R.A. No. 10173 or the Data Privacy Act of 2012 https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-d...

R.A. No. 10173 or the Data Privacy Act of

2012

carolinecorro

INTRODUCTION

An acute observer of the social scene, Carmen Guerrero-Nakpil, once said:

“Privacy? What’s that? There is no precise word for it in Filipino, and as far as I
know any Filipino dialect and there is none because there is no need for it. The
concept and practice of privacy are missing from conventional Filipino life. The
Filipino believes that privacy is an unnecessary imposition, an eccentricity that
is barely pardonable or, at best, an esoteric Western afterthought smacking of
legal trickery.”

OVERVIEW OF THE RIGHT TO PRIVACY

The right to privacy is well-entrenched in the 1987 Constitution, particularly in the

Bill of Rights and safeguarded by several provisions of the Civil Code, the Revised
Penal Code, and certain laws which provide penalties for their violation in the
form of imprisonment, fines, or damages.

Pertinent provisions of the Bill of Rights provides:

“Sec. 1. No person shall be deprived of life, liberty, or property without due process
of law, nor shall any person be denied the equal protection of the laws.”

“Sec. 2. The right of the people to be secure in their persons, houses papers, and
effects against unreasonable searches and seizures of whatever nature and for any
purpose shall be inviolable, and no search warrant or warrant of arrest shall issue
except upon probable cause to be determined personally by the judge after
examination under oath or affirmation of the complainant and the witnesses he
may produce, and particularly describing the place to be searched and the persons
or things to be seized.”

“Sec. 3. (1) The privacy of communication and correspondence shall be inviolable

except upon lawful order of the court, or when public safety or order requires
otherwise as prescribed by law.”

“Sec. 6. The liberty of abode and of changing the same within the limits prescribed
by law shall not be impaired except upon lawful order of the court. Neither shall
the right to travel be impaired except in the interest of national security, public
safety, or public health as may be provided by law.”

1 of 7 30/01/2018, 6:26 PM
R.A. No. 10173 or the Data Privacy Act of 2012 https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-d...

“Sec. 8. The right of the people, including those employed in the public and private
sectors, to form unions, associations, or societies for purposes not contrary to law
shall not be abridged.”

Sec. 17. No person shall be compelled to be a witness against himself.”

Similarly, the Civil Code provides that “[e]very person shall respect the dignity,
personality, privacy and peace of mind of his neighbors and other persons” and
punishes as actionable torts several acts by a person of meddling and prying into
the privacy of another.1 It also holds a public officer or employee or any private
individual liable for damages for any violation of the rights and liberties of another
person,2 and recognizes the privacy of letters and other private
communications.3

In like manner, the Revised Penal Code makes a crime the violation of secrets by
an officer,4 the revelation of trade and industrial secrets,5 and trespass to
dwelling.6 Invasion of privacy is an offense in special laws like the Anti-
Wiretapping Law,7 the Secrecy of Bank Deposits Act8 and the Intellectual
Property Code.9

Also, the Rules of Court on privileged communication likewise recognize the

privacy of certain information.10

DATA PRIVACY ACT OF 2012

Republic Act No. 10173, also known as the Data Privacy Act of 2012, is an act
protecting individual personal information in information and communications
systems in the government and the private sector, creating for this purpose a
national privacy commission, and for other purposes.

The Data Privacy Act of 2012 aims to protect the fundamental human right of
privacy, of communication while ensuring free flow of information to promote
innovation and growth. It also aims to ensure that personal information in
information and communications systems in the government and in the private
sector are secured and protected.

This Act was approved by President Benigno S. Aquino III on August 15, 2012. It
contains nine (9) chapters and forty five (45) sections. It was published on August
24, 2012. it took effect on September 8, 2012, which was 15 days after its
publication in at least two (2) national newspapers of general circulation. An
independent body known as National Privacy Commision was created to
administer and implement the provisions of this Act and to monitor and ensure
compliance of the country with international standard set for data protection.

This Act is based on standards set by the European Parliament and at par with the

2 of 7 30/01/2018, 6:26 PM
R.A. No. 10173 or the Data Privacy Act of 2012 https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-d...

