“Now the right to life has come
to mean the right to enjoy life, -- the right to be let alone."
- Samuel Warren and Louis Brandeis, 1890.
- Samuel Warren and Louis Brandeis, 1890.
PRIVACY is the right
that determines the nonintervention of secret surveillance
and the protection of an individual’s
information.
[1] Privacy is
so vital that it is being recognized and protected even by the laws. Without
it, everyone would stand on a vulnerable terrain, exposed to the power and
control of others. Freedom, thus, is exploited.
R.A.
10173 or otherwise known as the “Data Privacy Act of 2012” is one of the laws
that revere privacy. Such law was criticized but was commended as well. Despite
the harmonious formation of the said law, this entry will tackle instead its
gray areas. The case of Ople vs Torres will be used to elucidate the gray areas
of the aforementioned law.
Ople vs Torres Case Summary
On 12
December 1996, President Fidel V. Ramos issued Administrative Order 308 or
otherwise known as the "Adoption of a National Computerized Identification
Reference System." A.O. 308 establishes a system of identification that is
all-encompassing in scope, affects the life and liberty of every Filipino
citizen and foreign resident, and more particularly, violates their right to
privacy. Such a system requires a delicate adjustment of various contending
state policies: the primacy of national security, the extent of privacy
interest against dossier-gathering by government, the choice of policies, etc. It was published in 4 newspapers of general
circulation thereafter.
Senator Blas F. Ople, then, as a Senator, taxpayer
and of the Government Service Insurance System (GSIS), filed instant petition
against then Executive Secretary Ruben Torres and the heads of the government
agencies, who as members of the Inter-Agency Coordinating Committee are charged
with the implementation of Administrative Order 308. Ople’s contentions
include: (1) the national ID system lays the groundwork for a system which will
violate the individual’s right to privacy; and (2) its issuance is an
encroachment upon the legislative powers of Congress not only due to the fact
that it involved appropriations of public funds but more so because of its
subject matter and scope.
The Supreme Court Ruled
in favor of Senator Blas Ople saying that Administrative Order 308 is intrusive of the right to
privacy. Although such Administrative Order has good intentions (providing Filipino
citizens and foreign residents with the facility to conveniently transact
business with basic service and social security providers and other government
instrumentalities, and requiring a computerized system to properly and
efficiently identify persons seeking basic services on social security and
reduce, if not totally eradicate fraudulent transactions and misrepresentations),
its inadequacies outweigh its adequacies.
Administrative Order 308 fails to provide what specific biological
characteristics and what particular biometrics technology shall be used to
identify people who will seek its coverage. Moreover, it does not state whether
encoding of data is limited to biological information alone for identification
purposes. It
also held that the purpose of the generation the Population Reference Number
was not confined to the sole purpose of identifying each individual but may
also be used for other things remotely related to the avowed purposes of the
administrative order. Moreover, it does not provide for control measures to prevent manipulation, lost
or leakage of information, and there are no penalties or sanctions for unlawful
use or access or unauthorized disclosure of information gathered. Such
shortcomings do impair people’s right to privacy. [2]
Data Privacy Act of 2012
As mentioned earlier, privacy is so vital that it is being recognized and
protected even by the laws. The 1987 Philippine Constitution, specifically
under the Bill of Rights, [3]
provides the following:
Section 1. No person
shall be deprived of life, liberty, or property without due process of law, nor
shall any person be denied the equal protection of the laws.
Section 2. The right of
the people to be secure in their persons, houses, papers, and effects against
unreasonable searches and seizures of whatever nature and for any purpose shall
be inviolable, and no search warrant or warrant of arrest shall issue except
upon probable cause to be determined personally by the judge after examination
under oath or affirmation of the complainant and the witnesses he may produce,
and particularly describing the place to be searched and the persons or things
to be seized.
Section 3.
1. The privacy of communication and
correspondence shall be inviolable except upon lawful order of the court, or
when public safety or order requires otherwise, as prescribed by law.
2. Any evidence obtained in violation of this
or the preceding section shall be inadmissible for any purpose in any
proceeding.
Section 8. The right of
the people, including those employed in the public and private sectors, to form
unions, associations, or societies for purposes not contrary to law shall not
be abridged.
Section
17. No person shall be compelled to be a witness against
himself.
The
Civil Code of the Philippines [4]
provides:
Art. 26. Every person shall respect the dignity, personality, privacy and
peace of mind of his neighbors and other persons. The following and similar
acts, though they may not constitute a criminal offense, shall produce a cause
of action for damages, prevention and other relief:
(1)
Prying into the privacy of another's residence:
(2)
Meddling with or disturbing the private life or family relations of another;
(3)
Intriguing to cause another to be alienated from his friends;
(4)
Vexing or humiliating another on account of his religious beliefs, lowly
station in life, place of birth, physical defect, or other personal condition.
The Revised Penal Code
and the Rules of Court also recognizes the right to privacy. Despite the
significance of the right to privacy, such right is not an absolute right. Other important social interests can be
more important than privacy in particular circumstances.
