Will the Data Privacy Act of 2012 provide a sufficient mechanism to the introduction of the National I.D. System in the Philippines without the issues challenged in the case of Ople vs. Torres?
“They: the makers of the constitution: conferred, as against the government, the right to be let alone-the most comprehensive of rights, and the rights most valued by civilized men.”
-Justice Louis P. Brandeis
“BIG BROTHER IS WATCHING YOU”
After learning the subject matter for this blog, I immediately thought of the movie “The Net” that my grade school teacher made us watch in our Computer Lab class. I vaguely remember the whole movie, but it was about a woman whose identity was erased by the government to cover-up a conspiracy. The deletion of the identity was made possible because the government kept a database containing the social security number and other pertinent personal information of its citizens. Of course, it is a Hollywood movie but the plot may not be as far-fetched as we think. With the technology that we have now, who knows? It might lead to a situation, where, as George Orwell describes it, “the Big Brother is watching you.”
THE RIGHT TO BE LET ALONE
The right to privacy is a fundamental right that is enshrined in the 1987 Constitution, particularly Article III, the Bill of Rights. The following provisions relate to the right to privacy:
Section 3.(1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.
(2) Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding.
Section 2.The right of the people to be secure in their persons, houses, persons, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.
Section 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety or public health, as may be provided by law.
Section 8. The right of the people, including those employed in the public and private sectors, for form union, associations, or societies, for purposes not contrary to shall not be abridged.
Section 17. No person shall be compelled to be a witness against himself.
As one of the rights recognized in the Bill of Rights, it limits the inherent powers of the State. This means that the State may not interfere with these rights unless there is “existence of grave and imminent danger of a substantive evil which the state has the right to prevent.” [i]
OPLE vs. TORRES
The right to privacy has been given primacy against arbitrary state intrusion as held in a plethora of jurisprudence, one of which is the case of Ople vs. Torres. In this case, the Court invalidated Admin Order No. 308 entitled “Adoption of National Computerized Identification Reference System” on the ground that such order intrudes on the citizenry’s protected zone of privacy[ii].
Identification System is nothing new in other parts of the world. It has reached the shores of the Philippines in an attempt to make government transactions systematic. This idea that each will be given a Population Reference Number (PRN) as a “common reference number to establish a linkage among concerned agencies” through the use of biometrics technology[iii] has opened up various discourse on matters relating to the extent of government intrusion as opposed to the constitutional right to privacy of an individual. It is a question of how comfortable are we to submit our personal information to authorities with a possible threat of misuse of information. It is a question of how willing are we to sacrifice our fundamental right to privacy for the general welfare of all. It is a question as to whether the Data Privacy Act is a guarantee to safeguard our privacy.
The highly ambitious Identification Reference System seeks to “conveniently transact business with basic service and social security providers and other government instrumentalities; and to properly and efficiently identify persons seeking basic services on social security and reduce, if not totally eradicate fraudulent transactions and misrepresentations.”[iv] The Court held that, the two purpose of the law were “vague and overbreadth” and “not compelling enough to warrant AO No. 308” to justify the government’s intrusion of the right to privacy. I agree with the Court. As I have learned in my Constitutional II class, no matter how righteous the purpose of a law, when the means employed in accomplishing it is clashing with the constitutional parameters, in this case the right to privacy, such law/order should not be allowed.
THE DATA PRIVACY ACT OF 2012
Fourteen years later, after the Court struck down A.O. No. 38, the Data Privacy Act of 2012 or RA 10173 has been enacted. Its purpose is “to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth; the state recognizes the vital role of information and communications systems in the government and in the private sector are secured and protected”. [v] And now the question is, is this the law that will steer the proposed National I.D System into reality? Will the provisions of R.A 10173 provide a sufficient mechanism to the introduction of the said system in the Philippines without infringing the right to privacy?
