Thursday, July 19, 2012

YOU HAVE A RIGHT TO BE LET ALONE


Our Concept of the Right to Privacy

The right to privacy, or the “right to be let alone,” has been immortalized in various Supreme Court decisions and codified in acts of the Legislature. Yet with the dynamic evolution of Information and Communication Technology (ICT), the right to privacy of every individual is continually under threat of unlawful invasion. The basic concept of the right to privacy remains valid in the modern age, but the evolution of technology has expanded the notion of this fundamental right to include what the Philippine Congress proposes to keep inviolate and sacred: personal data privacy.
Various zones of privacy are recognized and enshrined in several provisions of our Constitution[1], statutes[2] and special laws.[3] In the past, an attempt to put together a centralized national identification system was thwarted by our Supreme Court in the case of Ople vs. Torres[4] because it impermissibly intruded on our protected zone of privacy.
Globally, privacy is likewise recognized as a fundamental human right by the Universal Declaration on Human Rights[5] (UN, 1948).
Data protection is not a new concept to us. Commonwealth Act No. 591[6] penalizes, with imprisonment and a fine, the disclosure by any person of data furnished by an individual to the NSO. Republic Act No. 1161[7] prohibits public disclosure of SSS employment records and reports. These laws, however, apply only to records and data held by the NSO and the SSS.

Since the 1970s and 1980s, privacy regulations aimed at governing how personal data is processed have been introduced in Europe. While the Europeans are implementing or considering revisions of their Data Protection Directive, which came into force in 1995, our Legislature is still deliberating on a proposed law called the Data Protection Act. It is worth noting, however, that the Data Protection Act of 2011 might have been an offshoot of the Ople vs. Torres case, which was decided by our Supreme Court in 1998.

Fundamental Principles underlying the Data Protection Act of 2011

Reading the draft of the Data Protection Act of 2011 alongside Europe’s Data Protection Directive, one cannot fail to observe the similarity between the two. Strikingly similar are the following fundamental principles[8] of data privacy protection:

  1. Individuals should be informed when personal data is collected.
  2. Individuals should be told who is requesting the data and the reason for their request to help them decide whether to release control of all or part of such data.
  3. Individuals should be told how they can access data about themselves in order to verify its accuracy and request changes.
  4. Individuals should be told how their data will be protected from misuse.


In its Review of the European Data Protection Directive[9], RAND Europe observed that implementing the foregoing principles “is not easy, particularly in today’s world, where personal data is collected, processed and transferred in vast amounts, either on behalf of the individuals themselves (e.g. by the state to preserve security or improve public services) or for the benefit of commercial organizations.” This is a challenge our country shares with the rest of the world.

The Proposed Data Protection Act of 2011 as a Regulatory Means of Protecting Data Privacy for Filipino Citizens

The proposed bill comprises 44 sections covering various subjects such as scope, establishment of the National Privacy Commission, rights of data subjects, security of personal information, security of sensitive personal information in the government, and penalties for violation.

The Senate bill covers both private and public sectors. It extends its reach to an entity or a data processor via its extraterritorial application[10].

It must be emphasized, at this juncture, that in what appears to be an effort to protect the domestic BPO industry, the proposed bill, when eventually enacted into law, will not apply to “personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.”[11] Many critics, however, are concerned about its effects on our BPO industry and on the countries within the European Union. Some say that “while this might make it easier to obtain outsourcing contracts from the USA, it would seem to make it impossible for the Philippines to be considered by the EU to provide ‘adequate’ data protection, since the main purpose of adequacy findings concerns the protection given to data about Europeans.”[12] This might be a serious problem because the European Data Protection Directive imposes restrictions on data transfers to prevent personal data from being moved to countries where the data protection regime is less stringent.

The question now is how this will affect call center operations. As we all know, BPOs collect information from residents of foreign jurisdictions. It appears from the above-quoted provision that, for a call center company to be outside the ambit of the law, each of its call center agents must see to it that the collection of personal information from residents of foreign jurisdictions is in accordance with the privacy laws of those jurisdictions. Does this mean that a call center agent must have a good grasp of the privacy laws of foreign countries?

The National Privacy Commission (NPC)

Under the proposed bill, the NPC will be the administering and implementing agency of the law. It has the power to monitor and ensure our country's compliance with international standards set for data protection[13].

The challenge for the NPC is enforcement of the law. Privacy is an abstract right. The damages suffered are often intangible, which is why it is very difficult to assign a pecuniary valuation to them.

As long as the personal data has not been used illegally, it may be difficult to obtain any compensation for damages, even if the data controllers are negligent in handling the personal data and even if this negligence has created a substantial security and privacy risk. This is possible because there may be no immediately foreseeable damages, for example when a credit card number is leaked but the leaked data has not yet been abused.

Funding and fiscal adequacy may also be a problem for the still-to-be-created NPC.

The Definition of the Personal Information Controllers (PIC) and Personal Information Processors (PIP) may be Inadequate

The definition may be inadequate in that it leaves open the question of who is a PIC or PIP in an online environment: when a browser visits a website, cookies are sent and stored, to and from a number of sources around the globe. “A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website. xxx Although cookies cannot carry viruses, and cannot install malware on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals' browsing histories — a major privacy concern that has prompted European and US law makers to take action.”[14]

Other interesting provisions

Interestingly, the bill makes the data subject's right to privacy transmissible[15] to his heirs after his death. It remains to be seen, however, what role this new provision will play in the privacy protection law of our country.

Another interesting provision is the extraterritorial application[16] of the law.

Record-keeping, Society’s Way to Remedy its Benign Capacity to Forget

As enunciated by the Supreme Court in Ople vs. Torres, “the right to privacy is one of the most threatened rights of man living in a mass society. The threats emanate from various sources — governments, journalists, employers, social scientists, etc. xxx It is timely to take note of the well-worded warning of Kalvin, Jr., ‘the disturbing result could be that everyone will live burdened by an unerasable record of his past and his limitations. In a way, the threat is that because of its record-keeping, the society will have lost its benign capacity to forget.’”



[1] Sections 1, 2, 3(1), 6, 8, and 17 of Article III of the 1987 Constitution
[2] Civil Code (Articles 26, 32, and 723), Revised Penal Code (Articles 229, 280 and 290-292)
[3] Anti-Wiretapping Law, Secrecy of Bank Deposits Act, and the Intellectual Property Code
[5] Article 12
[6] Sec. 4, Commonwealth Act No. 591 [1940]
[7] Sec. 24 [c] and 28 [e], R.A. 1161, as amended.
[8] See RAND Europe, Review of the European Data Protection Directive at: http://www.rand.org/pubs/technical_reports/2009/RAND_TR710.pdf
[9] Supra
[10] See Section 5 of the Senate Bill at: http://www.senate.gov.ph/lisdata/1218710275!.pdf
[12] See Graham Greenleaf, ASEAN’s New Data Privacy Laws: Malaysia, the Philippines and Singapore at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2049234
[13] Section 6 of the Data Protection Act of 2011
[15] Section 16 of the Data Protection Act of 2011
[16] Section 5 of the Data Protection Act of 2011