GIT Lecture 9 - Cybercrime Laws in The Philippines

Cybercrime Laws
in the Philippines
Saint Louis University – SAMCIS - Computer Applications Department G.I.T. – Living in the IT Era
A brief retrospective view
How it all started
2
The ILOVEYOU worm
On the year 2000,

A Filipino named Onel De Guzman
created a worm that sent messages
through email with an attachment:
“LOVE-LETTER-FORYOU.txt.vbs”
▣ when opened, the file activates a code
that sends an instruction to forward
the same email to all the contacts of
the user.
3
The ILOVEYOU worm
▣ The worm spread to e-mail accounts across the globe,

affecting even the accounts of U.S. Officials.
▣ This prompted the FBI to identify the source of the worm,
which was then traced back to the Philippines.
▣ It is believed that the estimated damages caused by the
worm reached 10 billion USD.
4
Guide Questions
▣ Q 1.1: Upon the arrest of Onel De Guzman,

Were his actions illegal?
5
No
Onel De Guzman was caught but was released shortly
afterwards because there wasn’t any pre-existing laws in
the country for which he can be prosecuted.
6
Want big impact?
Use big image.
7
Beginnings of cybercrime in the philippines
▣ A serious threat was exposed due to Onel De Guzman’s

actions.
▣ Prior to Onel De Guzman’s actions, there were no legal
provision that criminalizes cybercrimes in any way,
providing a way for internet-users to be exploited in a lot of
different ways.
▣ Legislators scrammed to enact a law that would begin to
cover this.
8
Philippine E-commerce Act of 2000
Republict Act 8792
9
▣ R.A. 8792 is an act providing for the recognition and use of

electronic commercial and non-commercial transactions
and documents, penalties for unlawful use thereof and for
other purposes.
▣ In addition, R.A. 8792 was also used to define certain illegal
activities concerning the use of various devices in an effort
to provide a legal provision to deter future actions similar to
what Onel De Guzman did.
10
Important provisions of R.A. 8792
▣ Ch. II. Sec 6. Legal Recognition of Data Messages.
□ Information shall not be denied legal effect, validity or

enforceability solely on the grounds that it is in the data
message purporting to give rise to such legal effect, or
that it is merely referred to in that electronic data
message.
11
Important provisions of R.A. 8792
▣ Ch. II. Sec 6. Legal Recognition of Data Messages.
□ This provision gives text messages, e-mails, or any other

similar modes communication done through electronic
means such as unaltered screenshots, the same legal
validity as physical messages.
12
▣ Ch. II. Sec 7. Legal Recognition of Electronic Documents.
□ Electronic documents shall have the legal effect, validity

or enforceability as any other document or legal writing.
□ For evidentiary purposes, an electronic document shall
be the functional equivalent of a written document under
existing laws.
13
▣ Ch. II. Sec 7. Legal Recognition of Electronic Documents.
□ This provision gives softcopy of documents, the same

legal validity as physical documents.
□ These documents should be recognized for as long as
their authenticity is verified.
14
Prohibited acts: Hacking
▣ Hacking / Cracking
□ Unauthorized access into a computer system/server or
information and communication system;
□ Any access in order to corrupt, alter, steal, or destroy
using a computer, … , without the knowledge and
consent of the owner [of the computer system];
□ Introduction of computer viruses and the like, resulting
in the corruption, destruction, alteration, theft or loss of
electronic data messages or electronic document.
15
Prohibited acts: Hacking
▣ Hacking / Cracking
□ In order for anyone to be prosecuted for having performed

these acts, it is important to focus on the exact wording of
the law, which requires individual to:
access a computer or computer system, with the intention
to corrupt, alter, steal, or destroy.
□ It is important for these intentions to be present for
someone to be considered as “hacking” or “cracking”.
16
Prohibited acts: Piracy
▣ Piracy
□ Unauthorized copying, reproduction, storage, uploading,
downloading, communication, or broadcasting of
protected material, … , through the use of
telecommunication networks, such as, but not limited to,
the internet, in a manner that infringes intellectual
property rights.
17
▣ Penalties
□ Minimum fine of One Hundred Thousand Pesos (Php

