Wednesday, May 7, 2014

DATA PRIVACY ACT

DATA PRIVACY ACT

The Republic Act 10173, the Data Privacy Act of 2012, signed by President Benigno S. Aquino III on August 15, 2012, protects the integrity and confidentiality of individual personal information in information and communication systems in the government and the private sector. The new law penalizes the unauthorized disclosure of personal information. It protects journalists and publishers, as they will not be compelled to reveal the source of a news report.
Republic Act 10173 was patterned on standards set by Directive 95/46/EC of the European Parliament and aligned with Asia Pacific Economic Cooperation Information Privacy Framework, that protect the integrity of personal data. It provides for the creation of a National Privacy Commission that will monitor and ensure compliance of the country with international standards for data protection. The commission will implement the law, receive complaints, issue cease-and-desist orders, compel entities to abide by its orders and monitor compliance, and enforce policies that balance the right of the private person to privacy.
The passage of RA 10173 is expected to boost investment in the fast-growing information technology and business process outsourcing (IT-BPO) industries. Hailing its enactment, the Business Processing Association of the Philippines said the new law brings the Philippines to international standards of privacy protection as much of IT-BPO work involves confidential personal and company information of local and foreign clients.
Excluded in the scope of RA 10173 are, among others, personal information processed for journalistic, artistic, literary or research purposes, information about government officials and other civil servants, information necessary for banks and financial institutions as part of anti-money laundering efforts, and personal data processed by central monetary authorities and law enforcement and regulatory agencies.[1]

DEFINITION OF PERSONAL DATA
Personal Information is defined in the Act as "any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual."
The Act, in addition to defining "Personal Information" that is covered by the law, also expressly excludes certain information from its coverage. These are:
  • Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
·        
    • The fact that the individual is or was an officer or employee of the government institution;
    • The title, business address and office telephone number of the individual;
    • The classification, salary range and responsibilities of the position held by the individual; and
    • The name of the individual on a document prepared by the individual in the course of employment with the government;
  • Information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
  • Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
  • Personal information processed for journalistic, artistic, literary or research purposes;
  • Information necessary in order to carry out the functions of a public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
  • Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Philipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
  • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.[2]

The Right to Privacy

The right to privacy, as an inherent concept of liberty, has long been recognized as a constitutional right. This Court, in Morfe v. Mutuc, thus enunciated:
The due process question touching on an alleged deprivation of liberty as thus resolved goes a long way in disposing of the objections raised by plaintiff that the provision on the periodical submission of a sworn statement of assets and liabilities is violative of the constitutional right to privacy. There is much to be said for this view of Justice Douglas: “Liberty in the constitutional sense must mean more than freedom from unlawful governmental restraint; it must include privacy as well, if it is to be a repository of freedom. The right to be let alone is indeed the beginning of all freedom.” As a matter of fact, this right to be let alone is, to quote from Mr. Justice Brandeis “the most comprehensive of rights and the right most valued by civilized men.”
The concept of liberty would be emasculated if it does not likewise compel respect for his personality as a unique individual whose claim to privacy and interference demands respect. xxx.

x x x x x x x x x

x x x [I]n the leading case of Griswold v. Connecticut, Justice Douglas, speaking for five members of the Court, stated: “Various guarantees create zones of privacy. The right of association contained in the penumbra of the First Amendment is one, as we have seen. The Third Amendment in its prohibition against the quartering of soldiers ‘in any house’ in time of peace without the consent of the owner is another facet of that privacy. The Fourth Amendment explicitly affirms the ‘right of thepeople to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.’ x x x [I]n the leading case of Griswold v. Connecticut, Justice Douglas, speaking for five members of the Court, stated: “Various guarantees create zones of privacy. The right of association contained in the penumbra of the First Amendment is one, as we have seen. The Third Amendment in its prohibition against the quartering of soldiers ‘in any house’ in time of peace without the consent of the owner is another facet of that privacy. The Fourth Amendment explicitly affirms the ‘right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.’