NO ABSOLUTE SAFEGUARD
As much as I believe in the noble intent of the legislators in enacting this law, I do not believe that it has teeth as a law to safeguard the fundamental right of an individual to privacy. Why? Because of the likes of Julian Assange. Who can forget what the founder Julian Assange did when he leaked diplomatic cables and other classified information. The leak compromised diplomatic relations and posed internal security risks in the most powerful countries in the world. The information-security breached happened in countries where there exists the most sophisticated and modern database in the world. How were they able to breach the security of the thousands of files containing classified information? The fact is, almost everything can be hacked now. As technology evolves, the author also evolves.
The proposed National Computerized Identification Reference may be compromised by the likes of Julian Assange. R.A. 10173, Chapter VIII which provides for the penalties of unlawful and unauthorized processing of personal information will only be relevant in this issue if the perpetrators are caught, without prejudice to the provisions of R.A 10175. The said penalty provisions impose fine and imprisonment ranging from one year to seven years depending on the degree of the breach. Only those few years in exchange for the loss of privacy which cannot be absolutely restored?
PROVISIONS OF R.A. 10173
1.Section 3(h) and (i) in relation to Section 14
Section 3 (h) states the definition of Personal Information Controller, “it refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person to collect, hold, process, use, transfer or disclose personal information on his or her behalf.”
Section 3 (i), on the other hand, states the definition of Personal Information Processor which refers to “any natural or juridical person qualifies to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.”
Section 14 states that “a personal controller may subcontract the processing of personal information: Provided, that the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.”
In the above provisions, it is without a doubt that the Personal Information Controller has a crucial and very dominant role in the handling of personal information of the data subjects. I imagine him as the Architect in the movie “The Matrix: Revolutions”, only less theatrical. In the said definition, the word “control” caught my attention. It can be both a harmless and a terrifying word. The personal information controller has the control in the handling and usage of personal information. Like all of us, he is only human, subject to temptations. As such, there is a possibility of abuse or misuse of the personal information like identity scam or theft.
What’s more is that, the job can be subcontracted to a third party personal controller, provided, the two controllers exercise proper safeguards of confidentiality. The problem with this scenario is that when more parties are involved, the higher the probability of intrusion of privacy of the data subject, the greater the risk of confidentiality breach. The moment the data subject submits the personal information to the personal controller, he loses control of the usage of such data. The data subject will now be content in exercising his rights as a data subject under Chapter IV Section 16, which, in a worst case scenario, could be very well an exercise in futility when damage to privacy has been done.
2. Section 5
This section provides protection afforded to journalists and their sources, “nothing in this act shall be construed as to have amended or repealed the provisions of Republic Act No. 52, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor or reporter.”
Assuming that the collection of personal information was declared for the purpose of systematic identification of all prisoners in the country, where each was given identification number. A prisoner escaped and was identified. Due to the personal information he submitted, possibly credit card number, he was tracked down by the Personal Information Controller. And here comes a journalist, willing to do anything to obtain an exclusive on this matter, successfully bribes the Personal Information Controller as to the whereabouts of the fugitive. The next day, he publishes his interview with the fugitive. His defense would be Section 5, that he cannot be compelled to reveal the source of any news report which was related to him under the guise of confidentiality. Is this fair?
3. Section 11(a)
This section states that personal information must be, “collected for specified and legitimate purposes determined and declared before or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.”
Under this section, there are two ways for collecting personal information, one, collecting after the purpose of such collection has been determined, and the second one, collecting before the purpose of such collection has been determined. The tricky part here is that data collection may transpire even before the specific and legitimate purpose has been determined, provided it must be processed in a way compatible with such declared, specified and legitimate purposes only. Notwithstanding the proviso clause, this might set a dangerous precedence which could paved way to cases of mishandling of data that could lead to violation of right to privacy, right against unreasonable searches and seizures, right to liberty of abode, right to form unions and associations, and the right against self-incrimination.
4. Section 12
The foregoing section states the criteria for lawful processing of personal information, and which enumerates the six instances where processing of personal information shall be permitted. The first is when data subject has given his or her consent to process his personal information. It is but logical that consent be freely given by data subject, otherwise, the purpose of this law shall be thwarted. The succeeding instances enumerated therein do not require consent from the data subject. The processing personal information, even without consent of data subject, shall be collected if it is necessary to the fulfillment of a contract entered by the data subject; compliance with a legal obligation of the data subject; when it is to protect important interests of the data subject, including life and health; and for purposes of the legitimate interests pursued by personal information controller or by a third party except where such interests are overridden by fundamental rights protected by the Constitution.