100,000.00) and a maximum commensurate to the
damage incurred, and;
□ Mandatory imprisonment of 6 months to 3 years;
18
Guide Questions: R.A. 8792
▣ Does connecting to an open WiFi Network (WiFi

with no password), without the consent of the
owner of the network, constitute to a violation of
RA 8792?
19
No!
By merely accessing it, there was no clear intent to
“corrupt, alter, steal, or destroy”.
At least according to RA 8792, this is not illegal.
20
“
More recently, the following law is the
most comprehensive cybercrime law
enacted in the Philippines.
To date, this is the cornerstone of
cybercrime protection for citizens in the
Philippines.
21
Cybercrime Prevention Act of 2012
Republict Act 10175
22
▣ R.A. 10175 is an act that adopts sufficient powers to

effectively prevent and combat cybercrime offenses
by facilitating their detection, investigation, and
prosecution at both the domestic and international
levels, and by providing arrangements for fast and
reliable international cooperation.
23
DEFINTION
▣ A cybercrime is a crime committed with or through
the use of information and communication
technologies such as radio, television, cellular phone,
computer and network, and other communication
device or application.
24
Three Types of Cybercrimes

1. Offenses against the confidentiality, integrity and
availability (CIA) of computer data and systems;
2. Computer-related offenses;
3. Content-related offenses;
** There is a fourth offense, which refers to “offenses related to infringements
of copyright and related rights”. This, however, is not included in the RA 10175
because a separate law is currently in that punishes such offenses.
25
Jurisdiction of RA 10175
Who can be charged with violations of this law?
1. Any violation committed by a Filipino national regardless of the
place of commission.
2. Any of the elements was committed within the Philippines or
committed with the use of any computer system wholly or partly
situated in the country.
3. When by such commission any damage is caused to a natural or
juridical person who, at the time the offense was committed, was
in the Philippines.
26
Explanation
1. Pag isang Pilipino ang nagkasala, kahit nasaan pa siyang lupalop ng
mundo, ay pwedeng kasuhan ng paglabag sa RA 10175.
2. Kung may kahit na anong parte ng krimen na nangyari sa
Pilipinas, kasama na ang paggamit ng kahit na anong computer sa
Pilipinas para sa gawaing maaaring maparusahan ng paglabas sa
bata s na ito.
3. Kung ang biktima, sa panahon na nangyari ang isang krimen, ay
nasa loob ng Pilipinas, ang sinumang gumawa ng krimen ay
maaari din maparusahan.
27
▣ Ch. II. Sec 4 (a). CIA of Computer Data and Systems
1. Illegal Access
□ The access to the whole or any part of a computer
system without right.
▪ Without right means having no consent from the owner of
the computer system.
▪ Access is the instruction, communication with, storing /
retrieving data from, or [making] use of any resources of a
computer system or communication network.
28
▣ Does connecting to an open WiFi Network (WiFi

with no password) without the consent of the
owner of the network constitute to a violation of
RA 10175?
29
YES!
Illegal access is to “make use of any resources” without right (consent).
Even if this is not punishable under RA 8792, it is under RA 10175.
30
2. Illegal Interception
□ The interception made by technical means without right
of any non-public transmission of computer data.
□ Interception is listening to, recording, monitoring or
surveillance of the content of communications, (…),
through the use of electronic eavesdropping or tapping
devices, at the same time that the communication is
occurring.
31
32
▣ Example:
□ Have you experienced receiving coming from
“bpionline.com.ph” with a subject line of “Update your
security details now”?
□ These e-mails ask the recipients to go to a site to login by
placing their credentials.
□ Unknown to many, the purpose of those websites is to
intercept or to just get your user credentials so they can
access your real online banking accounts.
33
3. Data Interference
□ The intentional or reckless alteration, damaging,
deletion or deterioration of computer data, electronic
document, or electronic data message, without right,
including the introduction or transmission of viruses.
34
▣ Consider this situation:
□ You have a friend who will send a file to you through a
flash drive.
□ Unknown to both of you, the flash drive has a virus in it.
□ After you copied the file you need from the flash drive
of your friend, you noticed that your files and folders
suddenly disappeared and only a shortcut icon appeared
on your personal folder.
▣ Is your friend liable for any violation of RA 10175?
35
YES!
Data interference includes “the intentional or reckless alteration, damaging,
deletion or deterioration of computer data.” In the situation, even if you friend
lent you his/her flash drive in good faith (has no intentions to infect your
computer with a virus), it is still considered as recklessness in his/her part and it
also caused an “alteration”, or “deletion”, or even “deterioration” of data.
36
4. System Interference
□ The intentional alteration or reckless hindering or
interference with the functioning of a computer or
computer network by inputting, transmitting, damaging,
deleting, deteriorating, altering or suppressing
computer data or program, electronic document, or
electronic data message, without right or authority,
including the introduction or transmission of viruses
37
Explanation
▣ This is more or less an extension of the previous offense,
whereby the affected entity is not just data but the whole
system.
▣ The previous situation can also apply here if, instead of just
having the files “damaged” or “altered”, the whole computer
system went into error.
38
Example of Data / System Interference
▣ Cryptojacking or Cryptomining Malware
□ Refers to software programs and malware

