Professional Documents
Culture Documents
The Sim Registration Act of the Republic of the Philippines officially known as Republic Act No.
11934 and also known as SIM Card law became effective on 27th of December 2022 when it was
approved and signed into a law by President Ferdinand ‘Bongbong’ Marcos Jr. The then House Bill No.
14 was passed on the House of the Representative on 19th September 2022 whilst its Senate
counterpart, Senate Bill No. 1310 passed said upper house last 27th of September 2022.
There has already been numerous attempts to create a law in the congress for the registration
of sim card registrations with the latest unsuccessful attempt being vetoed by the President Rodrigo Roa
Duterte. According to Privacy International, the most likely reason for the veto was the expansion of the
original scope of the Bill which included the requirement of providing real names and phone numbers
There are 90 countries today where Sim Card registration is mandatory. Proponents of Sim Card
registration main justification for such measure has mainly focused on its law enforcement aspects,
specifically in combating crimes. However, such law also raises the concern of risks to data protection
and as such, individual’s right to privacy which is a basic human rights recognised by International Laws
The purpose of this study is to analyse the implications of the Sim Registration Act of the
Republic of the Philippines officially known as Republic Act No. 11934 as well as its Implementing Rules
and Regulations with regards to Data Protection that will be covered under this law, and in general the
protection of individual’s right to privacy. Another purpose of this study is to revisit similar laws enacted
1
https://privacyinternational.org/long-read/3018/timeline-sim-card-registration-laws
in other countries and their success rates in combating crimes as well as its effects on data protection
To have an organised study, the researcher has three main queries to be answered:
2. Whether or not the state can guarantee the safety of data privacy with the sim card
registration act
3. Revisiting the success rates of states with sim card registration laws
The research will focus on the implications of the Sim Registration Act of the Republic of the
Philippines officially known as Republic Act No. 11934 as well as its Implementing Rules and Regulations
with regards to Data Protection and Right to Privacy of those who will have to comply with said law.
The research will also provide an analysis of the implementation of the foreign counterparts of
the Sim Registration Act of the Republic of the Philippines again with regards to Data Protection and
The research aims tackle issues in implementation of Sim Registration laws (Philippine and
Foreign laws) in relation to the Right to Privacy with basis in Philippine and International laws.
This study aims to identify major legal issues that arise with Sim Registration laws to help
protect Right of Privacy and harmonise it with Sim Registration Act through relevant doctrines or
concepts within the Philippine jurisdiction and generally accepted principles of International Law with
End Users - refers to any existing subscriber or any individual or juridical entity which purchases a SIM
from the public telecommunications entities (PTEs), its agents, resellers or any entity 2
Public Telecommunications Entities (PTEs) - refers to any person, natural or juridical, government or
private, engaged in the provision of telecommunications services to the public for compensation, as
defined under Republic Act No. 7925, as amended, or the Public Telecommunications Policy Act of the
Philippines3
Post-paid subscription - refers to the subscription wherein service is provided by virtue of a prior
arrangement with a public telecommunications entity, and the end-user thereof is billed at the end of
Prepaid subscription - refers to the subscription wherein credit is purchased in advanced of service use.
The purchased credit is used to pay for mobile phone services at the point the service is accessed or
consumed. If there is no available credit, then access to the requested service is denied 5
Right to Privacy - The right to privacy encompasses the right to protect a person’s intimacy, identity,
(e) Reseller refers to a person, natural or juridical, who dispenses or sells a SIM to an end-user;
2
Republic Act No. 11934 Section 3
3
Ibid
4
Ibid
5
Ibid
6
https://www.humanrights.is/en/human-rights-education-project/human-rights-concepts-ideas-and-fora/
substantive-human-rights/the-right-to-privacy-and-family-life#:~:text=The%20right%20to%20privacy
%20encompasses,is%20not%20arbitrary%20or%20unlawful.
(f) SIM refers to a Subscriber Identity Module which is an embedded circuit that securely stores
International Mobile Subscriber Identity (IMSI) and related keys or an electronic equivalent thereof,
used to identify and authenticate subscribers on mobile devices, such as mobile phones and computers,
and other electronic devices. For purposes of this Act, this shall include e-SIMS and other variations
thereof; and
(g) Spoofing refers to the act of transmitting misleading or inaccurate information about the source of
the phone call or text message, with the intent to defraud, cause harm, or wrongfully obtain anything of
value.
Chapter II
Privacy as a Right
The right to privacy is a concept and tradition that is deeply rooted in the law. In the course of twelfth
and thirteenth centuries, the Latin word ‘ius’ expanded from originally ‘what is fair’ to the concept we
would recognise now as ‘right’. According to canonists, the ius which is the right derived from the
natural law that every and all human beings are all made in the image of God. As such, humans are free
to act, whether for good or bad reasons. According to Giovanni Pico della Mirandola, a Renaissance
philosopher and student of canon law in University of Bologna in 1477, ‘God fixed the nature of all other
things but left man alone to determine his own nature’, and that it is given to man ‘to have that which
he chooses and be that which he wills’. This freedom is called the ‘dignity of man’. 7 It is from this
freedom that one of the roots of privacy as a right can be traced from. This dignity of man was argued to
be universal regardless of religion or origin in the time of the Colonisation of the Americas by Spain
when canonists argued that native Americans should not be deprived of their autonomy and liberty
which arguably also includes privacy.8 Without privacy the concept of right, freedom, autonomy, and
liberty are incomplete the same way as right, freedom, autonomy, and liberty is threatened without
privacy. It can be said that privacy is inherent in dignity, freedom, autonomy, and liberty.