Section 12(e) is very interesting as I believe that this would be an exercise of police power. It states that, “the processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate.”
Police power has been defined as the most essential, insistent and the least limitable of powers, extending as does to all the great public need, negatively, it has been defined as “that inherent and plenary power in the State which enables it to prohibit all that is hurtful to the comfort, safety and welfare of society.[vi]
Under Section 12 (e), the state can invoke its police power under the guise of reasonableness and use the processed information from the National I.D System and overlook the provisions of confidentiality of R.A. 10173. This is of course, without prejudice to the tests of valid exercise of police power. However, there exists a presumption that when the state exercises its police power, such act is valid. Now, suppose a national emergency has transpired such as threat to national defense or terrorism, the state can invoke this provision to gather intelligence information in an effort to protect itself from terrorism. Such act would be very commendable. But there would be another side to this story too. One where there is recklessness involved in using the personal information to conduct searches to unwary citizens which could very well trample the right to privacy. Again, it cannot be emphasized enough that the use of personal information may lead to cases of mishandling of information.
5. Section 13 (a)
According to the said section, “the processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: (a) the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing.”
I have pointed out earlier under Section 11, the data subject may consent to the data collection even before the specified and legitimate purposes have been determined. However, since this section deals with sensitive personal information and privileged information, there is a requirement of prior consent, from both parties involved, in the case of privileged communication.
I find the usage of the word “consent” vague, although it was defined under Section 3 (b). Consent is given freely for a specific purpose and can be given on behalf of the data subject. It connotes approval or permission to use data after knowledge of the purpose of processing such sensitive personal information. There is a bit of a gray area here, suppose the data subject consented to the use of the personal information for purpose 1 and but did not consent to the usage for purpose 2, what happens now?
Suppose in the proposed uniform I.D system, not all Filipinos consented to provide sensitive information required for a particular purpose, what happens now? It seems like the purpose of the identification system when it comes to processing of sensitive information will not be accomplished since consent of data subject is mandatory. And what about those who are uneducated and illiterate, should we take their consent less seriously assuming that they have no knowledge of the implications of possible invasion of their right to privacy?
KNOWLEDGE IS POWER
Cliché but true, knowledge is power. Knowledge combined with technological advances will be more potent as an instrument when used to enhance the lives of the people. The proposed National Computerized Identification Reference System, is an example of what the national government can do with the knowledge of personal information processed from data subjects. However, possession and control of such knowledge is too great a power to entrust without being critical about it. Once you surrender your personal information, you are rendered immobilized as to who, when, or how will it be accessed. It is as if, your personal information and privacy will be at the mercy of those who have knowledge of it. The truth is, the existence of R.A. 10173 will not downplay several scenarios that could potentially lead to misuse of information, and thus interfere with the fundamental right to privacy. The risks are too high to gamble upon because it involves a fundamental, human and basic right of a person.
The Philippines is a young country in terms of modernization and technological advances. Nonetheless, we pride ourselves with ideals of democracy and freedom. As a nation that had experienced numerous human rights violations during the Martial Law years, any discourse on the intrusion of right to privacy, curtailment of freedom of speech or any law which threatens to limit the provisions of the Bill of Rights, would be a sensitive issue. The Philippines, is simply not ready for the National I.D. System.
[i] Philippine Blooming Mills Employees Organization vs. Philippine Blooming Mills Co., Inc., 50 SCRA 189, 202-203 (1973)
[ii] Blas F. Ople vs. Ruben Torres. G.R. No. 127685, July 23, 1998. http://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html
[v] R.A. 10173, Data Privacy Act of 2012.
[vi] Ermita-Malate Hotel and Motel Operators Association, Inc. vs. Mayor of Manila, L-24693, July 31, 1967.