components developed to take over a computer's
resources and use them for cryptocurrency mining
without a user's explicit permission.
□ There are reports that malware are now embedded on
certain websites to run on a visitor's computer.
39
▣ When you download through torrent sites like

“thepiratebay”, you basically give them the authority to use
your computer’s CPU (whether mobile or desktop) to
“mine” cryptocurrencies.
▣ This is one of the reasons why, in most cases, downloading a
lot of files can cause your computer to heat up. Your
computer’s CPU is being used to calculate and solve blocks
of encrypted data to mine cryptocurrencies.
40
▣ Website defacing
41
5. Misuse of Devices
□ The use, production, sale, procurement, distribution, or
otherwise making available, without right, of a device or
computer password designed primarily for the purpose
of committing any of the offenses under this Act;
□ The possession of an item referred to above.
42
Example of Misuse of Devices
▣ Use of Skimming Devices / Keyloggers
43
Example of Misuse of Devices
Use of Skimming Devices

□ Ivaylo Sashov Galapov was a
Bulgarian man arrested in
Pampanga, when the
security guards of BPI
Family Savings Bank
noticed him inserting ATM
cards in succession.
□ He was arrested for
violation of R.A. 8792 and Credits: ABS-CBN News Website
R.A. 10175.
44
6. Cyber-squatting
□ The acquisition of a domain name over the internet in bad faith
to profit, mislead, destroy reputation, and deprive others from
registering the same, if such a domain name is:
i. Similar, identical, to an existing trademark (…) at the time of
the domain name registration:
ii. Identical with the name of a person other than the registrant;
iii. Acquired without right or with intellectual property interests
in it.
45
▣ MikeRoweSoft
□ In January 2004, Mike Rowe was a grade 12 student who
operated a profitable web design business as a part time
job. He registered the website with the domain name
MikeRoweSoft.com.
□ Lawyers from Microsoft asked him to stop using the
website. Mike Rowe asked for $10,000 in return.
□ Microsoft said no and proceeded to filing a case against
him.
46
▣ MikeRoweSoft
□ Perhaps due to the stress that the whole process would
entail, not withstanding the fact that this legal process
would cost a lot of money, Mike Rowe decided to give
away the website.
□ News outlets reported that what he got in return was an
XBOX console.
□ But after some research, the following reddit thread
appears apparently from Mike Rowe himself.
47
▣ I found this on reddit, Mike Row had this to say:
48
▣ Ch. II. Sec 4 (b). Computer-Related Offense
7. Computer-Related Forgery
□ The input, alteration, or deletion of any computer data without
right resulting in inauthentic data with the intent that it be
considered or acted upon for legal purposes as if it were
authentic.
49
Example of Computer-Related Forgery
▣ Hacking into the iSLU portal to change your grade from 65

to 95.
□ This has no monetary value and is therefore considered
as “forgery” and not “fraud”.
50
8. Computer-Related Fraud
□ The unauthorized input, alteration, or deletion of computer data
or program or interference in the functioning of a computer
system, causing damage thereby with fraudulent intent.
51
Example of Computer-Related Fraud
The only difference between forgery and fraud, it is now

considered fraud instead of forgery if the damage incurred has
“monetary value”.
Some examples include:
▣ Hacking into a bank’s database and changing your account
balance from “Php 500” to “Php 5,000”.
▣ Asking people to send you “prepaid load”, as they
maliciously deceive you from believing that they are your
“relatives from abroad”.
52
9. Computer-Related Identity Theft