The right to Privacy is also recognised by the Common law. According to the Harvard Law Review 9,
‘individual shall have full protection in person and in property is a principle as old as the common law;
but it has been found necessary from time to time to define anew the exact nature and extent of such
7
James Griffin (2007). The Human Right to Privacy. San Diego Law Review, Volume 44, Issue 4. University of San
Diego – School of Law - https://core.ac.uk/download/pdf/225567428.pdf
8
James Griffin (2007). The Human Right to Privacy. San Diego Law Review, Volume 44, Issue 4 University of San
Diego – School of Law - https://core.ac.uk/download/pdf/225567428.pdf
9
Samuel D. Warren and Louis D. Brandeis (December 1890). Harvard Law Review Volume IV, No. 5 -
https://faculty.uml.edu//sgallagher/Brandeisprivacy.htm
protection’. As such, through the times, it has been necessary for the law also to evolve as new
developments in political, social, and economic scene arise. These evolutions are necessary to keep up
with the changing times. These evolutions carry with it the necessity to recognise new rights as laws
One of these rights is the right to privacy. A specific instance of development that led to the concept of
the right to privacy as a modern concept are the advent of publications. Harvard Law Review specifically
mentioned that
‘Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of
private and domestic life; and numerous mechanical devices threaten to make good the
prediction that "what is whispered in the closet shall be proclaimed from the house-tops." For
years there has been a feeling that the law must afford some remedy for the unauthorized
circulation of portraits of private persons; and the evil of invasion of privacy by the newspapers,
long keenly felt, has been but recently discussed by an able writer. The alleged facts of a
somewhat notorious case brought before an inferior tribunal in New York a few months ago,
directly involved the consideration of the right of circulating portraits; and the question whether
our law will recognize and protect the right to privacy in this and in other respects must soon
The Universal Declaration on Human Rights which was adopted by the United Nations General Assembly
on 10 December 1948. The said declaration guarantees individual human rights of everyone everywhere
in the globe. The right to privacy was not specifically worded in said declaration. However, its Article 12
is interpreted as the right to privacy. Article 12 Universal Declaration on Human Rights states
‘Article 12
10
Samuel D. Warren, and Louis D. Brandeis (December 1890). Harvard Law Review V. IV, No. 5 -
https://faculty.uml.edu//sgallagher/Brandeisprivacy.htm
No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the
The United Nations Human Rights Council has affirmed in its twentieth session ‘Affirms that the same
rights that people have offline must also be protected online, in particular freedom of expression, which
is applicable regardless of frontiers and through any media of one’s choice, in accordance with articles
19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political
Rights’.12 Said resolution might be the first United Nations Resolution affirming human rights in the
digital realm, declaring that human rights must be protected and promoted in the digital realm with the
Said resolution may ran in contrary in some jurisdictions where mass surveillance of private
communications of both online and mobile platforms are legislated. This raises the issue of the right to
In Philippine law, the concept of privacy may be seen in the 1987 Constitution, particularly in the Right
to due process14, Right against unreasonable searches and seizure15, the Right to privacy of
communication and Correspondence16, Liberty of abode17, the Right to and freedom of association18, and
exploitation of one’s person or from intrusion into one’s private activities in such a way as to cause
humiliation to a person’s ordinary sensibilities’20 as well as ‘the most comprehensive of rights and the
right most valued by civilized men’21. The Philippine Supreme Court also confirmed that the right to
privacy exists independently of its identification with liberty, and fully deserving of constitutional
protection.22
A Philippine law regarding privacy that can be related to Sim Card Registration Act is the Data Privacy Act
of 2012. Said law is applicable as protection to all types of personal information and to any natural and
b. Information about an individual who is or was performing service under contract for a
government institution that relates to the services performed, including the terms of the
contract, and the name of the individual given in the course of the performance of those
services;
c. Information relating to any discretionary benefit of a financial nature such as the granting of
a license or permit given by the government to an individual, including the name of the
e. Information necessary in order to carry out the functions of public authority which includes
the processing of personal data for the performance by the independent, central monetary
20
Hing v. Choachuy, Sr., G.R. No. 179736, June 26, 2013.
21
Morfe v. Mutuc, G.R. No. L-20387, supra note 1.
22
Ibid
23
Republic Act 10173 – Data Privacy Act of 2012 Section 4
authority and law enforcement and regulatory agencies of their constitutionally and
statutorily mandated functions. Nothing in this Act shall be construed as to have amended
or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act;
Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic
Act No. 9510, otherwise known as the Credit Information System Act (CISA);
f. Information necessary for banks and other financial institutions under the jurisdiction of the
Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the
accordance with the laws of those foreign jurisdictions, including any applicable data privacy
Certain safeguards of processing of personal are given, amongst which are that processing of personal
data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality24, collection must be for a declared, specified, and legitimate purpose25, personal data
shall be processed fairly and lawfully26, and that personal data shall not be retained longer than
necessary.27
Data Privacy Act of 2002 also penalises the following under its Chapter VIII 28
24
Implementing Rules and Regulations of Republic Act No. 10173, also known as the “data privacy act of 2012”
Section 18
25
Implementing Rules and Regulations of Republic Act No. 10173, also known as the “data privacy act of 2012”
Section 19
26
Implementing Rules and Regulations of Republic Act No. 10173, also known as the “data privacy act of 2012”
Section 19
27
Implementing Rules and Regulations of Republic Act No. 10173, also known as the “data privacy act of 2012”
Section 19
28
Republic Act 10173 – Data Privacy Act of 2012 Chapter VIII Sections 25-33
Section 25. Unauthorized Processing of Personal Information and Sensitive Personal
Information.
Section 26. Accessing Personal Information and Sensitive Personal Information Due to
Negligence.
Section 27. Improper Disposal of Personal Information and Sensitive Personal Information.
Section 28. Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes.
Majority of mobile phone users prefers pre-paid Sim Cards over post-paid. According to data of
GSMA2930, 73% of mobile subscriptions globally are pre-paid, with 94% in Africa, 87% in Central America,
79% in Asia, 68% in Southern America, 50% in Europe, and 21% in North America of pre-paid
subscription as opposed to post-paid. The difference with pre-paid to post-paid is that there is no pay
monthly contract with the operator that comes along usually with credit check and personal details for
billing purposes. Hence in pre-paid Sim card, such personal details are not needed.
29
Privacy International (2020). Sim Card Registration - https://privacyinternational.org/learn/sim-card-registration
30
Erdoo Yongo, and Ylannis Theodorou (2020). Access to Mobile Services and Proof of Identity 2020: The
Undisputed Linkages. Groupe Speciale Mobile Association (GSMA) -
https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2020/03/
Access_to_mobile_services_2020_Singles.pdf
According to Groupe Speciale Mobile Association (GSMA), more than 150 countries have required proof
of identity when registering a pre-paid SIM. There are different approaches for to said mandatory SIM
‘Capture and Store: Operators capture personal information upon the purchase of a pre-paid
SIM card and keep the records, sharing information with government agencies on demand. 81%
‘Capture and Share: Operators capture personal information and proactively share it with
government agencies or the regulator. 6% of countries with mandatory SIM registration laws
‘Capture and Validate: Operators capture personal information and validate it against a central
government database. 12% of countries with mandatory SIM registration laws use this
approach.’
