Living in the Information Technology Era

Week 8-9
Learning Objectives:
1. Identify privacy issues associated with information technology;
2. Identify ethical issues associated with information technology;
3. Provide students the necessary knowledge for safe digital communication; and
4. Engage students in real-world problems by collaborating with others.

Technologies’ Impact on Privacy

The Right to Privacy in the Philippines

The Facts:
Mr. A has this estafa case and the case reached the Supreme Court.
Unfortunately, he lost the case. As we all know, when a case reaches the Supreme
Court, the same is published in every website discussing Philippine jurisprudence. Now,
every time someone key-in his name in the web search engines, the estafa case is
displayed as one of its results. Due to such, Mr. A suffered humiliation and
embarrassment from people, who chanced upon such search result of his name.
Because of this, he wants his name be removed from such websites and he therefore
invokes his Constitutional right to privacy.

The Issue:
Can a person request that his name be removed from such websites pertaining to
Supreme Court decided cases as the same is a violation of his right to privacy? Why?
Why not?

The Answer:
1
Living in the Information Technology Era

No. A person cannot ask for such removal as the same does not constitute as a
violation of his right to privacy.

The Philippines has no specific law on privacy. However, the 1987 Constitution tried to
provide under its

Article III (Bill of Rights) provisions for the right to privacy, namely:
Section 2. The right of the people to be secure in their persons, houses, papers,
and effects against unreasonable searches and seizures of whatever nature and
for any purpose shall be inviolable, and no search warrant or warrant of arrest
shall issue except upon probable cause to be determined personally by the judge
after examination under oath or affirmation of the complainant and the witnesses
he may produce, and particularly describing the place to be searched and the
persons or things to be seized.

Section 3. (1) The privacy of communication and correspondence shall be

inviolable except upon lawful order of the court, or when public safety or order
requires otherwise, as prescribed by law.
(2) Any evidence obtained in violation of this or the preceding section shall be
inadmissible for any purpose in any proceeding.

Basically, we can draw out what the Constitution guarantees, as with regard to
right to privacy, are the rights against unreasonable searches and seizures; and the
privacy of communication and correspondence. The situation brought up by such facts
neither falls in the said classification.

Note also that under Section 7, Article III of the Constitution, the right of the
people to information on matters of public concern shall be recognized. A citizen has the
right to access to official records, and to documents and papers pertaining to official

2
Living in the Information Technology Era

acts, transactions, or decisions, subject to the limitations provided by law. Hence, the
case being jurisprudence, one has the right to access such information.

Given the situation, a person cannot invoke that his right to privacy has been
violated because of the publication of his name along with the case he was in as the
right to privacy does not prohibit the publication of matter which is of public or general
interest.

The National Identification System

It‘s been two decades since the government first initiated the establishment of a
national ID system.

In 1996, then President Fidel Ramos issued Administrative Order No. 308
adopting a National Computerized Identification System.

Unfortunately, the order was declared unconstitutional by the Supreme Court. In

striking down A.O. 308, the Supreme Court emphasized that the Court is not per se
against the use of computers to accumulate, store, process, retrieve and transmit data
to improve our bureaucracy. The Supreme Court also emphasized that the right to
privacy does not bar all incursions into the right to individual privacy. This right merely
requires that the law be narrowly focused and a compelling interest justify such
intrusions. Intrusions into the right must be accompanied by proper safeguards and
well-defined standards to prevent unconstitutional invasions.

The right to privacy is a constitutional right, granted recognition independently of

its identification with liberty. It is recognized and enshrined in several provisions of our
Constitution, specifically in Sections 1, 2, 3 (1), 6, 8 and 17 of the Bill of Rights. Zones
of privacy are also recognized and protected in our laws, including certain provisions of

3
Living in the Information Technology Era

the Civil Code and the Revised Penal Code, as well as in special laws (e.g., Anti-
Wiretapping Law, the Secrecy of Bank Deposit Act and the Intellectual Property Code).

The right to privacy is a fundamental right guaranteed by the Constitution.

Therefore, it is the burden of government to show that A.O. 308 is justified by some
compelling state interest and that it is narrowly drawn. The government failed to
discharge this burden.

