Our
Concept of the Right to Privacy
The right to privacy or the “right to be let alone” has been
immortalized by various Supreme Court decisions and codified in legislations of
the Legislature. Yet, with the dynamic evolution of Information and Communication
Technology (ICT), the right to privacy of every individual remains and is
continually under threat of unlawful invasion. We may say that the basic
essence or concept of the right to privacy is still valid at this modern age
but the evolution of technology expanded the notion of the fundamental right to
privacy as involving what the Philippine Congress proposes to keep inviolate and
sacred—personal data privacy.
Various zones of privacy are recognized and enshrined in several
provisions of our constitution[1],
statutes[2]
and special laws.[3]
In the past, an attempt to put together a centralized national identification
system was thwarted by our Supreme Court in the case of Ople vs. Torres[4]
as it impermissibly intrudes on our protected zone of privacy.
Globally, privacy is likewise recognized as a fundamental human
right by the Universal Declaration on Human Rights[5]
(UN, 1948).
Data protection is not a
new concept to us. Commonwealth Act. No. 591[6]
penalizes the disclosure by any person of data furnished by the individual to
the NSO with imprisonment and fine. Republic Act. No. 1161[7] prohibits public
disclosure of SSS employment records and reports. These laws, however, apply
to records and data with the NSO and the SSS.
Since the 1970s and 1980s
privacy regulations aimed at governing how personal data is processed were
introduced in Europe. While the Europeans are implementing or considering revisions
of their Data Protection Directive which came into force in 1995 our
Legislature is still deliberating on a proposed law called the Data Protection
Act. It is worthy to note however, that the Data Protection Act of 2011 might
have been an offshoot of the Ople vs. Torres case which was decided by our
Supreme Court in 1998.
Fundamental
Principles underlying the Data Protection Act of 2011
By reading the draft of the Data Protection Act of 2011 and Europe’s
Data Protection Directive one cannot fail to observe the similarity between the
two. Strikingly similar are the following fundamental principles[8]
of data privacy protection:
- 1. Individuals should be informed when personal data is collected.
- 2. Individuals should be told who is requesting the data and the reason for their request to help them decide whether to release control of all or part of such data.
- 3. Individuals should be told how they can access data about themselves in order to verify its accuracy and request changes.
- 4. Individuals should be told how their data will be protected from misuse.
In RAND Europe’s Review of the
European Data Protection Drive[9],
they observed that implementing the foregoing principles “is not easy, particularly
in today’s world, where personal data is collected, processed and transferred
in vast amounts, either on behalf of the individuals themselves (e.g. by the state
to preserve security or improve public services) or for the benefit of
commercial organizations.” This is a challenge our country confronts mutually
with the whole world.
The Proposed Data Protection Act of 2011 as a Regulatory Means of Protecting Data
Privacy for Filipino Citizens
The proposed bill
comprised of 44 sections covering various subjects such as scope, establishment
of the National Privacy Commission, rights of data subjects, security of
personal information, security of sensitive personal information in the
government, and penalties for violation.
The Senate bill covers both
private and public sectors. It extends its reach to an entity or a data
processor via its extraterritorial application[10].
It must be emphasized, at this juncture, that in what appears to
be an effort to protect the domestic BPO industry, the proposed bill when
eventually enacted into law will not apply to “personal information originally
collected from residents of foreign jurisdictions in accordance with the laws
of those foreign jurisdictions, including any applicable data privacy laws, which
is being processed in the Philippines.”[11]
Many critics are concerned however regarding its effects on our BPO industry
and the countries within the European Union. Some say that “while
this might make it easier to obtain outsourcing contracts from the USA, it
would seem to make it impossible for the Philippines to be considered by the EU
to provide ‘adequate’ data protection, since the main purpose of adequacy
findings concerns the protection given to data about Europeans.”[12]
This might be a serious problem because the European Data Protection Directive imposes
restrictions on data transfers to prevent
personal data from being moved to countries where the
data protection regime is less stringent.