Of the remaining countries without Sim Card Registration Laws, a number have considered enacting Sim
Card Registration Laws but eventually decided against it. Whilst official government’s detailed policy
assessments were not yet published, reports have pointed out to absence of evidence in providing
significant benefits to crime investigation as the key reason for rejecting the policy. The countries
involved includes the United Kingdom, Czech Republic, Romania, and New Zealand. 32
According to GSMA, only 59% of countries have a privacy and/or data protection framework in
coordination with their Sim Card laws. Without data protection framework, information from Sim Card
31
Privacy International (2020). Sim Card Registration - https://privacyinternational.org/learn/sim-card-registration
32
The Mandatory Registration of Prepaid SIM Card Users (White Paper) (2013). Groupe Speciale Mobile
Association (GSMA) - https://www.gsma.com/publicpolicy/wp-content/uploads/2013/11/GSMA_White-
Paper_Mandatory-Registration-of-Prepaid-SIM-Users_32pgWEBv3.pdf
users can be easily accessed with other private and public databases, with the possible effect of
governments making comprehensive profiles of individuals as well as enabling private entities and
organisations to a potential access to vast amount of data. In some jurisdictions, biometric registration is
incorporated with Sim Card Registrations such as fingerprints and facial recognition. 33
Through the resulting creation of an extensive database of user information from mandatory Sim
Registration, there is a risk added on individuals of being tracked or targeted and their data misused.
SIM registration takes away the user’s ability to communicate anonymously and certainly poses threat
to one’s right to privacy especially to vulnerable groups. Profiling individuals can result in several
consequences such as potentially matching an individual’s phone number with their voting preferences
or health data, thereby allowing governments to easily identify and target political opponents, for
example, or people living with HIV/AIDs. Pairing data with political activity might result in physical risks
for the people involved especially in countries with political tensions. Whilst communications
surveillance systems really do help a government improve national security, the same systems can
equally, and is likely in countries with political tensions, to enable the surveillance of human rights
By facilitating the creation of an extensive database of user information, mandatory SIM registration
places individuals at risk of being tracked or targeted, and having their private information misused. SIM
registration undermines the ability of users to communicate anonymously and one’s right to privacy.
This poses a threat to vulnerable groups, and facilitates surveillance by making tracking and monitoring
of users easier for law enforcement authorities. Mandatory SIM registration can enable profiling with
several consequences. An individual's phone number could potentially be matched with their voting
preferences or health data, enabling governments to identify and target political opponents, for
33
Privacy International (2020). Sim Card Registration - https://privacyinternational.org/learn/sim-card-registration
34
Privacy International (2020). Sim Card Registration - https://privacyinternational.org/learn/sim-card-registration
example, or people living with HIV/AIDs. In countries with political and ethnic tensions, pairing data with
political activity might result in physical risks for the people involved. Whilst communications
surveillance systems may help a government improve national security, they are also equally likely to
enable the surveillance of human rights defenders, political, immigrants, and other groups. 35
Another possible effect of SIM registration according to Privacy International is the potential for
discrimination and even exclusion from basic services. Sim registration may disproportionately
disadvantage the most marginalised groups and can have a discriminatory effect by excluding users from
accessing mobile networks as mobile phones are the most common form of accessing important
avenues such as banking and finance. An implication also is that there will be difficulty to register SIM
cards for those who do not or has difficulty acquiring identification documents. Another issue that may
arise is the given extra burdens that SIM registration places on telecommunications companies that may
35
Privacy International (2020). Sim Card Registration - https://privacyinternational.org/learn/sim-card-registration
36
Privacy International (2020). Sim Card Registration - https://privacyinternational.org/learn/sim-card-registration
Chapter III
Research Methodology
Research Design
To effectuate the objectives of this study, the researcher used the qualitative approach.
According to the University of Oxford, Qualitative Research is research that aims to ‘gather information
that might aim to understand the reasons why a behaviour occurs. Qualitative research uses method of
observation, among others.’ Qualitative methods, but are focused more on the meaning of different
aspects of people’s lives, and on their accounts of how they understand their own and others’ behaviour
and beliefs.37 Qualitative methodologies which will primarily be used in this study are observations, logs,
The researcher believes that Qualitative approach would provide the necessary in-depth
analysis and examine the legality and implications of the law in question.
37
https://www.ukri.org/about-us/esrc/what-is-social-science/qualitative-research/#:~:text=Qualitative
%20methods%20are%20scientific%2C%20but,and%20others'%20behaviour%20and%20beliefs.
38
Ibid
Data Gathering
This study is based on a Doctrinal Legal Research Method as a mode of collecting data. The
researcher would compose analysis of legal rights as well as rules found in found in Philippine laws and
generally accepted principles of International Law. The methodology aims to gather, organise, and
describe the Philippine Sim Registration Act along with its foreign counterparts and provide commentary
on its implementation with the relevant rights that may conflict with regards to its legality and
effectiveness. The researcher will conduct a critical qualitative analysis of legal materials to support a
hypothesis.
The researcher will aim to identify criticisms of the Sim Card registration laws with its possible
violations of the Right to Privacy as well as possible actions on how said right may be protected by
governments even if said laws are existing. The researcher would then make a conclusion as to whether
or not the law is violative of the Right to Privacy, on how to safeguard the Right to Privacy whether or
not such laws are effective, and to make a comparable analysis amongst Sim Card registration laws and
Research Instrument
The researcher would aim to use interviews, publications, journals, articles, relevant laws, interviews,
and public records as research instruments to facilitate this study, and draw a conclusion based on the
Data Gathered
The Universal Declaration on Human Rights which was adopted by the United Nations General Assembly
on 10 December 1948. The said declaration guarantees individual human rights of everyone everywhere
in the globe. The right to privacy was not specifically worded in said declaration. However, its Article 12
is interpreted as the right to privacy. Article 12 Universal Declaration on Human Rights states
‘Article 12
No one shall be subjected to arbitrary interference with his privacy, family, home or
correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the
39
United Nations General Assembly (1948). Universal Declaration of Human Rights -
https://www.un.org/en/about-us/universal-declaration-of-human-rights
The United Nations Human Rights Council has affirmed in its twentieth session ‘Affirms that the same
rights that people have offline must also be protected online, in particular freedom of expression, which
is applicable regardless of frontiers and through any media of one’s choice, in accordance with articles
19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political
Rights’.40 Said resolution might be the first United Nations Resolution affirming human rights in the
digital realm, declaring that human rights must be protected and promoted in the digital realm with the
Said resolution may ran in contrary in some jurisdictions where mass surveillance of private
communications of both online and mobile platforms are legislated. This raises the issue of the right to
The Philippine Supreme Court has already discussed collection of traffic data in the case of Gesini v.