A.O. 308 is predicated on two considerations: (1) the need to provide our citizens
and foreigners with the facility to conveniently transact business with basic service and
social security providers and other government instrumentalities and (2) the need to
reduce, if not totally eradicate, fraudulent transactions and misrepresentations by
persons seeking basic services. While it is debatable whether these interests are
compelling enough to warrant the issuance of A.O. 308, it is not arguable that the
broadness, the vagueness, the overbreadth of A.O. 308, if implemented, will put our
people‘s right to privacy in clear and present danger.
The heart of A.O. 308 lies in its Section 4 which provides for a Population Reference
Number (PRN) as a ―common reference number to establish a linkage among
concerned agencies‖ through the use of ―Biometrics Technology‖ and ―computer
application designs.‖ Biometry or biometrics is ―the science of the application of
statistical methods to biological facts; a mathematical analysis of biological data.‖ The
methods or forms of biological encoding include finger-scanning and retinal scanning,
as well as the method known as the ―artificial nose‖ and the thermogram. A.O. 308 does
not state what specific biological characteristics and what particular biometrics
technology shall be used.

Moreover, A.O. 308 does not state whether encoding of data is limited to
biological information alone for identification purposes. The Solicitor General‘s claim
that the adoption of the Identification Reference System will contribute to the

4
Living in the Information Technology Era

―generation of population data for development planning‖ is an admission that the PRN
will not be used solely for identification but for the generation of other data with remote
relation to the avowed purposes of A.O. 308. The computer linkage gives other
government agencies access to the information, but there are no controls to guard
against leakage of information. When the access code of the control programs of the
particular computer system is broken, an intruder, without fear of sanction or penalty,
can make use of the data for whatever purpose, or worse, manipulate the data stored
within the system.

A.O. 308 falls short of assuring that personal information which will be gathered
about our people will only be processed for unequivocally specified purposes. The lack
of proper safeguards in this regard of A.O. 308 may interfere with the individual‘s liberty
of abode and travel by enabling authorities to track down his movement; it may also
enable unscrupulous persons to access confidential information and circumvent the
right against self-incrimination; it may pave the way for ―fishing expeditions‖ by
government authorities and evade the right against unreasonable searches and
seizures. The possibilities of abuse and misuse of the PRN, biometrics and computer
technology are accentuated when we consider that the individual lacks control over
what can be read or placed on his ID, much less verify the correctness of the data
encoded. They threaten the very abuses that the Bill of Rights seeks to prevent.

Identity Theft in the Philippines

Today, personal information is captured, processed, and disseminated in a bewildering
variety of ways, and through increasingly sophisticated, miniaturized, and distributed
technologies: identity cards, biometrics, video surveillance, the use of cookies and
spyware by websites, data mining and profiling, and many others.

5
Living in the Information Technology Era

Identity theft is the deliberate use of someone else's identity, usually as a method to
gain a financial advantage or obtain credit and other benefits in the other person's
name, and perhaps to the other person's disadvantage or loss.

In the Philippines, many syndicated groups used skimming machine to perform

such acts. ATM skimming is like identity theft for debit cards: Thieves use hidden
electronics to steal the personal information stored on your card and record your PIN
number to access all that hard-earned cash in your account. That's why skimming takes
two separate components to work. The first part is the skimmer itself, a card reader
placed over the ATM's real card slot. When you slide your card into the ATM, you're
unwittingly sliding it through the counterfeit reader, which scans and stores all the
information on the magnetic strip. However, to gain full access to your bank account on
an ATM, the thieves still need your PIN number. That's where cameras come in - hidden
on or near the ATMs, tiny spy cameras are positioned to get a clear view of the keypad
and record all the ATM's PIN action. Always pay attention to objects mounted on the
ATM or located close by. A pinhole or off-color piece of plastic could give away the
camera's hiding place. Cameras could even be hidden in brochure racks.
Some ATM skimming schemes employ fake keypads in lieu of cameras to capture PIN
numbers. Just like the card skimmers fit over the ATM's true card slot, skimming
keypads are designed to mimic the keypad's design and fit over it like a glove. If you
notice that the keypad on your ATM seems to protrude oddly from the surface around it,
or if you spy an odd color change between the pad and the rest of the ATM, it could be
a fake.

The Blogger’s Freedom of Expression and the Libel Law

Scope of the Freedom of Expression

Article III (Bill of Rights) Section 4 of the 1987 Philippine Constitution provides
that ―No law shall be passed abridging the freedom of speech, of expression, or of the

6
Living in the Information Technology Era

press, or the right of the people peaceably to assemble and petition the government for
redress of grievances.‖ In addition, to protect the rights of people having an adverse
political beliefs and aspirations, Article III Section 18 (1) further provides ―No person
shall be detained solely by reason of his political beliefs and aspirations.‖

From the two constitutional provisions mentioned earlier, it is clear that the
elements of freedom of expression are the freedom from prior restraint or censorship
and freedom from subsequent punishment.