□ The intentional acquisition, use, misuse, transfer, possession,
alteration or deletion of identifying information belonging to
another, whether natural or juridical, without right.
53
Example of Computer-Related Identity Theft
▣ Fake profiles in Facebook, Instagram, and other websites.
□ There must be a use of “identifying information” which
includes pictures of another person and his/her other personal
details but not someone’s NAME.
□ This is because it is completely possible for anyone to have the
same name as another person, as well as for fan pages bearing
the name of another person.
□ If the intentions in the use of such profiles are for malicious
purposes, such as pretending to be the actual person even if
not, is already a violation of this law.
54
▣ Ch. II. Sec 4 (c). Content-Related Offense
10. Cybersex
□ The willful engagement, maintenance, control, or
operation, directly or indirectly, of any lascivious
exhibition of sexual organs or sexual activity, with the aid
of a computer system, for favor or consideration.
55
Guide Questions on RA 10175
▣ What if two individuals, who happen to be

partners in life, gave their consent to each other to
record any sexual act they are doing?
▣ Is this a case of cybersex?
56
NO!
Even if both partied consented, and even if these acts are publicly denounced,
they do not constitute to cybersex since the act is not done for “any favour or
consideration”. For the purposes of this law, there must be an element of
“engagement in business” for the act to be considered as prohibited.
57
11. Child Pornography
□ The unlawful or prohibited acts defined and punishable
by Republic Act No. 9775 or the Anti-Child Pornography
Act of 2009, committed through a computer system.
□ Any representation, whether visual, audio thereof, by
electronic, … , or any other means, of a child engaged or
involved in real or simulated explicit sexual activities.
58
▣ Are “hentai” clips considered as a violation if this law?
59
NO!
UNLESS: the hentai clip itself contains a character which is explicitly identified
as a minor. If so, the said material is prohibited and the creator / distributor of
the said material are liable for violations of this law.
60
12. Online Libel
□ Libel is the public and malicious imputation of a crime,
real or imaginary, or any act, omission, condition, status,
or circumstance tending to cause the dishonor, discredit,
or contempt of a natural or juridical person, or to blacken
the memory of one who is dead.
61
12. Online Libel
□ Elements of Libel:
1. Allegation of a discreditable act or condition
concerning another;
2. Publication of the charge;
3. Identity of the person defamed; and
4. Existence of malice.
62
▣ Consider the following post:

□ “Hoy Maria David! Ikaw malandi ka! Alam naman
ng lahat na kahit kanino pumapatol ka! Tuwing gabi
nasa park ka, kasama mo nanay mo! Magkano ba ang
rate natin ngayon? 500 hundred, tatlong oras? Ha?
Pokpok! Pokpok! Pokpok kayo ng nanay mo!”
63
▣ Is the person who posted it liable for any crime?
64
YES!
The statements in the post contains: 1. An allegation against Maria David; 2.
Publicized since it was posted in a social media site; 3. The identity of Maria
David was clear; 4. There was no doubt that the intentions were to defame
Maria David, including her mother.
All elements of libel are existent in this post.
65
▣ If you liked / reacted the said post, are you liable?
66
NO!
Liking or reacting may be a sign of approval to the said post, but no statement
was mentioned in anyway that makes any allegation towards Maria David.
Hence, the first element of libel is not present.
67
▣ If you shared the said post, are you liable?
68
NO!
The shared post might contain a message that is already established as libelous,
BUT the statements were not made by the person who shared it. Thus, the
person who shared the same post cannot be held liable.
69
▣ If you commented “OO NGA!”, are you liable?
70
NO!
Similar to liking or reacting, commenting “oo” is a sign of approval but is not a
statement that discredits or alleges Maria David. Thus, the person is not liable.
71
▣ If you commented “OO NGA! Pokpok talaga

kayong mag-ina!!” on the post, are you liable?
72
YES!
This statement is not merely an approval but also states an allegation towards
Maria David herself. Thus making the person liable for libel since the comment
can be seen publicly as well.
73
The concept of PRIVACY
Privacy under the civil code
The Right to Privacy
▣ This is the right of an individual "to be free

from unwarranted publicity, or to live
without unwarranted interference by the
public in matters in which the public is not
necessarily concerned.”
Guide Question
▣ Does the state (government) have the right to

disturb private individuals in their homes?
No!
The State recognizes the right of the people to be secure in their houses. No
one, not even the State, except "in case of overriding […] and only under the
stringent procedural safeguards," can disturb them in the privacy of their
homes.
77
Privacy in the Civil Code
Art. 26. of the Civil Code of the Philippines:

▣ Every person shall respect the dignity, personality,
privacy and peace of mind of his neighbors and other
persons.
Prohibited Acts under the Civil Code
1. Prying into the privacy of another's residence;

2. Meddling with or disturbing the private life or family
relations of another;
3. Intriguing to cause another to be alienated from his
friends;
4. Vexing or humiliating another on account of his
religious beliefs, lowly station in life, place of birth,
physical defect, or other personal condition.
Guide Question
(Hing vs Choachuy, 2013)
▣ May an individual install surveillance cameras on his own

property facing the property of another?
No!
A man’s house is his castle, where his right to privacy cannot be
denied or even restricted by others.
It includes any act of intrusion into, peeping or peering inquisitively
into the residence of another without the consent of the latter.
81
Privacy in the Civil Code
▣ On the installation of cameras:

▣ The installation of surveillance cameras, should not cover
places where there is reasonable expectation of privacy,
unless the consent of the individual, whose right to privacy
would be affected, was obtained.
Guide Question
▣ Does an employee / student have a reasonable

expectation of privacy in the workplace /
school?
Questions and Cases
According to a court decision, employees in

workplace have less or no expectation of
privacy. Similarly, students have less or no
expectation of privacy within school grounds.
Example Case
▣ Case: (Zulueta vs C.A., 1996)

□ Cecilia is the wife of Alfredo, a doctor of medicine.
□ Cecilia entered the clinic of her husband and in the
presence of witnesses, forcibly opened the drawers and
cabinet and took 157 documents consisting of private
correspondence between Dr. Martin and his alleged
paramours, greetings cards, cancelled checks, diaries, Dr.
Martin’s passport, and photographs.
□ The said items were used as evidence in legal separation
case.
Guide Question
▣ Was the right to privacy of Dr. Alfredo Martin violated?
Yes!
In the decision of the court: “A person, by contracting marriage, does
not shed his/her integrity or his right to privacy as an individual and
the constitutional protection is ever available to him or to her.”
87
Example Case
With respect to the legal separation case, what was the

decision of the court?
▣ The documents and papers are inadmissible as evidence.
▣ The Court said: “the intimacies between husband and wife do
not justify any one of them in breaking the drawers and
cabinets of the other and in ransacking them for any telltale
evidence of marital infidelity.”
Reasonable Expectation of Privacy
When does a person have a reasonable expectation of privacy?
1. When the person believes that one could undress in privacy

without being concerned that an image of him or her is being
taken;
2. When a reasonable person would believe that one’s private
area would not be visible regardless of whether the person is in
a public or private place.
Guide Question
Does a person have a reasonable expectation of

privacy inside a fitting room while, say, trying
out a set of clothes?
Yes!
A person would normally expect to change his or her clothes without
worrying about anyone who could see him / her.
In addition, a fitting room is properly secluded to ensure that no one
else can see what a person inside is doing. Thus, a person has a
reasonable expectation of privacy inside a fitting room
91
Photo and Video
Voyeurism Act of 2009
Republic Act 9995
Punishable Acts: R.A. 9995
1. The unconsented taking of a photo or video of a person or

group of persons engaged in a sexual act or any similar
activity, or capturing an image of the private area of a person,
under circumstances in which the said person has a
reasonable expectation of privacy;
2. The copying or reproduction of such photo or

video recording of the sexual act;
Punishable Acts
3. The selling or distribution of such photo or video recording;
3. The publication or broadcasting, whether in print or

broadcast media, or the showing of such sexual act or any
similar activity through VCD/DVD, the internet, cellular
phones, and other similar means or devices without the
written consent of the persons featured.
Guide Questions
The phrase “private area of a person” appears on the first

punishable act under R.A. 9995.
What does the “private area of a person” include?
Guide Questions
The “private area of a person” includes naked or

undergarment-clad genitals, pubic area, buttocks,
or the female breast.
Guide Question
Will one be liable for the non-commercial

