be possible for the act did not include this kind of situation in its
exclusion. But it cannot also be possible because section 4 clearly defines the
scope and going beyond what is not distinguished will change the meaning or the
concept of the said section. Expressio
unius est exclusio alterius, the expression of one thing is the exclusion
of another. Thus, there are two sides of possibilities and therefore, there are
inconsistencies or gray areas in the said section 4 of the act.
Another situational gray area of
R.A. 10173 would be section 8 (Confidentiality) in connection with section 11 (General
Data Privacy Principles) to which it respectively states, “SEC. 8. Confidentiality.
– The Commission shall ensure at all times the confidentiality of any
personal information that comes to its knowledge and possession.
xxx
SEC.
11. General Data Privacy Principles. – The processing of personal
information shall be allowed, subject to compliance with the requirements of
this Act and other laws allowing disclosure of information to the public and
adherence to the principles of transparency, legitimate purpose and
proportionality.
Personal
information must, be:
(a)
Collected for specified and legitimate purposes determined and declared before,
or as soon as reasonably practicable after collection, and later processed in a
way compatible with such declared, specified and legitimate purposes only;
(b)
Processed fairly and lawfully;”[viii]
Section 8 merely leads us to think
that this personal information has its confidentiality and the Commission has
the obligation to see to it that it is kept confidential the moment the
Commission acquires this personal information. Now the problem that should be
taken care of is that of section 11, wherein such processing of personal
information is subjected to certain requirements of the said act and to other
laws as well. With the end in mind that this processing of personal information
is for a legitimate cause or purpose and should be processed in a lawful
manner, it may be asked: who then should determine if such personal information
is legitimate or not? It is because section 11 did not clearly specify who is capable
of determining such legitimacy of said information. If the Commission would
determine the matter, then they are the ones who are in control of disclosing
such information to the public for they believed that it is for legitimate
purpose. It can be against the will of the one who gave personal information
and thus, violating the right to privacy of the individual who gave such
personal information. If on the other hand, the person who gave his personal
information will be the one determining its legitimate purpose, then how vast
will be his knowledge in complying with the legitimate purpose without going
away from the intention of the Act.
In section 13, it talks about
Sensitive Personal Information and Privilege Information. That its processing
is prohibited but with certain exceptions just like in letter (a) of the said
act wherein it speaks mainly of a specific purpose. But the question here is
that: To what specific purpose would it be to the extent that this specific
purpose will not violate the right of data subject in giving and processing of
his sensitive and privileged information? For the data subject, how sure are
they, that this information of theirs is not under peril so much so that this
is secured and not done or be subjected to any wrong purposes? Also, what will
be the demarcation line of the word specific purpose? What would be the means
of the government to make sure that this sensitive and privileged information
are done for specific purpose?
Furthermore, from the last paragraph
of letter (d) of section 13 it talks about the non-transferability of this
sensitive personal information to third person but what if for example, A,
being the data subject and giving his consent gave his personal information to
B who, in this situation is responsible for processing such information of A.
however in the course of events, B gave a copy of the personal information of A
to C who is a third party and not related to A. The dilemma would now be this:
how will A know and if B gave the personal information of A to C? What will be
the determining factor of A that B really and indeed gave it to a third party?
Will A just be silent and have a leap of faith because anyway he (A) gave his
personal information without bothering himself that this confidentiality will
not be exposed to someone not related to him, without his consent or against
his will? It leaves a doubt on whether or not the confidentiality of
information that the individual gave will not be exposed to someone else
because right from the very start, the individual, giving his information to
the one responsible of processing this information creates a certain suspicion
that the information might be disclose to someone else. Still under the same
section with letter (f) as an exception to wit: “The processing concerns such
personal information as is necessary for the protection of lawful rights and
interests of natural or legal persons....”[ix]
However the confidentiality still remains as an issue for the problem that, how
can the lawful rights and interests of natural or legal persons be protected if
they don’t know from the very start that such personal information might be
given to someone else? How will they determine if their rights and interest are
protected or not because of the hunch that the one processing those personal
information might also be the one sending a copy to someone else?