Defamation Laws in the Philippines

Under Article 353 of the Revised Penal Code of the Philippines, libel is defined
as a public and malicious imputation of a crime, or of a vice or defect, real or imaginary,
or any act, omission, condition, status or circumstance tending to discredit or cause the
dishonor or contempt of a natural or juridical person, or to blacken the memory of one
who is dead. Thus, the elements of libel are: (a) imputation of a discreditable act or
condition to another; (b) publication of the imputation; (c) identity of the person
defamed; and, (d) existence of malice. [Daez v. Court of Appeals, G.R. No. 47971, 31
October 1990, 191 SCRA 61, 67]

In libel cases, the question is not what the writer of an alleged libel means, but
what the words used by him mean. Jurisprudence has laid down a test to determine the
defamatory character of words used in the following manner, viz:

―Words calculated to induce suspicion are sometimes more effective to destroy

reputation than false charges directly made. Ironical and metaphorical language is a
favored vehicle for slander. A charge is sufficient if the words are calculated to induce
the hearers to suppose and understand that the person or persons against whom they
were uttered were guilty of certain offenses, or are sufficient to impeach their honesty,
virtue, or reputation, or to hold the person or persons up to public ridicule. . . . ‖ [Lacsa

7
Living in the Information Technology Era

v. Intermediate Appellate Court, 161 SCRA 427 (1988) citing U.S. v. O‘Connell, 37 Phil.
767 (1918)]

An allegation is considered defamatory if it ascribes to a person the commission

of a crime, the possession of a vice or defect, real or imaginary, or any act, omission,
condition, status or circumstances which tends to dishonor or discredit or put him in
contempt, or which tends to blacken the memory of one who is dead.

There is publication if the material is communicated to a third person. It is not

required that the person defamed has read or heard about the libelous remark. What is
material is that a third person has read or heard the libelous statement, for ―a man‘s
reputation is the estimate in which others hold him in, not the good opinion which he has
of himself.‖ [Alonzo v. Court of Appeals, 241 SCRA 51 (1995)]

On the other hand, to satisfy the element of identifiability, it must be shown that
at least a third person or a stranger was able to identify him as the object of the
defamatory statement. In the case of Corpus vs. Cuaderno, Sr. (16 SCRA 807) the
Supreme Court ruled that ―in order to maintain a libel suit, it is essential that the victim
be identifiable (People vs. Monton, L-16772, November 30, 1962), although it is not
necessary that he be named (19 A.L.R. 116).‖ In an earlier case, the high court also
declared that‖ … defamatory matter which does not reveal the identity of the person
upon whom the imputation is cast, affords no ground of action unless it be shown that
the readers of the libel could have identified the personality of the individual defamed.‖
(Kunkle vs. Cablenews-American and Lyons 42 Phil. 760).

This principle has been recognized to be of vital importance, especially where a

group or class of persons, as in the case at bar, claim to have been defamed, for it is
evident that the larger the collectivity, the more difficult it is for the individual member to
prove that the defamatory remarks apply to him. (Cf. 70 ALR 2d. 1384).

8
Living in the Information Technology Era

Presumption of Malice:
The law also presumes that malice is present in every defamatory imputation. Thus,
Article 354 of the Revised

Penal Code provides that:

―Every defamatory imputation is presumed to be malicious, even if it be true, if no good
intention and justifiable motive for making it is shown, except in the following cases:
1. A private communication made by any person to another in the performance of
any legal, moral or social duty; and
2. A fair and true report, made in good faith, without any comments or remarks, of any
judicial, legislative or other official proceedings which are not of confidential nature, or of
any statement, report or speech delivered in said proceedings, or of any other act
performed by public officers in the exercise of their functions.‖

Paragraph 2 aforequoted refers to a qualifiedly privileged communication, the

character of which is a matter of defense that may be lost by positive proof of express
malice on the part of the accused. Once it is established that the article is of a privileged
character, the onus of proving actual malice rests on the plaintiff who must then
convince the court that the offender was prompted by malice or ill will. When this is
accomplished the defense of privilege becomes unavailing. [Santos v. Court of Appeals,
No. L-45031, 21 October 1991, 203 SCRA 110, 114]

Prescinding from this provision, when the imputation is defamatory, as in this

case, the prosecution need not prove malice on the part of the defendant (malice in
fact), for the law already presumes that the defendant‘s imputation is malicious (malice
in law). The burden is on the side of the defendant to show good intention and justifiable
motive in order to overcome the legal inference of malice.

