Wednesday, May 7, 2014

The "Unclears" of R.A. 10173

“Now the right to life has come to mean the right to enjoy life, -- the right to be let alone."
- Samuel Warren and Louis Brandeis, 1890.

PRIVACY is the right that determines the nonintervention of secret surveillance and the protection of an individual’s information. [1] Privacy is so vital that it is being recognized and protected even by the laws. Without it, everyone would stand on a vulnerable terrain, exposed to the power and control of others. Freedom, thus, is exploited. 

            R.A. 10173 or otherwise known as the “Data Privacy Act of 2012” is one of the laws that revere privacy. Such law was criticized but was commended as well. Despite the harmonious formation of the said law, this entry will tackle instead its gray areas. The case of Ople vs Torres will be used to elucidate the gray areas of the aforementioned law.

Ople vs Torres Case Summary
On 12 December 1996, President Fidel V. Ramos issued Administrative Order 308 or otherwise known as the "Adoption of a National Computerized Identification Reference System." A.O. 308 establishes a system of identification that is all-encompassing in scope, affects the life and liberty of every Filipino citizen and foreign resident, and more particularly, violates their right to privacy. Such a system requires a delicate adjustment of various contending state policies: the primacy of national security, the extent of privacy interest against dossier-gathering by government, the choice of policies, etc.  It was published in 4 newspapers of general circulation thereafter.

Senator Blas F. Ople, then, as a Senator, taxpayer and of the Government Service Insurance System (GSIS), filed instant petition against then Executive Secretary Ruben Torres and the heads of the government agencies, who as members of the Inter-Agency Coordinating Committee are charged with the implementation of Administrative Order 308. Ople’s contentions include: (1) the national ID system lays the groundwork for a system which will violate the individual’s right to privacy; and (2) its issuance is an encroachment upon the legislative powers of Congress not only due to the fact that it involved appropriations of public funds but more so because of its subject matter and scope.

The Supreme Court Ruled in favor of Senator Blas Ople saying that Administrative Order 308 is intrusive of the right to privacy. Although such Administrative Order has good intentions (providing Filipino citizens and foreign residents with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities, and requiring a computerized system to properly and efficiently identify persons seeking basic services on social security and reduce, if not totally eradicate fraudulent transactions and misrepresentations), its inadequacies outweigh its adequacies.

Administrative Order 308 fails to provide what specific biological characteristics and what particular biometrics technology shall be used to identify people who will seek its coverage. Moreover, it does not state whether encoding of data is limited to biological information alone for identification purposes. It also held that the purpose of the generation the Population Reference Number was not confined to the sole purpose of identifying each individual but may also be used for other things remotely related to the avowed purposes of the administrative order. Moreover, it does not provide for control measures to prevent manipulation, lost or leakage of information, and there are no penalties or sanctions for unlawful use or access or unauthorized disclosure of information gathered. Such shortcomings do impair people’s right to privacy. [2]

Data Privacy Act of 2012

            As mentioned earlier, privacy is so vital that it is being recognized and protected even by the laws. The 1987 Philippine Constitution, specifically under the Bill of Rights, [3] provides the following:

Section 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.

Section 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

Section 3.
1.      The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.
2.      Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding.

Section 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.

Section 17. No person shall be compelled to be a witness against himself.

            The Civil Code of the Philippines [4] provides:

Art. 26. Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons. The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief:

(1) Prying into the privacy of another's residence:
(2) Meddling with or disturbing the private life or family relations of another;
(3) Intriguing to cause another to be alienated from his friends;
(4) Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition.

            The Revised Penal Code and the Rules of Court also recognizes the right to privacy. Despite the significance of the right to privacy, such right is not an absolute right. Other important social interests can be more important than privacy in particular circumstances.

            Data Privacy Act of 2012 now comes into picture as it is one of the laws that protect the right to privacy.  Chapter I section 2 of the said law states that, “It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.” [5] Basically, the purpose of the law is data protection. In this regard, the National Privacy Commission was created to administer and implement the provisions of the said Act, and to monitor and ensure compliance of the country with international standards set for data protection, and other vital functions as provided in Chapter II Section 7 of R.A. 10173. It applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

R.A. 10173 fills up the shortcomings of A.O. 308. R.A. 10173 provides the framework on how personal information will be processed, recognizes the right of the data subject, and provides penalties and imprisonment for any breach of the measures provided for the privacy of the individual’s personal and sensitive information. R.A. 10173 defines who a data controller and a data processor is in the event that sensitive and personal information would be taken from individuals and providing for their responsibilities in maintaining the privacy of such as well as their liabilities should they fail to conduct the proper procedures.  Even the superioirs or heads of the National Privacy Commission may be held liable in some instances.

Now come the unclears. Considering the vast amount of personal information to be handled and protected, there will surely be problems that need to be refined about R.A. 10173.

One of the glaring problems that I see is about the penalty provided for in Section 26 (Accessing Personal Information and Sensitive Personal Information Due to Negligence) of the said law. I perceive such penalty incommensurate to the violation.