Data
Privacy Act of 2012 now comes into picture as it is one of the laws that protect
the right to privacy. Chapter I section
2 of the said law states that, “It is the policy of the State to protect the
fundamental human right of privacy, of communication while ensuring free flow
of information to promote innovation and growth. The State recognizes the vital
role of information and communications technology in nation-building and its
inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured
and protected.” [5] Basically,
the purpose of the law is data protection. In this regard, the National Privacy
Commission was created to administer and implement the provisions of the said
Act, and to monitor and ensure compliance of the country with international
standards set for data protection, and other vital functions as provided in Chapter
II Section 7 of R.A. 10173. It applies to the processing of all types of
personal information and to any natural and juridical person involved in
personal information processing including those personal information
controllers and processors who, although not found or established in the
Philippines, use equipment that are located in the Philippines, or those who
maintain an office, branch or agency in the Philippines subject to the
immediately succeeding paragraph: Provided, That the requirements of
Section 5 are complied with.
R.A. 10173 fills up the
shortcomings of A.O. 308. R.A. 10173 provides the framework on how personal
information will be processed, recognizes the right of the data subject, and
provides penalties and imprisonment for any breach of the measures provided for
the privacy of the individual’s personal and sensitive information. R.A. 10173
defines who a data controller and a data processor is in
the event that sensitive and personal information would be taken from
individuals and providing for their responsibilities in maintaining the privacy
of such as well as their liabilities should they fail to conduct the proper
procedures. Even the
superioirs or heads of the National Privacy Commission may be held liable in
some instances.
Now come the unclears. Considering the
vast amount of personal information to be handled and protected, there will
surely be problems that need to be refined about R.A. 10173.
One of the glaring problems that
I see is about the penalty provided for in Section 26 (Accessing Personal Information and Sensitive Personal Information Due
to Negligence) of the said law. I perceive such penalty incommensurate to
the violation.
To illustrate; A filed a life
insurance policy application with B, personal information controller of the
insurance company, that included A’s confidential personal information. A
received a privacy policy from B saying, among other things, “We take steps to
make our computer data bases secure and to safeguard the information we have
about you.” However, employee C, a coworker of employee B, was allowed by B to
use his computer as C was not able to access the internet and send an email to
a client using the computer designated to him. Due to carelessness, employee C inadvertently
clicked the tab function which contains personal information of a client A. As
a consequence, he was able to see the personal information of client A although
not authorized to access it. Would employee C be penalized for accessing
personal information due to negligence as provided for in Chapter VIII Section
26 of R.A. 10173? I find such penalty callous for the violation committed if C
will be penalized. If ever that such act will indeed be penalized, a reduction
of the penalty is highly proposed.
According to William F. Pelgrin, social networking sites have become very
popular avenues for people to communicate with family, friends and colleagues
from around the corner or across the globe. While there can be benefits from
the collaborative, distributed approaches promoted by responsible use of social
networking sites, there are information security and privacy concerns. People
who provide private, sensitive or confidential information about themselves or
other people, whether wittingly or unwittingly, pose a higher risk to
themselves and others. [7]
According to Boyd
and Ellison, [8] we
define social networking sites as web-based services that allow individuals to
(1) construct a public or semi-public profile within a bounded system, (2)
articulate a list of other users with whom they share a connection, and (3)
view and traverse their list of connections and those made by others within the
system. The nature and nomenclature of these connections may vary from site to
site.
While we use the
term “social network site” to describe this phenomenon, the term “social
networking sites” also appears in public discourse, and the two terms are often
used interchangeably. We chose not to employ the term “networking” for two
reasons: emphasis and scope. “Networking” emphasizes relationship initiation,
often between strangers. While networking is possible on these sites, it is not
the primary practice on many of them, nor is it what differentiates them from
other forms of computer-mediated communication (CMC).
What makes social
network sites unique is not that they allow individuals to meet strangers, but
rather that they enable users to articulate and make visible their social
networks. This can result in connections between individuals that would not
otherwise be made, but that is often not the goal, and these meetings are
frequently between “latent ties” (Haythornthwaite, 2005) who share some offline
connection. On many of the large SNSs, participants are not necessarily
“networking” or looking to meet new people; instead, they are primarily
communicating with people who are already a part of their extended social
network. To emphasize this articulated social network as a critical organizing
feature of these sites, we label them “social network sites.”
Although
the issues of online privacy has been a problem for the general public for a
long time it has started to grow rapidly due to technology, to be more precise
in case of sharing services- smart phones that easily enables anyone to make
content and share it with just one click of a button. Due to high penetration
of smartphones with photo and video creation and sharing opportunities, the
amount of personal content available online is has been increasing rapidly.
Posting contents such as picture and video gives rise to new privacy concerns
due to their context revealing details about the physical and social context of
the subject.
The growing amount of online personal content exposes users to a new set of privacy concerns. Digital cameras, and lately, a new class of camera phone applications that can upload photos or video content directly to the web, make publishing of personal content increasingly easy. Privacy concerns are especially acute in the case of multimedia collections, as they could reveal much of the user’s personal and social environment (Dagmar Mäe). [9]
The growing amount of online personal content exposes users to a new set of privacy concerns. Digital cameras, and lately, a new class of camera phone applications that can upload photos or video content directly to the web, make publishing of personal content increasingly easy. Privacy concerns are especially acute in the case of multimedia collections, as they could reveal much of the user’s personal and social environment (Dagmar Mäe). [9]
Consent of the data subject as defined in R.A.