9
Living in the Information Technology Era

In order to constitute malice, ill will must be personal. So if the ill will is
engendered by one‘s sense of justice or other legitimate or plausible motive, such
feeling negatives actual malice. [Aquino, Ramon C., The Revised Penal Code, Vol. III,
Bk. II, 1997 Ed., citing People v. de los Reyes, Jr., 47 OG 3569]

It is established doctrine that the malice that attends the dissemination of the
article alleged to be libelous must attend the distribution itself. It cannot be merely a
resentment against a person, manifested unconnectedly several months earlier or one
displayed at a much later date.

How Committed:
Under Article 355 of the Revised Penal Code, libel may be committed by means
of writing, printing, lithography, engraving, radio, phonograph, painting, theatrical
exhibition, cinematographic exhibition, or any similar means.

Persons Responsible:
Any person who shall publish, exhibit, or cause the publication or exhibition of
any defamation in writing or by similar means, shall be responsible for the same. The
author or editor of a book or pamphlet, or the editor or business manager of a daily
newspaper, magazine or serial publication, shall be responsible for the defamations
contained therein to the same extent as if he were the author thereof.

Defenses:
In every criminal prosecution for libel, the truth may be given in evidence to the
court and if it appears that the matter charged as libelous is true, and, moreover, that it
was published with good motives and for justifiable ends, the defendants shall be
acquitted.

10
Living in the Information Technology Era

Proof of the truth of an imputation of an act or omission not constituting a crime

shall not be admitted, unless the imputation shall have been made against Government
employees with respect to facts related to the discharge of their official duties.

In such cases if the defendant proves the truth of the imputation made by him, he
shall be acquitted.

It is important to remember that any of the imputations covered by Article 353 is

defamatory and, under the general rule laid down in Article 354, every defamatory
imputation is presumed to be malicious, even if it be true; if no good intention and
justifiable motive for making it is shown. There is malice when the author of the
imputation is prompted by personal ill-will or spite and speaks not in response to duty
but merely to injure the reputation of the person who claims to have been defamed.
Truth then is not a defense, unless it is shown that the matter charged as libelous was
made with good motives and for justifiable ends.

Online Libel in the Philippines

The Supreme Court (SC) of the Philippines upheld the constitutionality of most parts of
the Cybercrime Prevention Act of 2012, including the contentious provision that
punishes online libel.

The execution of the law was suspended in October 2012 by a temporary

restraining order issued by the Supreme Court, following criticisms and protests among
the media and human rights advocates.

11
Living in the Information Technology Era

However, with this new ruling of the Supreme Court, a person or entity who posts
something (in words or pictures) — which can be proven false, and is intended to harm
the reputation of another by tending to bring the target into ridicule, hatred, scorn or
contempt of others — may be arrested, detained, and imprisoned because of libel.
Yes, in the Philippines, libel is still a criminal offense. It is defamation in its very
essence, but covers published work on print, television and other traditional media. The
same is now true for new media like the internet.

This online/internet libel law, however, punishes only the original author of the
post. Those who ―liked,‖ ―shared,‖ ―re-tweeted‖ or re-blogged a post will not be criminally
liable, unless the person added a comment that may deemed to be libelous by a
complainant.

Computer Hackers and the Cybercrime Law

The ILOVEYOU Virus

Where were you when the ILOVEYOU bug started spreading on May 4th, 2000?
Was your computer one of the tens of millions of PCs the Love Letter attacked?

Sixteen years ago, a young Filipino computer student made history by unleashing the
world‘s first global Internet-borne virus. Known as the Love Bug, the virus spread from
East to West in a single day, inflicting $5.5 billion in damages, corrupting files, and
shutting down computer systems at major corporations, newsrooms, Wall Street firms
and government offices across the world.

The worm arrived in people‘s email boxes with a provocative subject line, ―I
LOVE YOU: A love letter for you.‖ When recipients opened the attachment, ―LOVE-
LETTER-FOR-YOU.TXT.vbs,‖ they unwittingly infected their own computer with the self-
replicating worm as well as the computers of everyone in their contact list.