To illustrate; A filed a life insurance policy application with B, personal information controller of the insurance company, that included A’s confidential personal information. A received a privacy policy from B saying, among other things, “We take steps to make our computer data bases secure and to safeguard the information we have about you.” However, employee C, a coworker of employee B, was allowed by B to use his computer as C was not able to access the internet and send an email to a client using the computer designated to him. Due to carelessness, employee C inadvertently clicked the tab function which contains personal information of a client A. As a consequence, he was able to see the personal information of client A although not authorized to access it. Would employee C be penalized for accessing personal information due to negligence as provided for in Chapter VIII Section 26 of R.A. 10173? I find such penalty callous for the violation committed if C will be penalized. If ever that such act will indeed be penalized, a reduction of the penalty is highly proposed.

According to William F. Pelgrin, social networking sites have become very popular avenues for people to communicate with family, friends and colleagues from around the corner or across the globe. While there can be benefits from the collaborative, distributed approaches promoted by responsible use of social networking sites, there are information security and privacy concerns. People who provide private, sensitive or confidential information about themselves or other people, whether wittingly or unwittingly, pose a higher risk to themselves and others. [7]

According to Boyd and Ellison, [8] we define social networking sites as web-based services that allow individuals to (1) construct a public or semi-public profile within a bounded system, (2) articulate a list of other users with whom they share a connection, and (3) view and traverse their list of connections and those made by others within the system. The nature and nomenclature of these connections may vary from site to site.

While we use the term “social network site” to describe this phenomenon, the term “social networking sites” also appears in public discourse, and the two terms are often used interchangeably. We chose not to employ the term “networking” for two reasons: emphasis and scope. “Networking” emphasizes relationship initiation, often between strangers. While networking is possible on these sites, it is not the primary practice on many of them, nor is it what differentiates them from other forms of computer-mediated communication (CMC).

What makes social network sites unique is not that they allow individuals to meet strangers, but rather that they enable users to articulate and make visible their social networks. This can result in connections between individuals that would not otherwise be made, but that is often not the goal, and these meetings are frequently between “latent ties” (Haythornthwaite, 2005) who share some offline connection. On many of the large SNSs, participants are not necessarily “networking” or looking to meet new people; instead, they are primarily communicating with people who are already a part of their extended social network. To emphasize this articulated social network as a critical organizing feature of these sites, we label them “social network sites.”

Although the issues of online privacy has been a problem for the general public for a long time it has started to grow rapidly due to technology, to be more precise in case of sharing services- smart phones that easily enables anyone to make content and share it with just one click of a button. Due to high penetration of smartphones with photo and video creation and sharing opportunities, the amount of personal content available online is has been increasing rapidly. Posting contents such as picture and video gives rise to new privacy concerns due to their context revealing details about the physical and social context of the subject.
The growing amount of online personal content exposes users to a new set of privacy concerns. Digital cameras, and lately, a new class of camera phone applications that can upload photos or video content directly to the web, make publishing of personal content increasingly easy. Privacy concerns are especially acute in the case of multimedia collections, as they could reveal much of the user’s personal and social environment (Dagmar Mäe). [9]

Consent of the data subject as defined in R.A. 10173 refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so. Furthermore, sections 12 and 13 of the said law provide;

Section 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Section 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations:Provided,That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information:Provided, further,That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;    
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations:Provided,That such processing is only confined and related to thebona fide members of these organizations or their associations:Provided, further,That the sensitive personal information are not transferred to third parties:Provided, finally,That consent of the data subject was obtained prior to processing;       
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

            Given the abovementioned social networking service concerns and the required consent provided by R.A. 10173, comes now the vagueness of the said law. Can personal information placed in the networking sites be considered as an implied consent? Assuming that the answer is in the affirmative, can a third person be allowed to use such information considering that it is placed online publicly? Does the law cover personal information stockpiled or transmitted through gadgets like cellular phones?

Subsection 2, Paragraph f, Section 20 of the law provides, “the Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.”
Allowing the personal infomation controller to be exempt from notifying the data subject, based on reasonable judgment, can raise the possibility for a controller to escape responsibility in protecting data privacy.  


As Flores (2013) puts it, “undeniably the changes and developments of technologies affected the daily life of every person. There is no change that brought all positive. Though, admittedly, the continuous developments that being made involving communications have turn the world in a more modern way of living for its citizens. It made life a lot easier for many but as expectedly, the changes and developments have its down side that laws have to be made and applied for others’ right to be protected and preserved. There are those that are really open to unnecessary public scrutiny.” [10]

At the end of the day, everyone wants proper administration of justice and protection of rights. The downsides and efficacies of RA 10173 should be taken into account in order to make it as harmonious and effective as possible.


[1] Privacy definition, available at, (last visited 5 May 2014). 

[2] Blas Ople vs. Ruben Torres, GR No.. 127685, 23 July 1998, available at, (last visited 5 May 2014).

[3]Article III of the 1987 Philippine Constitution, available at, (last visited 5 May 2014).

 [4] Civil Code of the Philippines, available at, (last visited 5 May 2014). 

[5] RA 10173, available at, (last visited 5 May 2014).

[6]Randy H., (2006).  Negligence Cases for Data Security Breaches, available at, (last visited 5 May 2014).

[7] William P., (2010). Security and Privacy on Social Networking Sites, available at, visited 5 May 2014).

[8] Social Networking Sites, available at,, (last visited 5 May 2014).

 [9], (last visited 5 May 2014).

No comments:

Post a Comment