Imagine a situation when your mobile phone suddenly rings and when you look at it, there’s no name appearing on the screen of your mobile phone, only the number of the person calling you. Apparently, the person calling you is not one of those listed in your mobile phone’s directory.
Now, you may ask yourself what to do. Will you answer the call or will you just ignore it? If you just ignore the call, I am very sure that you will be bothered, because you will keep wondering who that person was and why he was calling you. How did that person get your number, or from whom did that person get your number? It seems that someone gave your mobile number to that person calling you without your consent or permission. You may further think that some other personal data were likewise shared with that person calling you and such information may be used against you.
On the other hand, if you decide to answer that call, you may not feel at ease, considering that you may be talking to a complete stranger whom you do not know in the first place, and you may fear that such a person may bring you some trouble in the future. You will be caught in a situation where you are forced to talk to a complete stranger because you are prompted by your curiosity to know who that person was and why, of all people, you are the lucky one called or texted by him.
You may wonder if there is any legal action that you can take against the person who shared your mobile number without your consent. Or you will just wonder what will happen to you if the personal data that you gave had been used for something else without your consent and you are left with no right to take any legal action because there is no existing law that protects your data privacy. You will be left in a quandary because you can’t see any relevant legal protection in such a situation.
Fret not, because the right to privacy is acknowledged and embodied in our Supreme Law, the 1987 Philippine Constitution, the Civil Code of the Philippines, the Revised Penal Code and special laws like RA 1405 otherwise known as the Secrecy of Bank Deposits Act, RA 6426 otherwise known as the Foreign Currency Deposit Act, RA 9510 otherwise known as the Credit Information System Act, the Anti-Wiretapping Law, the Intellectual Property Code of the Philippines, the E-Commerce Act of 2000, the Rules on Electronic Evidence and RA 9160 otherwise known as the Anti-Money Laundering Act. Further, the Rape Victim and Protection Act of 1998 and the Family Courts Act of 1997 are some other laws that have provisions on the right to privacy.
And cognizant of and consistent with the State’s policy1 to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth, President Benigno Aquino III signed Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, on August 15, 2012. Salient features of RA 10173 are the provisions reaffirming the State’s policy on the right to privacy, the Government’s policies and procedures relative to Data Privacy, and the security processes as well as the responsibilities of a data controller, the owner of the data and the other parties who will use one’s data or information. A provision of the law also safeguards journalists from being compelled to reveal the source of any news report or information. To effectively implement RA 10173, the law creates the National Privacy Commission, which will monitor and ensure compliance of the country with international standards set for data protection and shall be headed by a Privacy Commissioner and Deputy Commissioner together with its Secretariat. According to Senator Edgardo Angara, the main proponent of the law in the Senate and the Chairman of the Senate Committee on Science, Technology and Engineering, the approval of the then Senate Bill can help boost the BPO sector by mandating such institutions to secure the confidentiality of all personal information. Further, Angara said that the President’s approval is an equivocal sign that the country is taking the necessary actions to become a functioning knowledge-based, ICT-driven economy.2
To take full advantage of the benefits that the Data Privacy Act of 2012 could bring to all of us, one should first and foremost be familiar with what Data Privacy is.
Why do we need Data Protection? Why do we need a Data Privacy Law? Are our existing laws not enough to protect one’s data and information? Does data protection simply mean requiring that personal data be processed with utmost confidentiality?
The word privacy is subject to different interpretations and may mean different things depending on the context in which it is used. We are living in a world of different nations with different people having diverse beliefs, norms, and cultures, coupled with different viewpoints about how much privacy an individual is entitled to or what comprises a violation and invasion of one’s privacy.
In this age of social media and social networking, the need to protect one’s data is inevitable. One should use this protection of the law to the fullest and make it work to his advantage. However, certain questions keep haunting my mind. Will this relatively new law make our lives easier or more complicated? Will this new law provide answers or leave more questions unanswered instead? These questions are definitely beyond my comprehension. What I am now after is to answer one specific question which will test my understanding of this new law. And it goes like this: “Does sharing someone’s mobile number with another person without the former’s consent constitute a violation of RA 10173, otherwise known as the Data Privacy Act of 2012?”
RA 10173 defines the data subject3, consent, and personal information, and enumerates what is considered sensitive personal information. Likewise, the law is very specific on what it covers5 and on the acts to which it is not applicable, what is considered lawful use of one’s personal information, the acts prohibited in processing the information of the data subject and the corresponding penalties for violation thereof.