Asia Pacific Economic Cooperation (APEC) Information Privacy Framework

standards. The Data Privacy Act of 2012 mandates the public and private
institutions to protect and preserve the integrity and confidentiality of all personal
data that they might gather, in compliance with international data security
standards.

The enactment of this law hopes to maintain the competitiveness of our country
and boost investments in the information technology-business processing
outsourcing (IT-BPO) sectors and support a healthy information and
communications technology (ICT) industry.

At the outset, it is worthy to enumerate the prominent characteristics of which

may be summarized as follows:

1. Principally deals with the processing of Personal Information (Sec. 3g) and
Sensitive Personal Information (Section 3l);

2. It paved the way for the creation of the National Privacy Commission which has
yet to promulgate the Implementing Rules and Regulations (Sec. 7).

3. The Processing of Personal Information is lawful under the following

circumstances:

a. there is consent of the data subject;

b. necessary to the fulfillment of a contract or of a legal obligation;

c. in response to national emergency, public order and safety;

d. when the life and health, or other vital interests of the data subject are involved;

e. in pursuit of legitimate interests by the personal information controller or by a

third party to whom the data is disclosed provided that the fundamental rights
and freedoms of the data are not violated.

4. On the other hand, processing of Companies who subcontract processing of

personal information to 3rd party shall have full liability and can’t pass the
accountability of such responsibility (Sec. 14).

5. Data subject has the right to know if their personal information is being processed.
The person can demand information such as the source of info, how their personal
information is being used, and copy of their information. One has the right to
request removal and destruction of one’s personal data unless there is a legal
obligation that required for it to be kept or processed. (Secs. 16 and 18)

6. If the data subject has already passed away or became incapacitated (for one
reason or another), their legal assignee or lawful heirs may invoke their data
privacy rights. (Sec. 17)

3 of 7 30/01/2018, 6:26 PM
R.A. No. 10173 or the Data Privacy Act of 2012 https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-d...

7. Personal information controllers must ensure security measures are in place to

protect the personal information they process and be compliant with the
requirements of this law. (Secs. 20 and 21)

8. In case a personal information controller systems or data got compromised, they

must notify the affected data subjects and the National Privacy Commission. (Sec.
20)

9. Heads of government agencies must ensure their system compliance to this law
(including security requirements). Personnel can only access sensitive personal
information off-site, limited to 1000 records, in government systems with proper
authority and in a secured manner. (Sec. 22)

10. Contracts, which involve the access of sensitive personal information from one
thousand (1,000) or more individuals, shall register their Personal Information
Processing System with the Commission (Sec. 24).

11. Penalties of imprisonment ranging from three (3) years to six (6) and a fine not
less than One Million Pesos (Php1,000,000.00) but not to exceed Five Million
Pesos (Php5,000,000.00) shall be imposed on the processing of personal
information and sensitive personal information based on the following acts:

a. Unauthorized Processing (Sec. 25);

b. Accessing due to Negligence (Sec. 26);

c. Improper disposal (Sec. 27);

d. Processing for Unauthorized Purposes (Sec. 28);

e. Unauthorized Access or Intentional Breach (Sec. 29);

f. Concealment of Security Breaches (Sec. 30);

g. Malicious Disclosure (Sec. 31); and

h. Unauthorized Disclosure (Sec. 32).

11. An accessory penalty consisting in the disqualification to occupy public office for a
term double the term of criminal penalty imposed shall he applied if the offense is
committed by a public officer (Sec. 36).

SCOPE

Section 4 of Republic Act No. 10173 or the Data Privacy Act of 2012 provides that
this Act shall apply to the processing of all types of personal information and to
any natural and juridical person involved in personal information processing
including those personal information controllers and processors who, although
not found or established in the Philippines, use equipment that are located in the

4 of 7 30/01/2018, 6:26 PM
R.A. No. 10173 or the Data Privacy Act of 2012 https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-d...

Philippines, or those who maintain an office, branch or agency in the Philippines.