Secretary of Justice42. The case arose out of challenge to the constitutionality of several provisions of the
Cybercrime Prevention Act of 2012, Act No. 10175. A specific provision which is challenged and is of
direct interest to this study is Section 12 of the Cybercrime Law which is about Collection of Real Time
Data.
Sec. 12. Real-Time Collection of Traffic Data. — Law enforcement authorities, with due cause,
shall be authorized to collect or record by technical or electronic means traffic data in real-time
40
United Nations Human Rights Council (2012). United Nations Human Rights Council Resolution ‘The promotion,
protection and enjoyment of human rights on the Internet’. A/HRC/20/L.13 -
https://documents-dds-ny.un.org/doc/UNDOC/LTD/G12/147/10/PDF/G1214710.pdf?OpenElement
41
Office of the High Commissioner for Human Rights (2013). The right to privacy in the digital age. Office of the
High Commissioner for Human Rights, Human Rights Council, United Nations -
https://www.ohchr.org/en/stories/2013/10/right-privacy-digital-age
42
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Traffic data refer only to the communication’s origin, destination, route, time, date, size,
All other data to be collected or seized or disclosed will require a court warrant.
Service providers are required to cooperate and assist law enforcement authorities in the
The court warrant required under this section shall only be issued or granted upon written
application and the examination under oath or affirmation of the applicant and the witnesses he
may produce and the showing: (1) that there are reasonable grounds to believe that any of the
committed; (2) that there are reasonable grounds to believe that evidence that will be obtained
is essential to the conviction of any person for, or to the solution of, or to the prevention of, any
such crimes; and (3) that there are no other means readily available for obtaining such evidence.
Said provision is feared to be violative of the Right to Privacy as it may be used as a way to curtail civil
liberties and may provide opportunities to official abuse by the state or its agents.
Petitioners assail the grant to law enforcement agencies of the power to collect or record traffic
data in real time as tending to curtail civil liberties or provide opportunities for official abuse.
They claim that data showing where digital messages come from, what kind they are, and where
they are destined need not be incriminating to their senders or recipients before they are to be
protected. Petitioners invoke the right of every individual to privacy and to be protected from
government snooping into the messages or information that they send to one another. 43
The court in tackling the issue first confirmed whether there is a compelling state interest arising from a
proper government purpose on which said provision may be grounded from. The court found that there
43
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
is indeed a compelling interest for the state to enact Cybercrime law to put order in cyberspace. Such,
for the state to do it, he government should be able to monitor traffic data.
The first question is whether or not Section 12 has a proper governmental purpose since a law
may require the disclosure of matters normally considered private but then only upon showing
that such requirement has a rational relation to the purpose of the law, that there is a
compelling State interest behind the law, and that the provision itself is narrowly drawn. In
assessing regulations affecting privacy rights, courts should balance the legitimate concerns of
Undoubtedly, the State has a compelling interest in enacting the cybercrime law for there is a
need to put order to the tremendous activities in cyberspace for public good. To do this, it is
within the realm of reason that the government should be able to monitor traffic data to
Chapter IV of the cybercrime law, of which the collection or recording of traffic data is a part,
aims to provide law enforcement authorities with the power they need for spotting, preventing,
Chief Justice Sereno points out, the Budapest Convention on Cybercrimes requires signatory
countries to adopt legislative measures to empower state authorities to collect or record "traffic
data, in real time, associated with specified communications." And this is precisely what Section
12 does. It empowers law enforcement agencies in this country to collect or record such data. 46
The court then tackled the issue of the process of collection of data can certainly lead to violations of
44
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
45
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
46
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
But is not evidence of yesterday’s traffic data, like the scene of the crime after it has been
committed, adequate for fighting cybercrimes and, therefore, real-time data is superfluous for
that purpose? Evidently, it is not. Those who commit the crimes of accessing a computer system
without right, transmitting viruses, lasciviously exhibiting sexual organs or sexual activity for
favor or consideration; and producing child pornography could easily evade detection and
prosecution by simply moving the physical location of their computers or laptops from day to
day. In this digital age, the wicked can commit cybercrimes from virtually anywhere: from
internet cafés, from kindred places that provide free internet services, and from unregistered
mobile internet connectors. Criminals using cellphones under pre-paid arrangements and with
unregistered SIM cards do not have listed addresses and can neither be located nor identified.
There are many ways the cyber criminals can quickly erase their tracks. Those who peddle child
pornography could use relays of computers to mislead law enforcement authorities regarding
their places of operations. Evidently, it is only real-time traffic data collection or recording and a
subsequent recourse to court-issued search and seizure warrant that can succeed in ferreting
them out.47
Petitioners of course point out that the provisions of Section 12 are too broad and do not
provide ample safeguards against crossing legal boundaries and invading the people’s right to
privacy. The concern is understandable. Indeed, the Court recognizes in Morfe v. Mutuc that
governmental powers may not intrude, and that there exists an independent constitutional right
of privacy. Such right to be left alone has been regarded as the beginning of all freedoms. 48
47
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
48
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
The court then next discussed the Right to Privacy along with specifics of data transmission in the
cyberspace.
