Will R.A. no. 10173, otherwise known as the Data Privacy Act of 2012 provide sufficient mechanism to the introduction of a National Identification System in the Philippines without the Constitutional issues that arose in the case of Ople v. Torres (293 SCRA 141, (1998))?
I. Introduction
Poverty has always been the tremendous and almost uncontrollable problem the country has ever and will continue to face. According to the National Statistical Coordination Board (NSCB), poverty incidence among the Philippine population was estimated at 27.9% during the first semester of 2012, which was .9% and .7% lower than the poverty incidence rates of the first semesters of the years 2006 and 2009[i]; thus, poverty incidence, even after six (6) years, still remain virtually unchanged notwithstanding economic growth[ii]. How come? One cause may be attributed to an inefficient public service wherein the provisions of basic social services for the people are hampered by the problem of red tape within the Philippine government bureaucracy. One solution can curb such problem within the government and that is the institution of a National ID System.
The promise of a National ID System is that it will improve government services by cutting the red tape and thus, streamlining legitimate transactions between the government and its people. Further, the basic feature of the system would beneficially aid in preventing the commission of fraud and misrepresentations in obtaining basic social services that are provided by the government. Indeed, a National ID System promises numerous benefits and convenience for both the government and the people. And that is why the Philippine Government had made attempts to implement such a system. One attempt was when former Philippine President Fidel V. Ramos issued Administrative Order no. 308 (A.O. no. 308) on December 12, 1996, which sought for the “Adoption of a National Computerized Identification Reference System”. A.O. no. 308 sought to provide a facility for the benefit of Filipino citizens and foreign residents in order for them “to conveniently transact business with basic service and social security providers and other government instrumentalities”, and also “to properly and efficiently identify persons seeking basic services on social security and reduce, if not totally eradicate, fraudulent transactions and misrepresentations”. However, A.O. no. 308 was deemed as unconstitutional by the Supreme Court in the case of Ople v. Torres (293 SCRA 141).
In the said case, the majority ruled that A.O. no. 308 involves a subject that is not appropriate to be covered by a mere administrative order because the latter, which relates to specific aspects in the administrative operation of government, must be in harmony with the law and should be for the sole purpose of implementing the law and carrying out the legislative policy[iii]. But more importantly, the majority opined that A.O. no. 308 violated the fundamental right to privacy as enshrined by the Constitution. The majority held that even assuming arguendo that the Adoption of a National Computerized Identification Reference System can be contained in an administrative order, the same constitutes a violation against the fundamental right to privacy because A.O. no. 308 was not narrowly drawn and did not contain any provision that will provide safeguards against indiscriminate disclosure of information regarding the data subjects and from other potential abuses[iv]. On the other hand, the dissenters of the same case argued that the determination of the constitutionality of A.O. no. 308 was premature because no injury was committed to anyone; thus, there was no case or controversy that was appropriate or ripe for determination[v]. Unlike the majority, the dissenters did not have high regard to the right to privacy. It must be emphasized however, that the case was resolved in 1998 wherein technologies like the Internet was still new and social networking was still in its infancy. If the case was decided today, I believe that the dissenters would have ruled differently because the significance and benefits of the right to privacy had grew immensely due to the rapid technological advances. The significance of the right to privacy was acknowledged by the Philippine Congress when it enacted into law, R.A. no. 10173, otherwise known as the Data Privacy Act of 2012. Under R.A. no. 10173, personal information in information and communication systems are afforded with protection and other safeguards from unlawful disclosures and other abuses, which are threats to privacy.
Indeed, a National ID System is very promising but there are potential dangers especially to the fundamental right of privacy that must be considered before it is instituted. That is why I believe that the Supreme Court correctly ruled when it deemed A.O. no. 308 as unconstitutional in Ople v. Torres (293 SCRA 141). However, with the enactment of R.A. no. 10173, the majority opinion in the Ople case regarding the potential dangers to the right to privacy may have lost its ground. Thus the question:
Will R.A. no. 10173, otherwise known as the Data Privacy Act of 2012 provide sufficient mechanism to the introduction of a National Identification System in the Philippines without the Constitutional issues that arose in the case of Ople v. Torres (293 SCRA 141, (1998))?
II. Body
In order to answer the above question, there is a need to know the salient features of R.A. no. 10173, otherwise known as the Data Privacy Act of 2012.