(simply sharing without asking for money)
copying or reproduction of said photo or video?
Yes!
The mere copying or reproduction of said material will make one
liable under the law regardless of the reason or whether one profits or
not from such act. In fact, the mere showing of the material on one’s
cellphone would violate the law.
98
Guide Questions
If the persons in the photo knew and consented

to the video recording or taking of the photo; can
anyone reproduce, distribute, or broadcast it?
No!
The person merely consented to the taking of the photo or the video
recording and did not give written consent for its reproduction,
distribution, and broadcasting.
100
Penalty
The penalty for the commission of any of the said

prohibited acts would incur a penalty of:
3 years to 7 years imprisonment AND a fine of

Php 100,000.00 to Php 500,000.00
Data Privacy Act
Republic Act 10173
Data Privacy Act of 2012
1. Protects the privacy of individuals while ensuring free flow

of information to promote innovation and growth.
2. Regulates the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of personal
data.
3. Ensures that the Philippines complies with
international standards set for data protection.
Important Definitions
1. Personal Information Controller

▣ The individual, corporation, or body who decides what
to do with data.
2. Personal Information Processor
▣ One who processes data for a Personal Information
Controller. The PIP does not process information for
the PIP’s own purpose.
Important Definitions
3. Consent
▣ Where the data subject agrees to the collection and
processing of his personal data. The agreement must
inform:
□ purpose, nature, and extent of processing;
□ period of consent/instruction;
□ rights as a data subject
Definitions
4. Breach
▣ A security incident that:
□ Leads to unlawful or unauthorized processing of
personal, sensitive, or privileged information;
□ Compromises the availability, integrity, or
confidentiality of personal data.
What is Personal Information?
Personal Information Sensitive Personal Information

▣ Refers to any information or ▣ This is a type of personal
opinion about a particular information that may be used to
individual that can be used in harm or discriminate other
identifying a person. This people when mishandled. This
includes: include:
□ name □ race or ethnic origin;
□ address □ political opinions
□ phone number □ religious affiliations;
□ date of birth □ criminal record;
□ E-mail address □ biometric information.
Processing Personal Information
▣ The processing of personal information shall

be allowed and shall adhere to the following:
□ Principles of transparency;
□ Legitimate purpose; and
□ Proportionality
PRINCIPLE OF TRANSPARENCY
▣ The data subject must know:

□ The kind of personal data collected
□ How the personal data will be collected
□ Why personal data will be collected
▣ The data processing policies of the PIC must be known to
the data subject.
▣ The information to be provided to the data subject must be
in clear and plain language.
Legitimate Purpose Principle
▣ Data collected must be always be collected only for the

specific, explicit, and legitimate purposes of the PIC.
▣ Data that is not compatible with the purpose for which the
data was collected shall not be processed.
PRINCIPLE OF PROPORTIONALITY
▣ The processing of personal data should be limited to such

processing as is adequate, relevant, and not excessive in
relation to the purpose of the data processing.
▣ Efforts should be made to limit the processed data to the

minimum necessary.
PROCESSING SENSITIVE PERSONAL INFO.
1. The data subject has given his or her consent;

2. The processing of personal information is necessary and
is related to the fulfillment of a contract with the data
subject or in order to take steps at the request of the data
subject prior to entering into a contract;
3. The processing is necessary for compliance with a
legal obligation to which the personal information
controller is subject;
PROCESSING SENSITIVE PERSONAL INFO.
4. The processing is necessary to protect vitally important

interests of the data subject, including life and health;
5. The processing is necessary in order to respond to national
emergency, to comply with the requirements of public order
and safety, or to fulfill functions of public authority (…); or
6. The processing is necessary for the purposes of the
legitimate interests pursued by the personal information
controller (…), except where such interests are overridden by
fundamental rights and freedoms of the data subject (…).
Rights of the Data Subject
1. Right to be informed.
2. Right to object.
3. Right to access.
4. Right to rectification.
5. Right to erasure or blocking.
6. Right to damages.
7. Right to data portability.
8. Right to file a complaint.
1. Right to be Informed
▣ This is the right to be informed that your personal data shall

be, are being, or have been processed, including the existence
of automated decision-making and profiling
▣ The disclosure must be made before the entry of the data
into the processing system or at the next practical
opportunity
2. Right to Object
▣ The right to object to the processing of personal data,

including processing for direct marketing, automated
processing, or profiling.
□ If you do not want to share any information, or you do not want
any other person to collect information from you, then you have
the right to say NO.
▣ This includes the right to be given an opportunity to withhold
consent to the processing in case of any changes or any
amendment to the information supplied or declared.
2. Right to Object
There are several exceptions where you cannot invoke

