Privacy? What’s that? There is no precise word for it in Filipino, and as far as I know any Filipino dialect and there is none because there is no need for it. The concept and practice of privacy are missing from conventional Filipino life. The Filipino believes that privacy is an unnecessary imposition, an eccentricity that is barely pardonable or, at best, an esoteric Western afterthought smacking of legal trickery.[i]
The right to privacy is one of the most threatened rights of man living in a mass society.[ii] The essence of privacy is the right to be left alone. In context, the right to privacy means the right to be free from unwarranted exploitation of one’s person or from intrusion into one’s private activities in such a way as to cause humiliation to a person’s ordinary sensibilities.[iii]
As the digital age advances, the concept of privacy now yields to convenience. Before computers were invented, people did not mind personally carrying huge amounts of cash to pay for groceries, clothing and other personal effects. Now, for “convenience”, contemporary people do some of their shopping using a “credit card”. The convenience brought by the credit card is insurmountable; it removes the burden of carrying cash every time you step out of your home. However, such “convenience” opens the door to possible risk. By using a credit card, a holder effectively cedes his “privacy” to credit card companies. Credit card companies, based on your purchase data, can detect your spending pattern, your whereabouts, and even your product preferences. This scenario is also true of post-paid plan subscriptions for cellular phones and internet surfing. These data, when transmitted into the hands of unscrupulous persons, may cause harm to the life and property of the data owner.
Thus, data protection is necessary in order to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The passage of Republic Act 10173, “AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES”, otherwise known as the “Data Privacy Act of 2012”, which aims to protect the confidentiality and secrecy of data as well as their transmission in the Philippines, effectively combats the high risk inherent in the digital age.
As declared in Section 2 of RA 10173, “the State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.” The Data Privacy Act (RA 10173) mandates public and private enterprises to protect all personal and confidential information exchanged during internet-based transactions.[iv]
In order to ensure compliance, the law makes certain acts punishable, such as, Unauthorized Processing of Personal Information and Sensitive Personal Information, Accessing Personal Information and Sensitive Personal Information Due to Negligence, Improper Disposal of Personal Information and Sensitive Personal Information, Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes, Unauthorized Access or Intentional Breach, Concealment of Security Breaches Involving Sensitive Personal Information, Malicious Disclosure, Unauthorized Disclosure, and any Combination or Series of Acts.
One of the punishable acts under the law is “unauthorized disclosure”. Under Section 32 of RA 10173, any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
Moreover, any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).
Because of the gravity of the penalties (imprisonment and fine) imposed, it is worth discussing the extent of the coverage of said punishable act. One may ask: is one person’s act of disclosing the mobile number of another, without the latter’s consent, a violation of R.A. No. 10173, and thus punishable by fine and imprisonment?
Such a proposition actually contains four basic questions: Does a cellular phone number constitute “personal information”? Does the keeping of phone numbers constitute “processing” under the act? Is an individual who keeps cellular phone numbers thereby classified as a “personal information processor/controller”? Finally, will the act of disclosing a cellular phone number to a third person, without the owner’s consent, be punishable under RA 10173?
The Data Privacy Act of 2012 applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, including those personal information controllers or processors who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines.[v]
On the first question, does a cellular phone number constitute “personal information”? Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
The law did not give an example of “personal information”, maybe to avoid a possible legal hermeneutic battle in the future. The term personal information can include anything, as long as that information can be used in ascertaining the identity of a person and such information does not fall under the definition of “sensitive personal information”[vi]. Thus it may include bank accounts, credit card transactions and medical histories. How about cellular phone numbers: do they constitute “personal information”?
A mobile phone (also known as a cellular phone, cell phone, and a hand phone) is a device that can make and receive telephone calls over a radio link while moving around a wide geographic area. It does so by connecting to a cellular network provided by a mobile phone operator, allowing access to the public telephone network. In addition to telephony, modern mobile phones also support a wide variety of other services such as text messaging, MMS, email, Internet access, short-range wireless communications (infrared, Bluetooth), business applications, gaming and photography.[vii]
A mobile phone usually contains a subscriber identity module or subscriber identification module (SIM), an integrated circuit that securely stores the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers).[viii]
A SIM card contains its unique serial number (integrated circuit card identifier), international mobile subscriber identity (IMSI), security authentication and ciphering information, temporary information related to the local network, a list of the services the user has access to and two passwords: a personal identification number (PIN) for ordinary use and a personal unblocking code (PUK) for PIN unlocking.
SIM cards are identified on their individual operator networks by a unique International Mobile Subscriber Identity (IMSI). Mobile network operators connect mobile phone calls and communicate with their market SIM cards using their IMSIs. The format is:
- The first three digits represent the Mobile Country Code (MCC).
- The next two or three digits represent the Mobile Network Code (MNC).
- The next digits represent the Mobile Subscriber Identification Number (MSIN). Normally there will be 10 digits but would be fewer in the case of a 3-digit MNC or if national regulations indicate that the total length of the IMSI should be less than 15 digits.[ix]
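The IMSI layout listed above can be split mechanically, as this added example shows (it is not part of the original article; `parse_imsi`, `Imsi` and the sample values are hypothetical and constructed). It assumes the caller already knows whether the network uses a 2- or 3-digit MNC, since the digits alone do not say, and it masks the subscriber-specific MSIN before the value is logged or shared.

```python
from dataclasses import dataclass

MAX_IMSI_DIGITS = 15  # upper bound given in the format description above


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, always 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number (the remainder)

    def redacted(self) -> str:
        """Keep the network prefix, mask the subscriber-specific MSIN."""
        return f"{self.mcc}{self.mnc}{'*' * len(self.msin)}"


def parse_imsi(raw: str, mnc_len: int) -> Imsi:
    """Split an IMSI into MCC / MNC / MSIN.

    mnc_len is an input (assumption: taken from the relevant numbering
    plan), because the IMSI itself does not encode the MNC length.
    """
    digits = raw.strip()
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("IMSI must contain only decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is either 2 or 3 digits")
    # At least one MSIN digit must remain, and the total is capped at 15.
    if not 3 + mnc_len < len(digits) <= MAX_IMSI_DIGITS:
        raise ValueError("IMSI length out of range")
    return Imsi(digits[:3], digits[3:3 + mnc_len], digits[3 + mnc_len:])


if __name__ == "__main__":
    # Constructed sample values, not real subscribers.
    for raw, mnc_len in [("515021234567890", 2), ("310410123456789", 3)]:
        imsi = parse_imsi(raw, mnc_len)
        print(imsi, "->", imsi.redacted())
```
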
Hence, each cellular phone number is unique and would pertain solely to a particular user. Although on its face one may not readily identify the owner of a particular cellular phone number, when put together with other information, such as the phone book of another person or some other source, it would directly and certainly identify an individual. Indeed, a cellular phone number is “personal information” under RA 10173.
Does the keeping of phone numbers constitute “processing” under the act? Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
The definition is comprehensive and categorical, with no exclusions; thus the mere storage or recording of a cellular phone number would constitute processing under the act. The act, however, fails to clearly distinguish between “automatic processing” and “manual processing” of data. However, under the “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, on which the data privacy act was heavily based[x], data protection must apply as much to automatic processing of data as to manual processing. The scope of the protection must not in effect depend on the techniques used; otherwise this would create a serious risk of circumvention. Nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files. The content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, shall under no circumstances fall within the scope of the directive.[xi]
Moreover, RA 10173 defines a filing system as any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
Hence, before the storage or recording of a cellular phone number would constitute processing under the act, it must be made under “automatic processing”. Its applicability to “manual processing” is conditional upon a showing that the data was structurally filed according to specific criteria. Storing someone else’s cellular phone number in one’s cellular phone’s memory, including the keeping of these numbers in hard copies, structurally made, would be “processing” as defined by law.
Next would be the definition of “Personal information controllers”. Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term, however, does not include a person or organization who performs such functions as instructed by another person or organization; and an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
Unlike personal information, the definition of “personal information controllers” contains two (2) exclusions: (1) a person or organization who performs such functions as instructed by another person or organization; and (2) an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
The first exclusion should be read in relation to Section 14, which provides that a personal information controller may subcontract the processing of personal information, provided that the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information; and provided further that the personal information processor shall comply with all the requirements of the act (RA 10173) and other applicable laws. The first exclusion is actually not an exclusion per se; it is but a mere “distinction” made by law between “information controllers” and “information processors”. The acts of both are regulated under RA 10173.
The second exclusion covers individuals who collect, hold, process or use personal information in connection with the individual’s personal, family or household affairs. Who are covered by this proviso? It would seem that the law did not elaborate on this provision. In the absence of rules and regulations implementing the policies enshrined in this act, the rules on statutory construction permit that, in interpreting a vague provision of law, due regard may be given to its international origin in order to promote uniformity in its application and the observance of good faith in international trade relations. The generally accepted principles of international law and convention on electronic commerce shall likewise be considered.[xii]
In the words of Senator Edgardo Angara, “the Data Privacy Act was based heavily from Directive 95/46/EC of the European Parliament and Council and is at par with the Asia Pacific Economic Cooperation (APEC) Information Privacy Framework standards”. Based on the APEC Information Privacy Framework, the Privacy Framework “applies to persons or organizations in the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information.” The APEC Framework further provides that “individuals will often collect, hold and use personal information for personal, family or household purposes. For example, they often keep address books and phone lists or prepare newsletters. The Framework is not intended to apply to such personal, family, or household activity”.
The Directive 95/46/EC of the European Parliament and Council on the other hand provides that “Directive shall not apply to the processing of personal data by a natural person in the course of a purely personal or household activity”.
We must therefore distinguish between information processed for purposes connected with the individual’s “personal, family or household affairs” and information that is not. If such information is processed for purposes pertaining to the former, then the data privacy act will not apply. One can assume that you will only become a “data controller/processor” as defined in the law when you are engaged in the business of processing information, i.e. for a fee, you perform services to the public by processing personal information, or when the personal information reached your hands as an “incidental” effect of your being engaged in business, notwithstanding that the industry to which your business belongs is totally unrelated to information processing.
Keeping the mobile phone numbers of friends and family for personal purposes, although it qualifies as “processing”, would not make the holder of that information an “information controller or processor” under the Data Privacy Act of 2012. Hence, the disclosure to a third party of someone else’s cellular phone number without the consent of the data owner is not punishable under the act.
However, the author would like to put a caveat on the miscellaneous provision of the act, which provides that “any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed”. Any doubt as to the impact of this “interpretative provision” will be cleared, upon issuance and promulgation of the implementing rules and regulations for the act.
[i] Morfe vs Mutuc, G.R. No. L-20387, January 31, 1968, citing: Carmen Guerrero-Nakpil, Consensus of One, Sunday Times Magazine, Sept. 24, 1967
[ii] Ople vs. Torres, G.R. No. 127685, July 23, 1998
[iii] Social Justice Society vs Dangerous Drugs Board, G.R. No. 157870, November 3, 2008
[v] Section 5 of RA 10173
[vi] Sensitive personal information refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
[xii] MCC Sales Corporation vs. Ssanyong Corporation, G.R. No. 170633, October 17, 2007