12
Living in the Information Technology Era

The author of the virus is believed to be Onel de Guzman, then 25, a student at
AMA Computer University in Makati.

What many people did not realize at the time was that de Guzman‘s original
intention for creating the worm was altruistic at its roots. In the Philippines, an hour‘s
worth of Internet access cost as much as half a day‘s wage: 100 pesos, the equivalent
of two dollars.

For his graduation thesis in computer science, de Guzman wrote a program that
would enable the average Filipino to get free Internet access by stealing passwords
from the rich. His school rejected his thesis because of its bandit nature, so he could not
graduate. Undeterred, de Guzman, with the help of friends, unleashed his virus the day
before the university held its graduation ceremony.

The Philippine authorities filed theft and other charges against Mr. de Guzman,
but dropped them in August because of insufficient evidence. The case against him was
weakened because at the time, the Philippines did not have laws governing computer
espionage.

Cybercrime Prevention Act of 2012 (Republic Act 10175)

The following are the punishable acts according to Chapter II of the Cybercrime
Prevention Act of 2012:

SEC. 4. Cybercrime Offenses. — The following acts constitute the offense of

cybercrime punishable under this Act:
(a) Offenses against the confidentiality, integrity and availability of
computer data and systems:

13
Living in the Information Technology Era

(1) Illegal Access. – The access to the whole or any part of a computer
system without right.

(2) Illegal Interception. – The interception made by technical means

without right of any non-public transmission of computer data to, from, or
within a computer system including electromagnetic emissions from a
computer system carrying such computer data.
(3) Data Interference. — The intentional or reckless alteration, damaging,
deletion or deterioration of computer data, electronic document, or
electronic data message, without right, including the introduction or
transmission of viruses.

(4) System Interference. — The intentional alteration or reckless hindering

or interference with the functioning of a computer or computer network by
inputting, transmitting, damaging, deleting, deteriorating, altering or
suppressing computer data or program, electronic document, or electronic
data message, without right or authority, including the introduction or
transmission of viruses.

(5) Misuse of Devices.

(i) The use, production, sale, procurement, importation, distribution,
or otherwise making available, without right, of:

(aa) A device, including a computer program, designed or

adapted primarily for the purpose of committing any of the
offenses under this Act; or
(bb) A computer password, access code, or similar data by
which the whole or any part of a computer system is capable

14
Living in the Information Technology Era

of being accessed with intent that it be used for the purpose

of committing any of the offenses under this Act.

(ii) The possession of an item referred to in paragraphs 5(i)(aa) or

(bb) above with intent to use said devices for the purpose of
committing any of the offenses under this section.

(6) Cyber-squatting. – The acquisition of a domain name over the internet

in bad faith to profit, mislead, destroy reputation, and deprive others from
registering the same, if such a domain name is:
(i) Similar, identical, or confusingly similar to an existing trademark
registered with the appropriate government agency at the time of
the domain name registration:

(ii) Identical or in any way similar with the name of a person other
than the registrant, in case of a personal name; and

(iii) Acquired without right or with intellectual property interests in it.

(b) Computer-related Offenses:

(1) Computer-related Forgery. —
(i) The input, alteration, or deletion of any computer data without
right resulting in inauthentic data with the intent that it be
considered or acted upon for legal purposes as if it were authentic,
regardless whether or not the data is directly readable and
intelligible; or

15
Living in the Information Technology Era

(ii) The act of knowingly using computer data which is the product
of computer-related forgery as defined herein, for the purpose of
perpetuating a fraudulent or dishonest design.

(2) Computer-related Fraud. — The unauthorized input, alteration, or

deletion of computer data or program or interference in the
functioning of a computer system, causing damage thereby with
fraudulent intent: Provided, That if no damage has yet been caused, the
penalty imposable shall be one (1) degree lower.

(3) Computer-related Identity Theft. – The intentional acquisition, use,

misuse, transfer, possession, alteration or deletion of identifying
information belonging to another, whether natural or juridical, without right:
Provided, That if no damage has yet been caused, the penalty
imposable shall be one (1) degree lower.

(c) Content-related Offenses:

(1) Cybersex. — The willful engagement, maintenance, control, or
operation, directly or indirectly, of any lascivious exhibition of sexual
organs or sexual activity, with the aid of a computer system, for favor or
consideration.