Salient Features of R.A. no. 10173
In declaring its policy, the law not only acknowledged the significance of protecting the fundamental right of privacy but also recognized the vital role of information and communications technology in nation building and its inherent obligation to ensure that personal information in information and communications systems in government and in the private sector must be secured and protected[vi]. Thus, in order to keep its avowed policy, the law created the National Privacy Commission, the functions of which are, inter alia, ensure compliance of personal information controllers and ultimately ensure that the Data Privacy Act is implemented[vii]. But it must be emphasized that the Commission was also empowered to receive complaints, investigate and adjudicate matters relating to personal information and to review, approve, reject or require modification of privacy codes in order to meet the standard that will ensure data protection[viii]. Thus, the law created a quasi – judicial body that possesses the required expertise in the field of information technology and data privacy. With such creation, persons aggrieved may now seek for remedies within the Commission instead of going to judicial courts, which do not possess the level of expertise that the Commission does. Also, the creation would obviously produce convenience and speed up the process in adjudicating a matter affecting personal information.
Another salient feature of the law is that it provides for numerous safeguards that will secure and protect personal information. Several of those safeguards are found in Chapter III of the law, which provides for General Data Privacy Principles, Criteria for Lawful Processing of Personal Information and the Sensitive Personal Information and Privileged Information. [ix] Under the General Data Privacy Principles, the processing of personal information shall be allowed subject of course, to the provisions of the Data Privacy Act and other laws and the same be made for legitimate purpose and proportionality. The General Data Privacy Principles enunciate that personal information must be collected for specified and legitimate purposes only, processed in a fair and lawful manner, and in a way such that it is compatible with the declared and specified purpose and that the processing must be made for as long as necessary for the fulfillment of the purposes for which the data was obtained or as necessary for the establishment, exercise or defense of legal claims or for legitimate purposes or as provided by law[x]. It is important to note that in reading the General Principles, such principles emphasize that the processing of personal information must be lawful and for a legitimate purpose. So one may ask, when is the processing considered lawful? Under the law, the processing shall be considered lawful and permitted only if: 1. The processing is not prohibited by law and; 2. When at least one of the conditions exist[xi]:
a. Data subject has given his or her consent;
b. The processing is necessary and is related to the fulfillment of a contract with the data subject;
c. The processing is necessary for compliance with a legal obligation to which the personal information is subject;
d. The processing is necessary to protect vitally important interests of the data subject, including life and health;
e. The processing is necessary because of a national emergency, public order and safety or in order to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate;
f. The processing is necessary because of legitimate interests pursued by a personal information controller of by a third party to whom the data was disclosed subject to fundamental rights enshrined under the Constitution.
In view of the above principles, criteria and conditions, it is worthy to note that the Data Privacy Act of 2012 is sufficiently detailed and narrowly drawn such that the potential dangers or threats to privacy are sufficiently allayed. But notwithstanding the foregoing, the law still provides for several other safeguards. One of them concerns Sensitive Personal Information and Privileged Information[xii]. Under the law, the processing of Sensitive Personal Information and Privileged Information are, as a general rule, prohibited unless the case warranting the processing falls under the exceptions expressly enumerated under Sec. 13, of the Data Privacy Act. Thus, if the case does not fall under the exceptions, the processing is prohibited.
Moving forward, the Data Privacy Act also expressly enumerated the statutory rights of the data subject, thereby strengthening and providing more safeguards for the protection of their personal information and right to privacy. Under the law, the data subject has the right to be informed and be furnished information regarding the processing of his personal information and to reasonably access, upon demand matters pertaining to the processing of his personal information including, inter alia, the names and addresses of the recipients, the manner by which the data were processed and the reasons for the disclosure of the personal information to recipients[xiii].
Another salient but peculiar feature of the Data Privacy Act is the weight of responsibility given to a personal information controller. As discussed above, the National Privacy Commission was created with the function of ensuring that personal information controllers comply with the provisions the Data Privacy Act. The Data Privacy Act not only provides the duties of a personal information controller as gleaned from Sec. 20 of the same law, but the same also expressly provides, among others, that each personal information controller is responsible for personal information under its custody, including information that have been transferred to a third party for processing, whether domestically or internationally[xiv]. Such a responsibility is amplified by the penalties prescribed under Chapter VIII of the law.