Section
15 of the Data Privacy Act talks about the Extension of Privilege Communication
wherein privilege communication over privilege information may be invoked by
the personal information controllers in order to secure the personal
information and that it will be kept in confidentiality. Any evidence gathered
on privileged communication will be inadmissible as evidence. But it will be subjected
to laws and regulations. The concept of privacy of communication in
Constitution somehow has its connection to section 15. Under Article 3 of
section 3(1) and 3(2) to which it respectively states: “The privacy of
communication and correspondence shall be inviolable except upon lawful order
of the court or when public safety or order requires otherwise as prescribed by
law. xxx Any evidenced obtained in violation of this or the preceding section
shall be inadmissible for any purpose in any proceeding.”[x]
But what if it involves national interest such that our country will be in
danger? How good is this section if right from the very start, the individual
who is giving such personal information is the one who is in control whether to
put that information or not, whether to change his personal information so that
it will be more advantageous to him? It is because of the risk that the
personal information might be subjected to existing laws and regulations so
much so that the personal information that he will give are now change so that
he will not prejudice himself. Another gray would section 17 which speak of
transmissibility of rights of the data subject. From here, when the data
subject is already dead or incapacitated, the lawful heirs or assigns may take
over and be the one who can invoke the rights of the data subject. The question
here is that how will they prove that the transfer to the lawful heirs and
assigns was done with the consent of the data subject prior to his death? How
will they verify at least some of the personal information is true or not if
the data subject is already dead? Another is on section 20 where it talks about
Security of Personal Information and subsection (e) of the said section speaks
of those who are involved in the processing of the personal information, that
this personal information should be kept confidential if they are not meant for
public disclosure. This obligation will continue even after termination of
employment, leaving public service or transfer to another office. Then the
question here is that what will happen to the personal information of the data
subject if the personal information controller leaves the public service? Supposing
that every now and then employees, agents or representatives or even the
personal information controller himself leave the public service because of
contractual relations, will the person still give his personal information to
the new personal information controller or the new personal information
controller will just review the personal information that was being processed
by the old personal information controller. Can this situation clearly defeats
the very purpose of confidentiality because of the fact that every now and
then, after contractual relations new persons will come and work for this said
commission and it can be possible that they will know the individual’s personal
information.
Conclusion:
At present, one cannot really escape
the changes in reality in so far as technology is concerned so much so that the
congress adapts technology in order to be equipped with the trend of reality in
technology. It is in technology that the congress can incorporate it with the
laws that they pass. However, it creates a danger if the application of
technology is being done in a wrong concept just like not being knowledgeable
enough on technology and mixed it in creating a law. Thus, the danger that the
law will harm the very rights of individual, may it be natural or legal person.
Law is there to guide people towards their right to privacy. For if this right
to privacy is being abused then people should not think themselves as free men
for they are not at liberty. In the words of Karl Marx on his critique to human
rights, “Liberty, therefore, is the right to do everything that harms no one
else. The limits within which anyone can act without harming someone else are
defined by law….”[xi] and R.A. 10173 is there to exemplify that
technology can be a handmade of law. However, because of some gray areas in the
law, it can somehow harm the very rights each individual and somehow will not
take full effect in implementing the said act.
[i]
Blas Ople v. Ruben D. Torres et al., G.R. No. 127685, July 3, 1998, available
at http://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html,
(last accessed May 7, 2014).
[iii]
Id., Sec. 4
[iv]
Id., Sec 3 (b)
[v]
Book 2, LUIS B. REYES, Revised Penal Code: Criminal Law, p. 201, 17th
ed., 2008.
[vi]
Id., Section 3 (g), (l)
[vii]
Id., Section 4
[viii]
Id., Section 8, 11
[ix]
Id., Section 13 (f)
[x]
ISAGANI A. CRUZ, Constitutional Law, p. 141, 2007 ed.
[xi]
Jeremy Waldron, Nonsense
Upon Stilts: Bentham, Burke and Marx on the Rights of Man, Methuen &
Co., 1987, at pp. 33–34.
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home