(2) Child Pornography. — The unlawful or prohibited acts defined and

punishable by Republic Act No. 9775 or the Anti-Child Pornography Act
of 2009, committed through a computer system: Provided, that the
penalty to be imposed shall be (1) one degree higher than that provided
for in Republic Act No. 9775.

16
Living in the Information Technology Era

(3) Unsolicited Commercial Communications. — The transmission of

commercial electronic communication with the use of computer
system which seek to advertise, sell, or offer for sale products and
services are prohibited unless:

(i) There is prior affirmative consent from the recipient; or

(ii) The primary intent of the communication is for service and/or
administrative announcements from the sender to its existing users,
subscribers or customers; or

(iii) The following conditions are present:

(aa) The commercial electronic communication contains a
simple, valid, and reliable way for the recipient to reject.
receipt of further commercial electronic messages (opt-out)
from the same source;
(bb) The commercial electronic communication does not
purposely disguise the source of the electronic message;
and
(cc) The commercial electronic communication does not
purposely include misleading information in any part of the
message in order to induce the recipients to read the
message.

(4) Libel. — The unlawful or prohibited acts of libel as defined in Article

355 of the Revised Penal Code, as amended, committed through a
computer system or any other similar means which may be devised in
the future.

SEC. 5. Other Offenses. — The following acts shall also constitute an offense:

17
Living in the Information Technology Era

(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who

willfully abets or aids in the commission of any of the offenses enumerated in
this Act shall be held liable.

(b) Attempt in the Commission of Cybercrime. — Any person who willfully

attempts to commit any of the offenses enumerated in this Act shall be held
liable.

The following are the punishment for such acts:

SEC. 8. Penalties. — Any person found guilty of any of the punishable acts
enumerated in Sections 4(a) and 4(b) of this Act shall be punished with imprisonment of
prison mayor or a fine of at least Two hundred thousand pesos (PhP200,000.00) up to a
maximum amount commensurate to the damage incurred or both.

Any person found guilty of the punishable act under Section 4(a)(5) shall be
punished with imprisonment of prison mayor or a fine of not more than Five hundred
thousand pesos (PhP500,000.00) or both.

If punishable acts in Section 4(a) are committed against critical infrastructure, the
penalty of reclusion temporal or a fine of at least Five hundred thousand pesos
(PhP500,000.00) up to maximum amount commensurate to the damage incurred or
both, shall be imposed.

Any person found guilty of any of the punishable acts enumerated in Section
4(c)(1) of this Act shall be punished with imprisonment of prison mayor or a fine of at
least Two hundred thousand pesos (PhP200,000.00) but not exceeding One million
pesos (PhP1,000,000.00) or both.

18
Living in the Information Technology Era

Any person found guilty of any of the punishable acts enumerated in Section
4(c)(2) of this Act shall be punished with the penalties as enumerated in Republic Act
No. 9775 or the ―Anti-Child Pornography Act of 2009‖: Provided, That the penalty to be
imposed shall be one (1) degree higher than that provided for in Republic Act No. 9775,
if committed through a computer system.

Any person found guilty of any of the punishable acts enumerated in Section
4(c)(3) shall be punished with imprisonment of arresto mayor or a fine of at least Fifty
thousand pesos (PhP50,000.00) but not exceeding Two hundred fifty thousand pesos
(PhP250,000.00) or both.

Any person found guilty of any of the punishable acts enumerated in Section 5
shall be punished with imprisonment one (1) degree lower than that of the prescribed
penalty for the offense or a fine of at least One hundred thousand pesos
(PhP100,000.00) but not exceeding Five hundred thousand pesos (PhP500,000.00) or
both.
---------------------------------------------------------------------------------------------------------------------
The Data Privacy Act (RA 10173):
What is The Data Privacy Act of the Philippines?

The Data Privacy Act (DPA), or Republic Act No. 10173 was passed by the Philippines
Congress in 2012 and finally implemented five years later in 2016. RA 10173 assures
the ―free flow of information to promote innovation and growth‖(Republic Act. No. 10173,
Ch. 1, Sec. 2) while protecting the users‘ fundamental rights to privacy.

How is it implemented?
RA 10173 protects and maintains the right of customers to confidentiality by setting a
legal list of rules for companies to regulate the collection, handling, and disposal of all
personal information.

19
Living in the Information Technology Era

Companies legally responsible for keeping their customers‘ data protected from third
parties or any form of misuse, internally or externally.

What does that mean for data collectors/companies?