The question now is how this will
affect call center operations? As we all know, the BPOs collect information
from residents of foreign jurisdictions. It appears from the above-quoted
provision that in order for a Call Center company to be outside the ambit of
the law, each of his call center agents must see to it that the collection of
personal information from residents of foreign jurisdictions must be in
accordance with the privacy laws of such jurisdictions. Interestingly, does
this mean that a call center agent must have a good grasp of privacy laws of
foreign countries?
The
National Privacy Commission (NPC)
Under the proposed bill the NPC will
be the administering and implementing agency of the law. It has the power to
monitor and ensure compliance of our country with international standards set
for data protection[13].
The challenge for the NPC is
enforcement of the law. Privacy is an abstract right. The damages suffered are
often intangible that is why it is very difficult to assign a pecuniary
valuation to it.
As long as the personal data has not
been used illegally, it may be difficult to obtain any compensation for
damages, even if the data controllers are negligent in handling the personal
data and even if this negligence has created a substantial security and privacy
risk. This is possible because there may not be immediate foreseeable damages;
such as for example when a credit card number is leaked and as previously
discussed the leaked data has not yet been abused.
Funding and fiscal adequacy may also
be a problem for the still to be created NPC.
The
Definition of the Personal Information Controllers (PIC) and Personal
Information Processors (PIP) may be Inadequate
It may be inadequate in the sense that a question as to who is a PIC
or PIP in an online environment when a browser visits a website, cookies are
being sent and stored to and from a number of sources around the globe. “A cookie,
also known as an HTTP cookie, web cookie, or browser cookie, is
usually a small piece of data sent from a website and stored in a user's web browser while
a user is browsing a website.xxx Although cookies cannot carry viruses,
and cannot install malware on the host computer, tracking cookies and
especially third-party tracking cookies are commonly used as ways to
compile long-term records of individuals' browsing histories — a major privacy concern that has prompted European
and US law makers to take action.”[14]
Other interesting provisions
Interestingly, the bill makes the right to privacy of the
data subject transmissible[15]
to his heirs after the death of the data subject. It remains to be seen however
how this new provision will play a role in the privacy protection law of our
country.
Another interesting provision is the extraterritorial
application[16]
of the law.
Record-keeping,
Society’s Way to Remedy its Benign Capacity to Forget
As enunciated by the Supreme
Court in Ople vs. Torres “the right to privacy is one of the most threatened
rights of man living in a mass society. The threats emanate from various
sources — governments, journalists, employers, social scientists, etc. xxx It is timely to take note of the well-worded warning of Kalvin, Jr.,
"the disturbing result could be that everyone will live burdened by an
unerasable record of his past and his limitations. In a way, the threat is that
because of its record-keeping, the society will have lost its benign capacity
to forget."
[1]
Sections 1, 2, 3(1), 6, 8, and 17 of Article III of the 1987 Constitution
[2] Civil
Code (Articles 26, 32, and 723), Revised Penal Code (Articles 229, 280 and
290-292)
[3] Anti-Wiretapping Law,
Secrecy of Bank Deposits Act, and
the Intellectual Property Code
[4]See
G.R. No. 127685, July 23, 1998 at: http://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html
[5]
Article 12
[6] Sec. 4, Commonwealth Act No. 591 [1940]
[7] Sec. 24 [c] and 28 [e], R.A. 1161, as amended.
[8] See
RAND Europe, Review of the European Data Protection Directive at: http://www.rand.org/pubs/technical_reports/2009/RAND_TR710.pdf
[9]
Supra
[10] See
Section 5 of the Senate Bill at: http://www.senate.gov.ph/lisdata/1218710275!.pdf
[11] See
HUNTON & WILLIAMS LLP,
Philippines Passes Omnibus Data Protection Law at: http://www.huntonprivacyblog.com/2012/03/articles/philippines-passes-omnibus-data-protection-law/
[12]
See Graham Greenleaf, ASEAN’s New Data
Privacy Laws: Malaysia, the Philippines and Singapore at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2049234&http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2049234
[13]
Section 6 of the Data Protection Act of 2011
[15]
Section 16 of the Data Protection Act of 2011
[16]
Section 5 of the Data Protection Act of 2011