But that right is not unqualified. In Whalen v. Roe, the United States Supreme Court classified
privacy into two categories: decisional privacy and informational privacy. Decisional privacy
involves the right to independence in making certain important decisions, while informational
privacy refers to the interest in avoiding disclosure of personal matters. It is the latter right—the
Informational privacy has two aspects: the right not to have private information disclosed, and
the right to live freely without surveillance and intrusion. In determining whether or not a
matter is entitled to the right to privacy, this Court has laid down a two-fold test. The first is a
subjective test, where one claiming the right must have an actual or legitimate expectation of
privacy over a certain matter. The second is an objective test, where his or her expectation of
Since the validity of the cybercrime law is being challenged, not in relation to its application to a
particular person or group, petitioners’ challenge to Section 12 applies to all information and
communications technology (ICT) users, meaning the large segment of the population who use
all sorts of electronic devices to communicate with one another. Consequently, the expectation
of privacy is to be measured from the general public’s point of view. Without reasonable
49
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
50
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
51
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
As the Solicitor General points out, an ordinary ICT user who courses his communication through
a service provider, must of necessity disclose to the latter, a third person, the traffic data
needed for connecting him to the recipient ICT user. For example, an ICT user who writes a text
message intended for another ICT user must furnish his service provider with his cellphone
number and the cellphone number of his recipient, accompanying the message sent. It is this
information that creates the traffic data. Transmitting communications is akin to putting a letter
in an envelope properly addressed, sealing it closed, and sending it through the postal service.
Those who post letters have no expectations that no one will read the information appearing
Computer data—messages of all kinds—travel across the internet in packets and in a way that
may be likened to parcels of letters or things that are sent through the posts. When data is sent
from any one source, the content is broken up into packets and around each of these packets is
a wrapper or header. This header contains the traffic data: information that tells computers
where the packet originated, what kind of data is in the packet (SMS, voice call, video, internet
chat messages, email, online browsing data, etc.), where the packet is going, and how the
packet fits together with other packets. The difference is that traffic data sent through the
internet at times across the ocean do not disclose the actual names and addresses (residential
or office) of the sender and the recipient, only their coded internet protocol (IP) addresses. The
packets travel from one computer system to another where their contents are pieced back
together.53
The court then tackled next the process of collection of traffic data as to how the state may collect data
52
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
53
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Section 12 does not permit law enforcement authorities to look into the contents of the
messages and uncover the identities of the sender and the recipient.54
For example, when one calls to speak to another through his cellphone, the service provider’s
communication’s system will put his voice message into packets and send them to the other
person’s cellphone where they are refitted together and heard. The latter’s spoken reply is sent
to the caller in the same way. To be connected by the service provider, the sender reveals his
cellphone number to the service provider when he puts his call through. He also reveals the
cellphone number to the person he calls. The other ways of communicating electronically follow
In Smith v. Maryland, cited by the Solicitor General, the United States Supreme Court reasoned
that telephone users in the ‘70s must realize that they necessarily convey phone numbers to the
telephone company in order to complete a call. That Court ruled that even if there is an
expectation that phone numbers one dials should remain private, such expectation is not one
In much the same way, ICT users must know that they cannot communicate or exchange data
with one another over cyberspace except through some service providers to whom they must
submit certain traffic data that are needed for a successful cyberspace communication. The
conveyance of this data takes them out of the private sphere, making the expectation to privacy
54
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
55
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
56
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
57
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Upon discussing the aspects of the Right to Privacy in connection to collection of traffic data as seen
above, the court has come into conclusion that Section 12 of the Cybercrime law is unconstitutional.
Said section may be used to profile citizens, can be used for abuse of authority, failure to provide
safeguards sufficient to protect constitutional guarantees and its vague purpose offered in the provision
for collection which are effects of violations to the Right of Privacy in the cyberspace realm.
The Court, however, agrees with Justices Carpio and Brion that when seemingly random bits of
traffic data are gathered in bulk, pooled together, and analyzed, they reveal patterns of activities
which can then be used to create profiles of the persons under surveillance. With enough traffic
data, analysts may be able to determine a person’s close associations, religious views, political
affiliations, even sexual preferences. Such information is likely beyond what the public may
expect to be disclosed, and clearly falls within matters protected by the right to privacy. But has
the procedure that Section 12 of the law provides been drawn narrowly enough to protect
individual rights?58
Section 12 empowers law enforcement authorities, "with due cause," to collect or record by
technical or electronic means traffic data in real-time. Petitioners point out that the phrase "due
cause" has no precedent in law or jurisprudence and that whether there is due cause or not is
left to the discretion of the police. Replying to this, the Solicitor General asserts that Congress is
not required to define the meaning of every word it uses in drafting the law. 59
Indeed, courts are able to save vague provisions of law through statutory construction. But the
cybercrime law, dealing with a novel situation, fails to hint at the meaning it intends for the
phrase "due cause." The Solicitor General suggests that "due cause" should mean "just reason or
motive" and "adherence to a lawful procedure." But the Court cannot draw this meaning since
58
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
59
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Section 12 does not even bother to relate the collection of data to the probable commission of a
particular crime. It just says, "with due cause," thus justifying a general gathering of data. It is
akin to the use of a general search warrant that the Constitution prohibits.60
Due cause is also not descriptive of the purpose for which data collection will be used. Will the
law enforcement agencies use the traffic data to identify the perpetrator of a cyber attack? Or
will it be used to build up a case against an identified suspect? Can the data be used to prevent
The authority that Section 12 gives law enforcement agencies is too sweeping and lacks
restraint. While it says that traffic data collection should not disclose identities or content data,
such restraint is but an illusion. Admittedly, nothing can prevent law enforcement agencies
holding these data in their hands from looking into the identity of their sender or receiver and
what the data contains. This will unnecessarily expose the citizenry to leaked information or,
Section 12, of course, limits the collection of traffic data to those "associated with specified
communications." But this supposed limitation is no limitation at all since, evidently, it is the law
enforcement agencies that would specify the target communications. The power is virtually
whatever specified communication they want. This evidently threatens the right of individuals to
privacy.63
The Solicitor General points out that Section 12 needs to authorize collection of traffic data "in
real time" because it is not possible to get a court warrant that would authorize the search of
60
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
61
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
62
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
63
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
what is akin to a "moving vehicle." But warrantless search is associated with a police officer’s
determination of probable cause that a crime has been committed, that there is no opportunity
for getting a warrant, and that unless the search is immediately carried out, the thing to be
searched stands to be removed. These preconditions are not provided in Section 12. 64
The Solicitor General is honest enough to admit that Section 12 provides minimal protection to
internet users and that the procedure envisioned by the law could be better served by providing
for more robust safeguards. His bare assurance that law enforcement authorities will not abuse
the provisions of Section 12 is of course not enough. The grant of the power to track cyberspace
communications in real time and determine their sources and destinations must be narrowly
Petitioners also ask that the Court strike down Section 12 for being violative of the void-for-
vagueness doctrine and the overbreadth doctrine. These doctrines however, have been
consistently held by this Court to apply only to free speech cases. But Section 12 on its own
neither regulates nor punishes any type of speech. Therefore, such analysis is unnecessary.