Section 3(g) defines personal information as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. Is the mobile number of a person considered personal information? The answer is no. To be considered personal information, the same should have been collected, held, processed and used by a personal information controller. Section 3(h) of the law defines a personal information controller as a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. Likewise, Section 3(i) defines a personal information processor as any natural or juridical person qualified to act as such under the law to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
The law likewise enumerates what is considered sensitive personal information. If a mobile number is not personal information contemplated by the law, will the same fall under those listed as sensitive personal information? Section 3(l) of the law provides that sensitive personal information is personal information: About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and Specifically established by an executive order or an act of Congress to be kept classified. When it comes to coverage, the law applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines. In statutory construction, there is a legal maxim that says “Expressio unius est exclusio alterius”: the expression of one thing is the exclusion of another, or when one or more things of a class are expressly mentioned, others of the same class are excluded. Thus, the mobile number is not sensitive personal information.
Let’s zero in on the issue of consent. Section 3(b) provides that consent of the data subject refers to any freely given, specific, inferred or indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so. Clearly stated, the data subject agrees to the collection and processing of his personal information. Since the mobile number is neither personal information nor sensitive personal information, ergo consent is not required for sharing someone’s mobile number, because what the law requires is the data subject’s consent to the collection and processing of his personal information or sensitive personal information.
Now, considering the premise laid down in the immediately preceding paragraphs, I can now say with conviction that sharing the mobile number of someone with another person does not constitute a violation of RA 10173, otherwise known as the Data Privacy Act of 2012. Again, to be considered personal information or sensitive personal information, such data must be collected, held, and processed by either a person or an organization defined by law as a personal information controller. Section 11 of the law provides that the processing of personal information shall be allowed, subject to compliance with this Act, and should adhere to the principles of transparency, legitimate purpose and proportionality. Further, it states that personal information must be collected for specified and legitimate purposes and processed fairly and lawfully, among others. In addition, Section 12 provides the criteria for the lawful processing of personal information4. As such, sharing someone else’s mobile number with another person is not the processing of personal information contemplated by RA 10173 and does not violate any provision of the law. Certainly, there is no unauthorized processing of personal information and sensitive personal information (Section 25), no accessing of personal information and sensitive personal information due to negligence (Section 26), no improper disposal of personal information and sensitive personal information (Section 27), no processing of personal information and sensitive personal information for unauthorized purposes (Section 28), no unauthorized or intentional breach (Section 29), no concealment of security breaches involving sensitive personal information (Section 30), no malicious disclosure (Section 31), no unauthorized disclosure (Section 32), and no combination or series of acts (Section 33).
It is important to note that not all information is covered by the law. Section 4(a-g)5 provides certain acts to which the law is not applicable. Section 19 further provides that personal information which is used for the needs of scientific and statistical research is likewise not included. A particular provision among the aforementioned provisions of the law, which I find applicable to the case at bar and worth mentioning, is that information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including the title, business address and office telephone number (I should include the mobile number) of the individual, is not covered as processing of personal information contemplated by the law on Data Privacy.
On a personal note, for me, when someone asks for the mobile number of a certain person, I would assume that the purpose of that person asking for the said mobile number is to communicate with the owner of the said mobile number. The person who will receive the call has the choice to entertain the person calling him or just ignore it. I don’t think the mere act of calling him will do some harm or will put him in danger. The person concerned has every opportunity to discern and accept the calls at his convenient time and could directly ask the caller about the calls and discuss the purpose of his calls. I don’t think his privacy is invaded when somebody tries to call him and ask for some information. After all, the concerned person certainly has control of what information he could reveal or up to what extent he is willing to share with that particular person calling him. Reading the provisions of the law, I can say that the act aforementioned is not an invasion of one’s privacy as contemplated by the law and thus cannot be considered a violation of RA 10173. Nowhere in the provisions of the law can we find a reference to such an act by the person sharing the mobile number of a person without the latter’s consent. Further, if confronted with the situation that I have to share certain data or information with another person without the former’s consent, I have to determine the purpose of the person asking for such data or information. After having read the provisions of RA 10173, I would now be in a position to determine if I will be violating the law or not, and I have to be more prudent in sharing data or information with others.
Considering that the law is subject to different interpretations, the provisions of the law are clear that any doubt in the interpretation of any provision shall be liberally interpreted in a manner mindful of the rights and interests of the individual (Chapter IX, Section 38). This provision of the law, to my mind, gives more leeway or a certain advantage to the owner of the data, as this is consistent with the policy of the State in recognizing the fundamental right to privacy.