However, this Act does not apply to the following:

1. Information about any individual who is or was an officer or employee of a

government institution that relates to the position or functions of the individual;

2. Information about an individual who is or was performing service under contract

for a government institution that relates to the services performed, including the
terms of the contract, and the name of the individual given in the course of the
performance of those services;

3. Personal information processed for journalistic, artistic, literary or research

purposes;

4. Information necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the independent,
central monetary authority and law enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions. Nothing in this Act shall be
construed as to have amended or repealed Republic Act No. 1405, otherwise
known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise
known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise
known as the Credit Information System Act (CISA);

5. Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money Laundering Act and other
applicable laws; and

6. Personal information originally collected from residents of foreign jurisdictions in

accordance with the laws of those foreign jurisdictions, including any applicable
data privacy laws, which is being processed in the Philippines.

Is the Disclosure of Someone’s Mobile Number to a third person

without the owner’s consent a Violation of R.A. No. 10173?

At the outset, it must be born in mind that the Data Privacy Act of 2012 principally
regulates the processing of personal information and sensitive personal
information of an individual.

Processing refers to any operation or any set of operations performed upon

personal information including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.

5 of 7 30/01/2018, 6:26 PM
R.A. No. 10173 or the Data Privacy Act of 2012 https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-d...

Personal Information is defined as any information, whether recorded in a

material form or not, from which the identity of an individual is apparent or can
be reasonably and directly ascertained by the entity holding the information, or
when put together with other information would directly and certainly identify an
individual.

Data subject refers to an individual whose personal information is processed.

Firstly, the mobile number alone cannot be considered a personal information

pursuant to the above-definition considering that the identity of an individual may
not be reasonably ascertained by the entity holding such information. Hence, even
if the mobile number is put together with other information, it would not serve
the purpose of direct identification of the person who owns said mobile number.

Secondly, the mere act of A in disclosing the mobile number of B to a third

person does not fall within the definition of Processing considering it does not
involve the use of data. In other words, a mobile number alone can hardly be
considered “data.”

In relation thereto, Commonwealth Act. No. 591 penalizes the disclosure by any
person of data furnished by the individual to the NSO with imprisonment and
fine. Republic Act. No. 1161 prohibits public disclosure of SSS employment records
and reports. These laws, however, apply to records and data with the NSO and the
SSS. In the instant scenario, there is no “processing” nor “data” to speak of.

In fine, there being no data nor any personal information to be processed in the
given problem, A’s act did not violate the Data Privacy Act.

CONCLUSION

At any rate, even if the National Privacy Commission has not yet come out with its
Implementing Rules and Regulations, a plain reading of the provisions of the
Data Privacy Act of 2012 clearly shows the legislature’s continuing concern to the
protection of the right to privacy consistent with the continuing advancement in
technology. As succinctly explained in Whalen vs. Roeis:11

“We are not unaware of the threat to privacy implicit in the accumulation of vast
amounts of personal information in computerized data banks or other massive
government files. The collection of taxes, the distribution of welfare and social
security benefits, the supervision of public health, the direction of our Armed
Forces and the enforcement of the criminal laws all require the orderly
preservation of great quantities of information, much of which is personal in
character and potentially embarrassing or harmful if disclosed. The right to collect
and use such data for public purposes is typically accompanied by a concomitant
statutory or regulatory duty to avoid unwarranted disclosures.”

6 of 7 30/01/2018, 6:26 PM
R.A. No. 10173 or the Data Privacy Act of 2012 https://carolinecorro.wordpress.com/2013/07/05/r-a-no-10173-or-the-d...

In Ople vs. Torres,12 the Supreme Court underscored in no uncertain terms, that
the right to privacy does not bar all incursions into individual privacy. The right is
not intended to stifle scientific and technological advancements that enhance
public service and the common good. It merely requires that the law be narrowly
focused and a compelling interest justify such intrusions. Intrusions into the right
must be accompanied by proper safeguards and well-defined standards to prevent
unconstitutional invasions. Any law or order that invades individual privacy will
be subjected by the Court to strict scrutiny.13

7 of 7 30/01/2018, 6:26 PM