This Court is mindful that advances in technology allow the government and kindred institutions
to monitor individuals and place them under surveillance in ways that have previously been
impractical or even impossible. "All the forces of a technological age x x x operate to narrow the
area of privacy and facilitate intrusions into it. In modern terms, the capacity to maintain and
support this enclave of private life marks the difference between a democratic and a totalitarian
society." The Court must ensure that laws seeking to take advantage of these technologies be
written with specificity and definiteness as to ensure respect for the rights that the Constitution
guarantees.66
64
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
65
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
66
Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
The court thus concluded that
a. x;
b. Section 12 that authorizes the collection or recording of traffic data in real-time; and
c. x
Sereno, in a separate opinion67, opined that real-time collection of traffic data is not invalid per se.
However, there must be “robust safeguards” and an explanation for the need and nature of the traffic
instances. Also, traffic data per se may be examined by law enforcers, since there is no privacy
expectation in them. However, the authority given to law enforcers must be circumscribed
the ponencia in finding the first paragraph of Section 12 unconstitutional because of its failure
to provide for strong safeguards against intrusive real-time collection of traffic data. I clarify,
however, that this declaration should not be interpreted to mean that Congress is now
prevented from going back to the drawing board in order to fix the first paragraph of Section 12.
Real-time collection of traffic data is not invalid per se. There may be instances in which a
warrantless real-time collection of traffic data may be allowed when robust safeguards against
possible threats to privacy are provided. Nevertheless, I am of the opinion that there is a need
67
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
to explain why real-time collection of traffic data may be vital at times, as well as to explain the
Sereno further discussed the conflict between the exercise of police power by collection of data which in
We can gather from the Explanatory Note that there are two seemingly conflicting ideas before
us that require careful balancing – the fundamental rights of individuals, on the one hand, and
the interests of justice (which may also involve the fundamental rights of another person) on the
other. There is no doubt that privacy is vital to the existence of a democratic society and
government such as ours. It is also critical to the operation of our economy. Citizens,
governments, and businesses should be able to deliberate and make decisions in private, away
from the inhibiting spotlight. Certainly, this privacy should be maintained in the electronic
context as social, governmental and economic transactions are made in this setting. At the same
time however, law enforcers must be equipped with up-to-date tools necessary to protect
society and the economy from criminals who have also taken advantage of electronic
technology. These enforcers must be supplied with investigative instruments to solve crimes and
What is beyond debate, however, is that real-time collection of traffic data may be absolutely
necessary in criminal investigations such that, without it, authorities may not be able to probe
certain crimes at all. In fact, it has been found that crucial electronic evidence may never be
stored at all, as it may exist only in transient communications. The UN Office on Drugs and Crime
requires real-time collection of data because of the urgency, sensitivity, or complexity of a law
enforcement investigation.70
68
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
69
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
70
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Sereno further emphasised the constitutional guarantee against unreasonable searches and seizures
which is inviolable.
Hence, it is imprudent to precipitately make (1) an absolute declaration that all kinds of traffic
data from all types of sources are protected by the constitutional right to privacy; and (2) a
blanket pronouncement that the real-time collection thereof may only be conducted upon a
prior lawful order of the court to constitute a valid search and seizure. Rather, the Court should
The inviolable right against unreasonable search and seizure is enshrined in Article III of the
Section 2. The right of the people to be secure in their persons, houses, papers, and effects
against unreasonable searches and seizures of whatever nature and for any purpose shall be
inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to
be determined personally by the judge after examination under oath or affirmation of the
complainant and the witnesses he may produce, and particularly describing the place to be
It is clear from the above that the constitutional guarantee does not prohibit all searches and
seizures, but only unreasonable ones. As a general rule, a search and seizure is reasonable when
probable cause has been established. Probable cause is the most restrictive of all thresholds. It
has been broadly defined as those facts and circumstances that would lead a reasonably
71
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
72
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
73
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
discreet and prudent man to believe that an offense has been committed, and that the objects
sought in connection with the offense are in the place sought to be searched. It has been
reasonable and prudent men, not legal technicians, act." Furthermore, probable cause is to be
determined by a judge prior to allowing a search and seizure. The judge’s determination shall be
contained in a warrant, which shall particularly describe the place to be searched and the things
to be seized. Thus, when no warrant is issued, it is assumed that there is no probable cause to
Sereno then further discussed search in relation to the right to privacy especially to legitimate
expectation of privacy with regards to data disclosed to public through cyberspace domain.
For the constitutional guarantee to apply, however, there must first be a search in the
constitutional sense.101 It is only when there is a search that a determination of probable cause is
required. In Valmonte v. De Villa, the Court said that the constitutional rule cannot be applied
when mere routine checks consisting of "a brief question or two" are involved. The Court said
that if neither the vehicle nor its occupants are subjected to a search – the inspection of the
vehicle being limited to a visual search – there is no violation of an individual’s right against
unreasonable searches and seizures. Hence, for as long as there is no physical intrusion upon a
In recent years, the Court has had occasion to rule that a search occurs when the government
United States. Katz signalled a paradigm shift, as the inquiry into the application of the
constitutional guarantee was now expanded beyond "the presence or absence of a physical
74
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
75
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
intrusion into any given enclosure" and deemed to "[protect] people, not places." Under this
expanded paradigm, the "reasonable expectation of privacy" can be established if the person
claiming it can show that (1) by his conduct, he exhibited an expectation of privacy and (2) his
expectation is one that society recognizes as reasonable. In People v. Johnson, which cited Katz,
the seizure and admissibility of the dangerous drugs found during a routine airport inspection
were upheld by the Court, which explained that "[p]ersons may lose the protection of the search
and seizure clause by exposure of their persons or property to the public in a manner reflecting
reasonable."76
Traffic data per se do not enjoy privacy protection; hence, no determination of probable cause is
The very public structure of the Internet and the nature of traffic data per se undermine any
claims of reasonable expectation of privacy in traffic data per se, since the latter are necessarily
Individuals have no legitimate expectation of privacy in the data they disclose to the public and
should take the risks for that disclosure. This is the holding of the U.S. Supreme Court in Smith v.