your right to object:
□ Personal data is needed pursuant to a subpoena issued by a

court.
□ Processing is necessary for or related to a contract or service to
which the data subject is a party;
□ Information is being processed as a result of a legal obligation.
3. Right to Access
▣ The right to find out whether a PIC holds any personal

data about you.
▣ The right to reasonable access to personal data that were
processed, sources of personal data, names and addresses of
recipients, manner/method of processing, information on
automated process, date when personal data was last accessed
and modified, designation, name or identity, and address of
the PIC
4. RIGHT TO RECTIFICATION
▣ This involves the right to dispute the inaccuracy or error in

the personal data and have the PIC correct it immediately.
▣ It also includes access to new and retracted information, and
simultaneous receipt thereof.
▣ Recipients previously given erroneous data must be
informed of inaccuracy and rectification upon reasonable
request of the data subject.
5. RIGHT TO ERASURE OR BLOCKING
▣ This is the right to suspend, withdraw, or

order the blocking, removal, or destruction of
his or her personal information from the
personal information controller’s filing system
5. RIGHT TO ERASURE OR BLOCKING
The right to erase or block can be invoked in the

following circumstances:
□ There are data which are incomplete, outdated, false, or
unlawfully obtained.
□ The data was used for unauthorized purposes.
□ The data is no longer necessary for purposes of
collection.
□ The processing of data was found to be unlawful.
□ The PIC or PIP violated the rights of the data subject.
6. RIGHT TO DAMAGES
▣ This is the right to be indemnified (receive

compensation) for any damages sustained due to
inaccurate, incomplete, outdated, false, unlawfully
obtained, or unauthorized use of personal data.
□ If there are circumstances where you discovered

that your personal data was mishandled, you have
the right to ask for compensation for the damage it
has caused you.
7. RIGHT TO DATA PORTABILITY
▣ The right to obtain a copy of data undergoing processing in

an electronic or structured format, commonly used, and
allows for further use by the data subject.
▣ Takes into account the right to have control over personal
data being processed based on consent, contract, for
commercial purposes, or through automated means.
8. RIGHT TO FILE A COMPLAINT
▣ In circumstances wherein the PIC or the PIP has breached the

privacy of the data subject, a complaint may be filed through
complaints@privacy.gov.ph
▣ National Privacy Commission – Government agency

responsible for implementing R.A. 10173.
Questions and Cases
May a teacher/professor search the

contents of a student’s cellular phone?
No!
Any search through a student’s cellular phone without justification
under a law or regulation is UNLAWFUL, and may be considered as
unauthorized processing of data.
126
Questions and Cases
However, there are exceptions:
▣ If it was done with student’s consent ( except if the

student is a minor.)
▣ If it is required by the student’s life and health, or by
national emergency.
Questions and Cases
Is an implied (indirect) form of

consent valid?
An example of this is the following paragraph that appears in
several websites:
▣ “By continuing to avail of xxx products and services:, you explicitly
authorize xxx, its employees, duly authorized representatives, related
companies and third-party service providers, to use, process and
share personal data needed in the administration of your xxx”
No!
Consent under the Data Privacy Act has three requirements, none of which are
seen in an implied consent:
Consent must be freely given;
Details about what consent is being asked must be specific.
And there must be an informed indication of will.
129
Guide Questions
Are handwritten signatures

considered sensitive personal
information?
No!
It is possible that one may share a similar signature as another person.
Moreover, some signatures do not, in any way, show signs of identity
of a person. Nonetheless, these may be considered personal
information when used to identify an individual such as a signature
affixed on the name of a person.
131
Guide Questions
Are usernames, password, IP and MAC address,

location cookies and birthday (month and day
only) are considered personal information?
Yes*!
*Only when they are combined with other pieces of information that
may allow an individual to be distinguished from others.
Remember that a username, say “iloveyou3000”, does not identify
any particular person unless it is combined with other information.
133
Guide Questions
In addition:
▣ There are a lot of people who share the same birthday as
others. This makes it impossible to use birthdays to identify
any person.
▣ IP addresses alone cannot identify who a person is because it
is possible that two or more people make use of a single
computer / server.
Prohibited Acts: R.A. 10173
1. Unauthorized processing of personal information

