PROTECTION OF INFORMATION AND PRIVACY (R.A. No. 10173, “Data Privacy Act of 2012”)

by joemalmirante

“I want my government to do something about my privacy – I don’t want to just do it on my own.”    -Evgeny Morozov


Information is like a trade secret of the famous fast food restaurants that we have in our country. They keep this trade secret with utmost diligence to protect it from being known to others, especially their competitors. What would happen if everyone knew their trade secret? Their competitors could destroy their business and, most of all, everyone could make their own “happy meal” that tastes exactly like the one you could have in these fast food restaurants. Since R.A. No. 10173, otherwise known as the Data Privacy Act of 2012, was passed into law, our personal information can be gathered, and the law also enables the National Privacy Commission to use our personal information. As the owners of our own trade secrets, are we willing to give them away to others?


Oftentimes, information goes hand in hand with the term privacy. We protect our personal information to keep ourselves private and not be disturbed by others. Now what is privacy? Privacy is the condition or state of being free from public attention to intrusion into or interference with one’s acts or decisions. [1] In other words, it is the doing of things alone, without interference from others, in secrecy. Privacy as a right was described once by Justice Brandeis as the “right to be let alone . . . the most comprehensive of rights and the right most valued by civilized men”. [2] Indeed, if we extend our judicial gaze we will find that the right of privacy is recognized and enshrined in several provisions of our Constitution. It is expressly recognized in Section 3 (1) of the Bill of Rights:


“Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”


Other facets of the right to privacy are protected in various provisions of the Bill of Rights, viz:


“Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.”


“Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.”


“Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law.”


“Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.”


“Sec. 17. No person shall be compelled to be a witness against himself.”


Zones of privacy are likewise recognized and protected in our laws. The Civil Code provides that “every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another. It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person, and recognizes the privacy of letters and other private communications. The Revised Penal Code makes a crime the violation of secrets by an officer, the revelation of trade and industrial secrets, and trespass to dwelling. Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposits Act and the Intellectual Property Code. The Rules of Court on privileged communication likewise recognize the privacy of certain information” [3]


Provisions of law pertaining to our right to privacy are scattered around the Bill of Rights. These are some provisions of the law which recognize and protect our right to privacy. The right to privacy is nevertheless not absolute. The right is not violated when the interference is made upon lawful order of the court or when public safety or order requires otherwise as prescribed by law. In other words, whenever the need for public safety arises, upon a lawful order of the court, or when the law so provides, our right to privacy cannot be deemed violated, nor can it prevail over these. [4]


Let us go back to the discussion on information, specifically on personal information. Along with the advances in information technology, personal information can be accessed or retrieved by a person, by an interested party having good connections, or by someone who pays a certain amount of money as consideration for the personal information being sought; as others would say, “Information can make money”. These are only some of the several reasons why the Data Privacy Act of 2012 has been passed into law: if not to stop these issues, then to regulate them.


Republic Act No. 10173, also known as the “Data Privacy Act of 2012”, was signed by President Benigno Aquino Jr. on August 15, 2012. It is an act protecting an individual’s personal data in information and communication systems in the government and the private sector. It protects personal information from the government as well as from the private sector. The law also created a National Privacy Commission, which has the primary duty to administer and implement R.A. No. 10173 and to ensure compliance of the country with international standards set for data protection. So basically, R.A. No. 10173’s purpose is to protect data.


Under R.A. No. 10173, we would encounter several terms which are commonly used under it and might not be so familiar to us, such as Data Subject, Personal Information, Personal Information Controller and Processor, Sensitive Personal Information, Privileged Information. To enlighten us, the law provides for their definition under Section 3 (c) (g) (h) (i) (k) (l).


“SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective meanings hereafter set forth:


(c) Data subject refers to an individual whose personal information is processed.


(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.


(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:


(1) A person or organization who performs such functions as instructed by another person or organization; and


(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.


(k) Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.


(l) Sensitive personal information refers to personal information:


(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;


(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;


(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and


(4) Specifically established by an executive order or an act of Congress to be kept classified.” [5]



Personal information and sensitive personal information carry great weight and are very significant. It is the duty and obligation of a personal data controller to keep personal information with utmost confidentiality. Sensitive personal information must likewise be handled with additional care and protected with utmost diligence. [6] These terms are the ones most commonly used under the law and in this discussion; several other terms are defined therein, and we could refer to the full text of the law for them.


As to the scope of the Data Privacy Act of 2012, it applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing. So what about outside the Philippines? The law provides that it also applies to those personal information controllers and processors who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines.


As to the duties of personal information controllers and processors, they must observe certain rules on the processing or handling of personal information before they may disclose it to the public, and must adhere to the principles of transparency, legitimate purpose and transparency. For personal information to be processed fairly and lawfully, its collection must be “for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only”.