10173 refers to any freely given, specific,
informed indication of will, whereby the data subject agrees to the collection
and processing of personal information about and/or relating to him or her.
Consent shall be evidenced by written, electronic or recorded means. It may
also be given on behalf of the data subject by an agent specifically authorized
by the data subject to do so. Furthermore, sections 12 and 13 of the said law
provide;
Section 12. Criteria for Lawful Processing of Personal
Information. – The processing of personal information
shall be permitted only if not otherwise prohibited by law, and when at least
one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is
necessary and is related to the fulfillment of a contract with the data subject
or in order to take steps at the request of the data subject prior to entering
into a contract;
(c) The processing is necessary for compliance with a
legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally
important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to
national emergency, to comply with the requirements of public order and safety,
or to fulfill functions of public authority which necessarily includes the
processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of
the legitimate interests pursued by the personal information controller or by a
third party or parties to whom the data is disclosed, except where such
interests are overridden by fundamental rights and freedoms of the data subject
which require protection under the Philippine Constitution.
Section 13. Sensitive Personal Information and
Privileged Information. – The processing of sensitive personal
information and privileged information shall be prohibited, except in the
following cases:
(a) The data subject has given his or her consent,
specific to the purpose prior to the processing, or in the case of privileged
information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by
existing laws and regulations:Provided,That such regulatory enactments
guarantee the protection of the sensitive personal information and the
privileged information:Provided,
further,That the consent of
the data subjects are not required by law or regulation permitting the
processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life
and health of the data subject or another person, and the data subject is not
legally or physically able to express his or her consent prior to the
processing;
(d) The processing is necessary to achieve the lawful
and noncommercial objectives of public organizations and their associations:Provided,That such processing is only
confined and related to thebona
fide members of these organizations or their associations:Provided, further,That the sensitive personal
information are not transferred to third parties:Provided, finally,That consent of the data subject
was obtained prior to processing;
(e) The processing is necessary for purposes of
medical treatment, is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of personal
information is ensured; or
(f) The processing concerns such personal information
as is necessary for the protection of lawful rights and interests of natural or
legal persons in court proceedings, or the establishment, exercise or defense
of legal claims, or when provided to government or public authority.
Given
the abovementioned social networking service concerns and the required consent
provided by R.A. 10173, comes now the vagueness of the said law. Can personal
information placed in the networking sites be considered as an implied consent?
Assuming that the answer is in the affirmative, can a third person be allowed
to use such information considering that it is placed online publicly? Does the
law cover personal information stockpiled or transmitted through gadgets like
cellular phones?
Subsection 2, Paragraph f, Section 20 of the law provides, “the
Commission may exempt a personal information controller from notification
where, in its reasonable judgment, such notification would not be in the public
interest or in the interests of the affected data subjects.”
Allowing
the personal infomation controller to be exempt from notifying the data
subject, based on reasonable judgment, can raise the possibility for a
controller to escape responsibility in protecting data privacy.
Conclusion
As Flores (2013) puts it, “undeniably the changes and developments of
technologies affected the daily life of every person. There is no change that
brought all positive. Though, admittedly, the continuous developments that
being made involving communications have turn the world in a more modern way of
living for its citizens. It made life a lot easier for many but as expectedly,
the changes and developments have its down side that laws have to be made and
applied for others’ right to be protected and preserved. There are those that
are really open to unnecessary public scrutiny.” [10]
At the end of the day, everyone wants proper administration of justice
and protection of rights. The downsides and efficacies of RA 10173 should be taken
into account in order to make it as harmonious and effective as possible.
___________________________
[1] Privacy definition, available
at, http://thelawdictionary.org/privacy/
(last visited 5 May 2014).
[2] Blas Ople vs. Ruben Torres, GR No.. 127685, 23 July 1998, available at, http://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html
(last visited 5 May 2014).
[4] Civil Code of the Philippines, available
at, http://www.chanrobles.com/civilcodeofthephilippines1.htm
(last visited 5 May 2014).
[5] RA 10173, available at, http://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html
(last visited 5 May 2014).
[6]Randy H., (2006). Negligence Cases for Data Security Breaches,
available at, http://www.dealertracksfi.com/content/good-deeds-get-rewarded-negligence-cases-for-data-security-breaches
(last visited 5 May 2014).
[7] William P., (2010). Security and
Privacy on Social Networking Sites, available at, http://msisac.cisecurity.org/newsletters/2010-03.cfm(last visited 5 May 2014).
[8] Social Networking Sites,
available at, http://www.danah.org/papers/JCMCIntro.pdf, (last visited 5
May 2014).
[9] http://onecornermind.blogspot.com/2013/07/privacy-necessity_5.html,
(last visited 5 May
2014).
No comments:
Post a Comment