and sensitive personal information.
▣ Process (sensitive) personal information without the consent
of the data subject or without being authorized under the
Data Privacy Act or any other law.
2. Accessing personal information and sensitive
personal information due to negligence.
▣ Provided access to (sensitive) personal information due to
negligence or was unauthorized under the Data Privacy Act or
any existing law.
3. Improper disposal of (sensitive) personal

information.
▣ Negligently dispose, discard or abandon the (sensitive) personal
information of an individual in an area accessible to the public
or placed the (sensitive) personal information of an individual
in a container for trash collection.
4. Processing of personal information and sensitive
personal information for unauthorized purposes.
▣ Process personal information for purposes not
authorized by the data subject or not otherwise
authorized by the Data Privacy Act or under existing
laws.
5. Unauthorized access or intentional breach.

▣ Knowingly and unlawfully violate data confidentiality and
security data systems where personal and sensitive personal
information is stored.
6. Malicious disclosure.
▣ Discloses to a third party unwarranted or false
information with malice or in bad faith relative to any
(sensitive) personal information obtained by such PIC or PIP.

GIT Lecture 9 - Cybercrime Laws in The Philippines

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GIT Lecture 9 - Cybercrime Laws in The Philippines

Uploaded by

Copyright:

Available Formats

Cybercrime Laws

On the year 2000,

▣ The worm spread to e-mail accounts across the globe,

▣ Q 1.1: Upon the arrest of Onel De Guzman,

▣ A serious threat was exposed due to Onel De Guzman’s

▣ R.A. 8792 is an act providing for the recognition and use of

▣ Ch. II. Sec 6. Legal Recognition of Data Messages.

□ Information shall not be denied legal effect, validity or

▣ Ch. II. Sec 6. Legal Recognition of Data Messages.

□ This provision gives text messages, e-mails, or any other

▣ Ch. II. Sec 7. Legal Recognition of Electronic Documents.

□ Electronic documents shall have the legal effect, validity

▣ Ch. II. Sec 7. Legal Recognition of Electronic Documents.

□ This provision gives softcopy of documents, the same

□ In order for anyone to be prosecuted for having performed

□ Minimum fine of One Hundred Thousand Pesos (Php

▣ Does connecting to an open WiFi Network (WiFi

▣ R.A. 10175 is an act that adopts sufficient powers to

Three Types of Cybercrimes

▣ Does connecting to an open WiFi Network (WiFi

▣ Cryptojacking or Cryptomining Malware

□ Refers to software programs and malware

▣ When you download through torrent sites like

▣ Use of Skimming Devices / Keyloggers

Use of Skimming Devices

▣ I found this on reddit, Mike Row had this to say:

▣ Hacking into the iSLU portal to change your grade from 65

The only difference between forgery and fraud, it is now

9. Computer-Related Identity Theft

▣ What if two individuals, who happen to be

▣ Are “hentai” clips considered as a violation if this law?

▣ Consider the following post:

▣ Is the person who posted it liable for any crime?

▣ If you liked / reacted the said post, are you liable?

▣ If you shared the said post, are you liable?

▣ If you commented “OO NGA!”, are you liable?

▣ If you commented “OO NGA! Pokpok talaga

▣ This is the right of an individual "to be free

▣ Does the state (government) have the right to

Art. 26. of the Civil Code of the Philippines:

1. Prying into the privacy of another's residence;

(Hing vs Choachuy, 2013)

▣ May an individual install surveillance cameras on his own

▣ On the installation of cameras:

▣ Does an employee / student have a reasonable

According to a court decision, employees in

▣ Case: (Zulueta vs C.A., 1996)

▣ Was the right to privacy of Dr. Alfredo Martin violated?

With respect to the legal separation case, what was the

When does a person have a reasonable expectation of privacy?

1. When the person believes that one could undress in privacy

Does a person have a reasonable expectation of

1. The unconsented taking of a photo or video of a person or

2. The copying or reproduction of such photo or

3. The selling or distribution of such photo or video recording;

3. The publication or broadcasting, whether in print or

The phrase “private area of a person” appears on the first

What does the “private area of a person” include?

The “private area of a person” includes naked or

Will one be liable for the non-commercial

If the persons in the photo knew and consented

The penalty for the commission of any of the said

3 years to 7 years imprisonment AND a fine of