Accuracy and relevancy are also important in the processing of personal information, and it must be kept up to date. In cases where the data is inaccurate or incomplete, it must be rectified, supplemented, or destroyed, or its further processing must be restricted. The adequacy and excessiveness of the personal information must also be observed. In addition, personal information must only be kept as long as it is necessary for the fulfilment of its purpose. [7]


The processing of personal information is lawful according to the law if at least one of the following exists: The data subject has given his or her consent; when the processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract; necessary for compliance with a legal obligation to which the personal information controller is subject; the processing is necessary to protect vitally important interests of the data subject, including life and health; necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or the processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution. It should also be noted that in proper cases, the lack of consent of the data subject will not prevent the processing. [8]


In addition to these important provisions of the said law, the rights of the data subject are also embodied therein. The data subject has the right to be informed that his personal information shall be, is being or has been processed; to be furnished with the information to be processed before the entry thereof; and to verify the accuracy and correctness of the personal information. In case it is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purposes for which it was collected, he can suspend, withdraw, block, remove or destroy the personal information, and whenever these things harm his rights, he can ask for damages. These rights of the data subject are also transmissible to his lawful heirs or his assignee in case of his death or when he is incapacitated and incapable of exercising his rights. [9]


Chapter 8 of R.A. No. 10173 provides several penalties in case of violation. Penalties range from fines to imprisonment. The penalties stated under the law guarantee the benefit of protection not only to the data subject, but also to the information controllers.


While it is true that R.A. No. 10173 provides for the protection of the personal information of an individual, there are some parts of the said law which are vague, otherwise known as “gray areas”. They are called as such because they may be so general that they need to be more specific or particular. Regarding this, I have my own personal questions on some provisions of the law.


With regard to the penalty, the penalties consist of fines and imprisonment, hence making it a special penal law. This matter relates to the Rules on Electronic Evidence, Rule 1, Section 2 of which states that:


“Section 2. Cases Covered. – These rules shall apply to all civil actions and proceedings, as well as quasi-judicial and administrative cases.”


If a person committed a violation under the Data Privacy Act, how would the offended party make a stand if it is a criminal case and, according to the law, electronic evidence is not applicable to criminal cases?


One of the rights of the data subject is to be informed that his personal information shall be, is being or has been processed, as well as to be furnished with the information to be processed before the entry thereof. These rights are also transmissible under Section 17 to his lawful heirs and his assignee in case of his death or when he is incapacitated or incapable of exercising his rights, so it means that the right to be informed of the processing of the data subject’s personal information is also transmissible. Nevertheless, Section 13 prohibits the processing of sensitive personal information of the data subject, subject to some exceptions, one of which is under Par. (c) of the same section: “when the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his consent prior to the processing.”


Would Section 13 (c) disregard the right of the data subject to be informed that his personal information shall be, is being, or has been processed when he is incapacitated or incapable of exercising such right, considering the fact that the data subject’s right to be informed is transmissible to his lawful heirs or his assignee? Can the data subject’s lawful heirs or assignee give consent to the processing of his sensitive personal information instead of him for the reason that he is incapable or incapacitated to exercise it? What if the sensitive personal information had already been processed without informing and getting the consent of the heirs or assignee of the data subject; would the personal information controller or the personal information processor be held liable for unauthorized processing of personal information and sensitive personal information under Section 25?


For example, A has been hospitalized and is comatose. Here come B and C, a personal information controller and processor. They seek the sensitive personal information of A, who is unable to give his consent and exercise his right because he is obviously incapable or incapacitated, and the processing of sensitive personal information is necessary to protect the life and health of A. Somehow the personal information controller and processor succeeded in getting hold of A’s sensitive personal information and eventually processed it. A has lawful heirs. Would the personal information controller or processor be liable for not getting the consent of and informing the heirs of A about the said processing? Would they be liable for unauthorized processing of sensitive personal information?


Nowadays, people are fond of using social networking sites. Before using the features of a particular social network, people have to register. Upon registering, they provide their names, email addresses, birthdates, civil status, nationality, and other personal information the site may require; some social networks also require a “secret question” for which you provide a “secret answer” in case you forget your password. After you have registered, you can have access to these social networking sites. One of the features of a social network is being able to “view” the profile of another person. The question is, would these social networks be considered personal information controllers that can be covered by R.A. No. 10173? If yes, then can they also be held liable for improper disposal of personal information and sensitive personal information? Can the viewers of your profile on these social networking sites be held liable for accessing personal information and sensitive personal information due to negligence if accidentally viewed?


Regarding the issue of unsolicited emails, calls or text messages, would the companies that advertise through unsolicited emails, calls and text messaging be held liable under the said law?


These are only some of the several issues regarding R.A. No. 10173. Yes, it provides for protection of data, the data subject, and controllers, but there are areas in the said law which are still vague, maybe because as of now there is no jurisprudence about these matters and they have not been tested yet.


The law left me so many questions as of now, but absolutely, I am not losing hope that these questions will be answered as soon as possible by our government. We are in a country that is “under construction” and I believe that in time, it would lead to a better result. The world is moving forward, and I think it is time for us to move along with it.





  1. Black’s Law Dictionary 1315 (9th ed. 2009).
  2. Samuel D. Warren, Louis D. Brandeis (December, 1890). “The Right to Privacy”. Retrieved from
  3. Ople v. Torres, G.R. No. 127685, July 23, 1998.
  4. Section 3(1), Bill of Rights, 1987 Constitution of the Republic of the Philippines.
  5. Section 3, R.A. No. 10173 “Data Privacy Act of 2012”.
  6. Section 8, R.A. No. 10173 “Data Privacy Act of 2012”.
  7. Section 11, R.A. No. 10173 “Data Privacy Act of 2012”.
  8. Section 12, R.A. No. 10173 “Data Privacy Act of 2012”.
  9. Section 16, R.A. No. 10173 “Data Privacy Act of 2012”.
  10. R.A. No. 10173 “Data Privacy Act of 2012”.
  11. Palabrica, Raul J. (August 31, 2012). Data Privacy Act. Retrieved May 4, 2013 from