Maryland. The 1979 case, which has stood the test of time and has been consistently applied by
American courts in various communications cases – including recent ones in the electronic
setting – arose from a police investigation of robbery. The woman who was robbed gave the
police a description of the robber and of a car she had observed near the scene of the crime.
After the robbery, she began receiving threatening phone calls from a man identifying himself as
76
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
77
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
78
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
the robber. The car was later found to be registered in the name of the petitioner, Smith. The
next day, the telephone company, upon police request, installed a pen register at its central
offices to record the numbers dialled from the telephone at the home of Smith. The register
showed that he had indeed been calling the victim’s house. However, since the installation of
the pen register was done without a warrant, he moved to suppress the evidence culled from
the device. In affirming the warrantless collection and recording of phone numbers dialled by
This claim must be rejected. First, we doubt that people in general entertain any actual
expectation of privacy in the numbers they dial. All telephone users realize that they must
"convey" phone numbers to the telephone company, since it is through telephone company
switching equipment that their calls are completed. All subscribers realize, moreover, that the
phone company has facilities for making permanent records of the numbers they dial, for they
see a list of their long-distance (toll) calls on their monthly bills. x x x.80
xxxx
Second, even if petitioner did harbor some subjective expectation that the phone numbers he
dialed would remain private, this expectation is not "one that society is prepared to recognize as
‘reasonable.’" Katz v. United States, 389 U. S., at 361. This Court consistently has held that a
person has no legitimate expectation of privacy in information he voluntarily turns over to third
I am of the opinion that this Court may find the ruling in United States v. Forrester, persuasive.
In that case, the U.S. 9th Circuit Court of Appeals applied the doctrine in Smith to electronic
79
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
80
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
81
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
communications, and ruled that Internet users have no expectation of privacy in the to/from
addresses of their messages or in the IP addresses of the websites they visit. According to the
decision, users should know that these bits of information are provided to and used by Internet
service providers for the specific purpose of directing the routing of information. It then
government surveillance of physical mail," and that the warrantless search of envelope or
routing information has been deemed valid as early as the 19th century.82
Sereno then concluded that there can be no legitimate expectation of privacy with regards to data
Based on the cogent logic explained above, I share the view that Internet users have no
reasonable expectation of privacy in traffic data per se or in those pieces of information that
users necessarily provide to the ISP, a third party, in order for their communication to be
transmitted. This position is further bolstered by the fact that such communication passes
through as many ISPs as needed in order to reach its intended destination. Thus, the collection
and recording of these data do not constitute a search in the constitutional sense. As such, the
Indeed, Professor Orin Kerr, a prominent authority on electronic privacy, observes that in the
U.S., statutory rather than constitutional protections provide the essential rules governing
Internet surveillance law. He explains that the very nature of the Internet requires the disclosure
of non-content information, not only to the ISP contracted by the user, but also to other
computers in order for the communication to reach the intended recipient. Professor Kerr
explains thus:84
82
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
83
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
84
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Recall that the Fourth Amendment effectively carves out private spaces where law enforcement
can’t ordinarily go without a warrant and separates them from public spaces where it can. One
important corollary of this structure is that when a person sends out property or information
from her private space into a public space, the exposure to the public space generally eliminates
the Fourth Amendment protection. If you put your trash bags out on the public street, or leave
your private documents in a public park, the police can inspect them without any Fourth
Amendment restrictions.85
The Supreme Court’s cases interpreting this so-called "disclosure principle" have indicated that
the principle is surprisingly broad. For example, the exposure need not be to the public. Merely
sharing the information or property with another person allows the government to go to that
Why does this matter to Internet surveillance? It matters because the basic design of the
Internet harnesses the disclosure, sharing, and exposure of information to many machines
connected to the network. The Internet seems almost custom-designed to frustrate claims of
broad Fourth Amendment protection: the Fourth Amendment does not protect information that
has been disclosed to third-parties, and the Internet works by disclosing information to third-
parties. Consider what happens when an Internet user sends an e-mail. By pressing "send" on
the user’s e-mail program, the user sends the message to her ISP, disclosing it to the ISP, with
instructions to deliver it to the destination. The ISP computer looks at the e-mail, copies it, and
then sends a copy across the Internet where it is seen by many other computers before it
reaches the recipient’s ISP. The copy sits on the ISP’s server until the recipient requests the e-
85
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
86
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
mail; at that point, the ISP runs off a copy and sends it to the recipient. While the e-mail may
seem like a postal mail, it is sent more like a post card, exposed during the course of delivery. 87
Clearly, considering that the Internet highway is so public, and that non-content traffic data,
unlike content data, are necessarily exposed as they pass through the Internet before reaching
the recipient, there cannot be any reasonable expectation of privacy in non-content traffic data
per se.88
Be that as it may, it is important to note that only non-content data are collected.
Traffic data to be collected are explicitly limited to non-content and non-identifying public
The U.S. Supreme Court and Court of Appeals in the above cases emphasized the distinction
between content and non-content data, with only content data enjoying privacy protection. In
Smith the Court approved of the use of pen registers, pointing out that "a pen register differs
significantly from [a] listening device … for pen registers do not acquire the contents of
communications." Hence, the information derived from the pen register, being non-content, is
not covered by the constitutional protection. In Forrester, it was held that while the content of
both e-mail and traditional mail are constitutionally protected, the non-content or envelope
information is not. On the other hand, in the 2007 case Warshak v. United States, the Sixth
Circuit Court of Appeals held that the contents of emails are protected. It employed the
content/non-content distinction in saying that the "combined precedents of Katz and Smith"
87
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
88
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
89
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
90
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Traffic data are of course explicitly restricted to non-content and non-identifying data as defined
in Section 12 of the Cybercrime Prevention Act itself. As such, it is plain that traffic data per se
The distinction between content and non-content data, such as traffic data, is important
because it keeps the balance between protecting privacy and maintaining public order through
effective law enforcement. That is why our Congress made sure to specify that the traffic data to
be collected are limited to non-content data. For good measure, it additionally mandated that
Kerr explains how the distinction between content and non-content information in electronic
communication mirrors perfectly and logically the established inside and outside distinction in
physical space, as far as delineating the investigative limitations of law enforcers is concerned.