Another salient but also peculiar feature of the law is found under Chapter VII, which provides for the Security of Sensitive Information in Government. Under Sec. 23, an agency personnel or employee can access sensitive personal information if allowed by the head of an agency, who under Sec. 22, is the one responsible for complying with the security requirements provided by the information and communications industry and the Commission. Observing Chapter VII, it can be gleaned from the provisions contained therein that the term “processing” is absent but instead use the term “access”; thus, it can be inferred that the government employees is limited only to an access to such sensitive personal information unless the case involved falls within the exceptions provided under Sec. 13 of the same law.
The last but one of the most important salient features of the law is the penalties. The prohibited acts and corresponding penalties would logically toughen the safeguards already mentioned above. Furthermore, the law provides for an additional penalty of disqualification occupy public office when the prohibited act is committed by a public officer. Under the Chapter VIII of the Data Privacy Act, the following acts are penalized[xv]:
1. Unauthorized Processing of Personal Information– punishable by imprisonment from one (1) year to three (3) years and a fine ranging from P500,000.00 to not more than P1,000,000.00[xvi];
2. Unauthorized Processing of Sensitive Personal Information – punishable by imprisonment from three (3) to six (6) years and a fine ranging from P500,000.00 to P4,000,000.00[xvii];
3. Accessing Personal Information Due to Negligence – punishable by imprisonment from one (1) year to (3) years and a fine ranging from P 500,000.00 to P1,000,000.00[xviii];
4. Accessing Sensitive Personal Information Due to Negligence – punishable by imprisonment from three (3) to six (6) years and a fine ranging from P500,000.00 to not more than P4,000,000.00[xix];
5. Improper Disposal of Personal Information – punishable by imprisonment from six (6) months to two (2) years and a fine ranging from P100,000.00 to not more than P500,000.00[xx];
6. Improper Disposal of Sensitive Personal Information – punishable by imprisonment from one (1) to three (3) years and a fine not less than P100,000.00 to not more than P1,000,000.00[xxi];
7. Processing of Personal Information for Unauthorized Purposes – Punishable by imprisonment from one (1) year and six(6) months to five (5) years and a fine ranging from P500,000.00 to P1,000,000.00[xxii];
8. Processing of Sensitive Personal Information for Unauthorized Purposes – punishable by imprisonment from two (2) years to seven (7) years and a fine ranging from P500,000.00 to not more than P2,000,000.00[xxiii];
9. Unauthorized Access or Intentional Breach – punishable by imprisonment from one (1) to three (3) years and a fine ranging from P500,00.00 to not more than P2,000,000.00[xxiv];
10. Concealment of Security Breaches Involving Personal Information – punishable by imprisonment from one (1) year and six (6) months to five (5) years and a fine ranging from P500,000.00 to not more than P1,000,000.00[xxv];
11. Malicious Disclosure – punishable by imprisonment from one (1) year and six (6) months to five (5) years and a fine ranging from P500,000.00 to P1,000,000.00[xxvi];
12. Unauthorized Disclosure – punishable by imprisonment from one (1) year to three (3) years and a fine ranging from P500,000.00 to P1,000,000.00 if the disclosure involved is personal information; if sensitive personal information, punishable by imprisonment from three (3) to five (5) years and a fine ranging from P500,000.00 to not more than P2,000,000.00[xxvii].
Are the Salient Features of R.A. no. 10173 Sufficient?
Now that the salient features of the law have been discussed, we can now determine whether the Data Privacy Act of 2012 possess sufficient mechanisms for the introduction of a National ID System without the Constitutional issues that arose in the Ople case. So is it sufficient? IT DEPENDS. In the Ople Case, A.O. no. 308 was nullified based on two grounds: 1. A.O. no. 308 involves a subject not appropriate to be covered by a mere administrative order and; 2. A.O. no. 308 violated the right to privacy.
With regard to the first ground, if the National ID System will be promulgated by way of another administrative order, then such shall fail. This is because an administrative order must be based upon a law; there is nothing in the contents of the Data Privacy Act of 2012 that it speaks of a National ID System.