The Act applies to any process of personal data by anyone in government or private
sectors.
All personal data must have legitimate reasons for collection as well as should be clear
to both parties giving and receiving information. With that being said, all collection must
be done with the customer the customers‘ proper consent.

All personal information used must also be relevant solely used for its intended and
state purposes. Companies must protect customer information from collection to proper
disposal, avoiding access from unauthorized parties.

What is “personal information?”

―‗Personal information‘‖ refers to any information, whether recorded in a material form or
not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put together with
other information would directly and certainly identify an individual‖ (Republic Act. No.
10173, Ch. 1, Sec. 3).

What is “sensitive personal information?”

―(1) About an individual‘s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;

(2) About an individual‘s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such

20
Living in the Information Technology Era

person, the disposal of such proceedings, or the sentence of any court in such
proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or cm-rent health records, licenses or its
denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept

classified.‖
(Republic Act. No. 10173, Ch. 1, Sec. ).

What is “consent?”

Consent of the data subject refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and processing of
personal information about and/or relating to him or her. Consent shall be evidenced by
written, electronic or recorded means. It may also be given on behalf of the data subject
by an agent specifically authorized by the data subject to do so (RA. No. 10173, Ch. 1,
Sec. 1).

What are the rights of the data subject?

The data subject or the individual sharing his/her personal information has to be
fully informed of several factors of the data collecting process. This list includes, but isn‘t
limited to:
(1) the reason for use
(2) methods for access
(3) the identity and contact details of the personal information controller
(4) how long the information will be stored for

21
Living in the Information Technology Era

(5) access to their rights.

What steps do I need to take in compliance with the Data Privacy Act?

Companies essentially have to ensure that their data collection methods are
flawless as well as consistently share the entire process with data subjects, including a
breach of security. To do this, companies should
1. Appointing a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection policy
5. Exercising a breach reporting procedure

What happens if I do not comply?

Improper/unauthorized processing, handling or disposal of personal information can be

penalized by imprisonment up to six years and a fine of not less than Five hundred
thousand pesos (PHP 500,000).

Sprout Solutions puts data privacy with the utmost priority and takes advanced
measures to maintain confidentiality in information handling.

-------------------------------------------------------------------------------------------------------------------
Case Study:
Cambridge Analytica Ltd (CA) was a British political consulting firm which
combined misappropriation of digital assets, data mining, data brokerage, and data
analysis with strategic communication during the electoral processes. It was started in
2013 as an offshoot of the SCL Group. After closing operations with legal proceedings
including bankruptcy, members of the SCL Group have been continuing operations

22
Living in the Information Technology Era

under the legal entity Emerdata Limited. The company closed operations in 2018 in the
course of the Facebook–Cambridge Analytica data scandal, although related firms still
exist

CA's data analysis methods were to a large degree based on the academic work of
Michal Kosinski. In 2008, Kosinski had joined the Psychometrics Centre of Cambridge
University where he then developed with his colleagues a profiling system using general
online data, Facebook-likes, and smartphone data. He showed that with a limited
number of "likes", people can be analysed better than friends or relatives can do and
that individual psychological targeting is a powerful tool to influence people.

CA would collect data on voters using sources such as demographics, consumer

behaviour, internet activity, and other public and private sources. According to The
Guardian, CA used psychological data derived from millions of Facebook users, largely
without users' permission or knowledge. Another source of information was the "Cruz
Crew" mobile app that tracked physical movements and contacts and according to
the Associated Press, invaded personal data more than previous presidential campaign
apps. Today in the United States we have somewhere close to four or five thousand
data points on every individual ... So, we model the personality of every adult across the
United States, some 230 million people.

— Alexander Nix, chief executive of Cambridge Analytica, October 2016.

The use of personal data collected without knowledge or permission to establish
sophisticated models of user's personalities raises ethical and privacy issues. CA
operated out of the United States; its operations would be illegal in Europe with its
stricter privacy laws. While Cruz was outspoken about protecting personal information
from the government, his database of CA has been described as "political-
voter surveillance".

23
Living in the Information Technology Era

Regarding CA's use of Facebook users, a speaker for CA indicated that these users
gave permission when signing up with the provider, while Facebook declared that
"misleading people or misusing information" is in violation of Facebook's policies. In
2015, Facebook indicated that it was investigating the matter. In March 2018, Facebook
announced that it had suspended the accounts of Strategic Communication
Laboratories for failing to delete data on Facebook users that had been improperly
collected

24