Now, let’s go over the provisions on penalties for violating the law. It is imperative for everyone to know the provisions of the law and the penalties accompanying certain violations because the legal maxim provides “Ignorance of the law excuses no one from complying therewith”. Thus, allow me to enumerate these violations, with corresponding penalties of imprisonment ranging from one (1) year to five (5) years and a fine in an amount ranging from P 500,000.00 to P 4,000,000.00. These violations are Unauthorized Processing of Personal Information and Sensitive Personal Information, Accessing Personal Information and Sensitive Personal Information Due to Negligence, Improper Disposal of Personal Information and Sensitive Personal Information, Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes, Unauthorized Access or Intentional Breach, Concealment of Security Breaches Involving Sensitive Personal Information, Malicious Disclosure, Unauthorized Disclosure and Combination of these acts. But just to reiterate, the act at issue here, sharing the mobile number of someone with another, does not violate any of the above-mentioned provisions. However, the law also provides us the venue for our complaints as provided for in Section 7(a-q), the National Privacy Commission.6
In conclusion, let me reiterate that sharing the mobile number of someone with another is not a violation of RA 10173, otherwise known as the Data Privacy Act. Firstly, what the law requires is the processing of personal information. The sharing of a mobile number does not entail processing, considering that the law defines in Section 3(j) that processing refers to any operation or any set of operations performed upon personal information, including, but not limited to, collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Secondly, the mobile number is neither personal information nor sensitive personal information as contemplated by the law. In statutory construction, it is well-settled that when the law is clear, there is no room for interpretation, only application. Likewise, there is also the rule in statutory construction that further paves the way for excluding the mobile number as one of the sensitive personal information, since the mobile number is not listed in Section 3(l), following the maxim that the expression of one thing is the exclusion of another, or when one or more things of a class are expressly mentioned, others of the same class are excluded. Thirdly, consent in giving the mobile number of a person to another person is not required, since what the law requires is the consent of the subject matter in processing of all types of personal information and sensitive personal information. Why do we need to ask consent of the data subject in sharing his mobile number when in the first place the same is not required, because the mobile number is neither personal information nor sensitive personal information that is to be processed and controlled? Lastly, not all information is covered by the law, since there are certain exemptions expressly stated in the provisions of the law, particularly in Section 4(a-g)5. The law qualifies the information, the process and the conditions where RA 10173 should apply or not. It is the opposite of a well-settled principle in statutory construction that when the law does not qualify, we should not qualify: because the law clearly qualifies, we should also qualify.
Our personal information and sensitive personal information are now protected because there are now clear provisions that govern the same. Therefore, with this RA 10173, otherwise known as the Data Privacy Act of 2012, that governs personal data and data privacy, we have the right to take any legal action if anything happens to our personal data. In addition, the protection of personal data can be realized if we are able to provide safeguards and safety nets against abuse of some provisions that permit the commission of some acts that would otherwise amount to invasion of data privacy. Let us all read and analyze RA 10173, otherwise known as the Data Privacy Act of 2012, because this is for all of us who value the sanctity of privacy. With regard to the privacy of data vis-à-vis the laws protecting it, let me remind you of the Supreme Court’s stand on the right to privacy. The Supreme Court underscores in no uncertain terms that the right to privacy does not bar all incursions into individual privacy. It merely requires that the law be narrowly focused and that a compelling interest justify such intrusions. Intrusions into the right must be accompanied by proper safeguards and well-defined standards to prevent unconstitutional invasions. Further, the Supreme Court reiterates that any law or order that invades individual privacy will be subjected to strict scrutiny. The reason for this stance was laid down in Morfe v. Mutuc.7
Let me ask you the following questions: If someone asks you for the mobile number of a certain person without the latter’s consent or permission, would you be willing to give it to him instantly? Will you think many times over before sharing it? Or will you not oblige the request? Decide based on your knowledge of the law because at the end of the day, it is you who will suffer the consequences and it is you who will be benefited if there is any benefit you could derive from it.
________________________________________
1 RA 10173 Section 2 – Declaration of Policy – It
is the policy of the State to protect the fundamental human right of privacy,
of communication while ensuring free flow of information to promote innovation
and growth.
2 http://www.computerworld.com.ph/news/245-president-aquino-approves-data-privacy-act
3 RA 10173 Section 3 (c) – Data subject refers to an individual whose personal information is processed.
4 RA 10173 Section 12 – Criteria for lawful processing of personal information – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purpose of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
5 RA 10173 Section 4 – Scope – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, that the requirements of Section 5 are complied with.
The Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including: (1) The fact that the individual is or was an officer or employee of the government institution; (2) The title, business address and office telephone number of the individual; (3) The classification, salary range and responsibilities of the position held by the individual; (4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposit Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act 9510, and Republic Act No. 9160 as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws;
(g) Personal information originally collected from residents of foreign jurisdiction in accordance with the laws of those foreign jurisdiction, including any applicable data privacy which is being processed in the Philippines.
6 Functions of the National Privacy Commission – To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, which shall have the functions enumerated in Section 6 (a-q) of RA 10173;
7 Morfe v. Mutuc, supra, at 444-445 citing Emerson, "Nine Justices in Search of a Doctrine," 64