On the other hand, if the National ID System is promulgated by way of a statute then any argument as to any usurpation of legislative power shall definitely be rendered to be without basis. Further, if the National ID System is promulgated by way of a statute or legislative act, then the Data Privacy Act of 2012 can apply suppletorily. In such a case, the numerous safeguards under such law will undoubtedly subdue the potential dangers and fears that a National ID System creates. With this, the potential dangers and threats to the fundamental right to privacy as opined by the majority in the Ople case would be substantially subdued. And even assuming arguendo that the statute or law containing the National ID System is not narrowly drawn and that it contain no or less safeguards that will ensure protection to data privacy, the Data Privacy Act of 2012 will cure such a defect because the latter will apply suppletorily and as observed, is narrowly drawn, detailed and provides for numerous safeguards that will ensure protection and security to data privacy and ultimately, to the right to privacy. Simply put, the Data Privacy Act possesses sufficient mechanisms to ensure that the fundamental right to privacy will be protected and secured when a National ID System should in case becomes a law and subsequently implemented.
It also must be emphasized that R.A. no. 10173 was based upon the EU Parliament Data Privacy Directive[xxviii] and the APEC Privacy Framework.[xxix] With this, the international standards for data privacy protection set by the EU Parliament Privacy Directive and the APEC Framework, was also instituted in R.A. no. 10173, bolstering the claim that the latter possess sufficient safeguards for the protection of data privacy. Thus, such international standards can apply when the National ID System is promulgated and implemented.
III. Conclusion
As discussed above, a National ID System is very promising. The only major setback from making such system to be enacted into law by our legislature is the potential dangers and threats it has against the fundamental right to privacy, which is enshrined and guaranteed by our Constitution. However, because of the enactment of R.A. no. 10173, otherwise known, as the Data Privacy Act of 2012, such potential dangers and threats shall be substantially allayed provided however, that the Data Privacy Act will apply to the law containing the National ID System. If it would thus apply, then the safeguards provided under the law will certainly help ensure that the personal information and sensitive personal information under the National ID Law will be secured and protected from unlawful processing, disclosure, access and other abuses. In view of all the foregoing, I submit that R.A. no. 10173, otherwise known as the Data Privacy Act of 2012, provides for sufficient mechanisms and safeguards that will ensure that the fundamental right to privacy will be protected and secured when a National ID System should in case becomes a law and subsequently implemented.
It is worthy to note of H.B. no. 6895 or “An Act Establishing the Filipino Identification System”[xxx]. The House Bill basically provides for the institution of a National ID System. If such bill will be enacted into law, it will help improve government services by cutting the red tape and thus, streamlining legitimate transactions between the government and the people.
[i] Poverty Incidence Unchanged, as of first semester 2012 – NSCB. National Statistics and Coordination Board, April 13, 2013. http://www.nscb.gov.ph/poverty/defaultnew.asp. Accessed May 4, 2013.
[ii] Olchondra, Riza and Burgonio, TJ. Stellar Economic Growth at 6.6%. Inquirer Business, Feb. 1, 2013. http://business.inquirer.net/105219/neda-ph-economy-grew-by-6-6-in-2012. Accessed May 4, 2013.
[iii] Ople v. Torres (293 SCRA 141).
[iv] Id. Majority Opinion penned by Justice Puno
[v] Id. See dissenting opinions of Justice Kapunan and Justice Mendoza
[vi] Sec. 2, R.A. no. 10173
[vii] Sec. 7, id.
[viii] Sec. 7 (b)(j), id.
[ix] Chapter III, Processing of Personal Information, (Sec. 11-15) R.A. no. 10173; See definition of Processing under Sec. 3(j).
[x] Sec. 11, R.A. no. 10173.
[xi] Sec. 12 (a-f), R.A. no. id.
[xii] See Sec. 3(k) and Sec. 3(l) for definitions, id.
[xiii] See Sec. 16, id.
[xiv] Sec. 21. Principle of Accountability, id.
[xv] Under Sec. 33 of R.A. no. 10173, any combination or series of acts as defined in Sections 25-32 shall make the offender liable for imprisonment ranging from three(3) years to six (6) years and a fine not less than P1,000,000.00 but not more than P5,000,000.00
[xvi] Sec. 25, R.A. no 10173.
[xvii] Id.
[xviii] Sec. 26, id.
[xix] Id.
[xx] Sec. 27, id.
[xxi] Id.
[xxii] Sec. 28,id.
[xxiii] Id.
[xxiv] Sec. 29, id.
[xxv] Sec. 30,id.
[xxvi] Sec. 31, id.
[xxvii] Sec. 32,id.
[xxviii] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. Accessed May 4, 2013.
[xxix] APEC Privacy Framework. http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx. Accessed May 4, 2013.
[xxx] Copy downloadable at http://www.congress.gov.ph/
No comments:
Post a Comment