x x x x x x x x x

So it is likewise in our jurisdiction. The right to privacy as such is accorded recognition independently of its identification with liberty; in itself, it is fully deserving of constitutional protection. The language of Prof. Emerson is particularly apt: “The concept of limited government has always included the idea that governmental powers stop short of certain intrusions into the personal life of the citizen. This is indeed one of the basic distinctions between absolute and limited government. Ultimate and pervasive control of the individual, in all aspects of his life, is the hallmark of the absolute state. In contrast, a system of limited government, safeguards a private sector, which belongs to the individual, firmly distinguishing it from the public sector, which the state can control. Protection of this private sector — protection, in other words, of the dignity and integrity of the individual — has become increasingly important as modern society has developed. All the forces of a technological age — industrialization, urbanization, and organization — operate to narrow the area of privacy and facilitate intrusion into it. In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society.”
In Ople v. Torres[3], this Court traced the constitutional and statutory bases of the right to privacy in Philippine jurisdiction, to wit:
Indeed, if we extend our judicial gaze we will find that the right of privacy is recognized and enshrined in several provisions of our Constitution. It is expressly recognized in section 3 (1) of the Bill of Rights:

Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.

Other facets of the right to privacy are protected in various provisions of the Bill of Rights, viz:

Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.

Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

x x x x x x x x x

Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law.

x x x x x x x x x

Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.

Sec. 17. No person shall be compelled to be a witness against himself. Zones of privacy are likewise recognized and protected in our laws. The Civil Code provides that “[e]very person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another. It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person, and recognizes the privacy of letters and other private communications. The Revised Penal Code makes a crime the violation of secrets by an officer, the revelation of trade and industrial secrets, and trespass to dwelling. Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposits Act and the Intellectual Property Code. The Rules of Court on privileged communication likewise recognize the privacy of certain information.

Unlike the dissenters, we rescind from the premise that the right to privacy is a fundamental right guaranteed by the Constitution, hence, it is the burden of government to show that A.O. No. 308 are justified by some compelling state interest and that it is narrowly drawn.[4]

Data Privacy Act
Republic Act No. 10173 or the “Data Privacy Act of 2012” is the tool which legislators assert to become the solution of the disturbance of the constitutional guaranty of life, liberty and property in relation ones own privacy provides that: It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. It further provides that: This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.[5]


With this in mind, one may be able to assert that in enacting the “Data Privacy Act” the guaranty of privacy is not absolutely guarded by such a mandate. For instance, in a situation where by an owner of a company gives out his employees’ data and information to another company or person which is not in any way connected to the employees, who uses such information and data to sell and advertise the company’s products to the employees. And at the same time, the company or person who gives out the employee data receives commission from every sale, which the second company acquires.

Under the Republic Act 10173 “Data Privacy Act” - A personal information controller, refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. This exlucudes:
·       (1) A person or organization who performs such functions as instructed by another person or organization; and
·       (2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

Under SEC 21. Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
(a) The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.
(b) The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request. However, uander Article 1167 of The New Civil Code, If a person obliged to do something fails to do it, the same shall be executed at his cost. This same rule shall be observed if he does it in contravention of the tenor of the obligation. Furthermore, it may be decreed that what has been poorly done be undone.
In this regard, we must be mindful that in such situation, both laws may be applicable. Now, while it is obvious that both laws operate differently, the question is for this law is that, can a person be penalized under both or if not why? RA 10173 doesn’t purport clearly the rules applicable in a case like this. To my view, a law which doesn’t perfectly provide for the specific, in line with the importance of a person’s life, liberty, or property and in accordance with a persons privacy must be given solution, because, ones privacy in put to peril, an individual is only given a chance to be on earth once, the importance of protecting once person is a duty that our leaders need to attend to.


Ron Mikhail Uy
2013-0428
Tech and The Law TTH 5:30-8:30



[3] Opel vs Torres 354 Phil. 948 (1998)
[4] Gamboa vs Chan GR No. 193636

[5] Ibid, Section 4.
[6] Republic Act 10173, Section 2.

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home