Inside space is constitutionally protected, and intrusion upon it requires a court warrant; in
contrast, surveillance of outside space does not require a warrant because it is not a
networks. Communications networks are tools that allow their users to send and receive
communications from other users and services that are also connected to the network. This role
requires a distinction between addressing information and contents. The addressing (or
"envelope") information is the data that the network uses to deliver the communications to or
from the user; the content information is the payload that the user sends or receives. 94
91
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
92
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
93
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
94
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
xxxx
We can see the same distinctions at work with the telephone network. The telephone network
permits users to send and receive live phone calls. The addressing information is the number
dialed ("to"), the originating number ("from"), the time of the call, and its duration. Unlike the
case of letters, this calling information is not visible in the same way that the envelope of a letter
is.95
At the same time, it is similar to the information derived from the envelope of a letter. In
contrast, the contents are the call itself, the sound sent from the caller’s microphone to the
receiver’s speaker and from the receiver’s microphone back to the caller’s speaker. 96
context as well. The easiest cases are human-to-human communications like e-mail and instant
messages. The addressing information is the "to" and "from" e-mail address, the instant
message to and from account names, and the other administrative information the computers
generate in the course of delivery. As in the case of letters and phone calls, the addressing
information is the information that the network uses to deliver the message. In contrast, the
xxxx
distinction. To apply the Fourth Amendment to the Internet in a technologically neutral way,
access to the contents of communications should be treated like access to evidence located
95
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
96
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
97
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
inside. Accessing the contents of communications should ordinarily be a search. In contrast,
access to non-content information should be treated like access to evidence found outside.
This translation is accurate because the distinction between content and non-content
information serves the same function online that the inside/outside distinction serves in the
a person is and where a person is going. Consider what the police can learn by watching a
suspect in public. Investigating officers can watch the suspect leave home and go to different
places. They can watch him go to lunch, go to work, and go to the park; they can watch him
drive home; and they can watch him park the car and go inside. In effect, this is to/from
On the other hand, content information is analogous to inside information. The contents of
communications reveal the substance of our thinking when we assume no one else is around. It
is the space for reflection and self-expression when we take steps to limit the audience to a
specific person or even just to ourselves. The contents of Internet communications are designed
to be hidden from those other than the recipients, much like property stored inside a home is
Sereno then concluded by concurring with the rest of the Justices of the Philippine Supreme Court in
ruling that Section 12 of cybercrime law is unconstitutional due to lack of safeguards of limiting
collection of data to only non-content in nature, and only for limited purpose of investigating specific
instances of criminality.
98
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
99
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
100
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Section 12, however, suffers from lack of procedural safeguards to ensure that the traffic data to
be obtained are limited to non-content and non-identifying data, and that they are obtained
only for the limited purpose of investigating specific instances of criminality. 101
Thus far, it has been shown that real-time collection of traffic data may be indispensable in
providing a crucial first lead in the investigation of criminality. Also, it has been explained that
there is clearly no legitimate expectation of privacy in traffic data per se because of the nature
of the Internet – it requires disclosure of traffic data which, unlike content data, will then travel
exposed as it passes through a very public communications highway. It has also been shown that
the definition of traffic data under the law is sufficiently circumscribed to cover only non-
content and non-identifying data and to explicitly exclude content data. This distinction is
important in protecting privacy guarantees while supporting law enforcement needs. 102
However, Section 12 suffers from a serious deficiency. The narrow definition of traffic data per
criteria for the exercise of the authority to obtain them. The government asserts that Section 12
provides for some protection against abuse. While this may be true, the safeguards provided are
Firstly, the provision does not indicate what the purpose of the collection would be, since it only
provides for "due cause" as a trigger for undertaking the activity. While the government has
explained the limited purpose of the collection of traffic data, which purportedly can only go as
far as providing an initial lead to an ongoing criminal investigation primarily in the form of an IP
address, this limited purpose is not explicit in the assailed provision. Moreover, there is no
assurance that the collected traffic data would not be used for preventive purposes as well.
101
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
102
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
103
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Notably, the Solicitor-General defines "due cause" as "good faith law enforcement reason" or
"when there’s a complaint from a citizen that cybercrime has been committed." According to
the Solicitor General this situation is "enough to trigger" a collection of traffic data. However,
during the oral arguments, the Solicitor General prevaricated on whether Section 12 could also
be used for preventive monitoring. He said that there might be that possibility, although the
purpose would "largely" be for the investigation of an existing criminal act. This vagueness is
disconcerting, since a preventive monitoring would necessarily entail casting a wider net than an
unequivocally specified purpose is fatal because it would give the government the roving
Secondly, Section 12 does not indicate who will determine "due cause." This failure to assign the
determination of due cause to a specific and independent entity opens the floodgates to
possible abuse of the authority to collect traffic data in real-time, since the measure will be
undertaken virtually unchecked. Also, while Section 12 contemplates the collection only of data
"associated with specified communications," it does not indicate who will make the specification
Finally, the collection of traffic data under Section 12 is not time-bound. This lack of limitation
on the period of collection undoubtedly raises concerns about the possibility of unlimited
collection of traffic data in bulk for purposes beyond the simple investigation of specific
instances of criminality.106
104
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
105
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
106
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Sereno then further provided requirements to collection of traffic data in the United Kingdom, and the
United States.
In fashioning procedural safeguards against invasion of privacy, the rule of thumb should be: the
more intrusive the activity, the stricter the procedural safeguards. Other countries have put in
place some restrictions on the real-time collection of traffic data in their jurisdictions. In the
United States, the following are the requirements for the exercise of this authority: 107
(2) court order issued by a judicial officer based upon the certification of a government
attorney; and
(3) limitation of the period of collection to sixty days (with the possibility of extension).
In the United Kingdom, the following requirements must be complied with: 108
(1) necessity of the information to be collected for the investigation of crime, protection
Sereno, from the observations of comparison between Section 12 and the requirements followed in the
First, the relevance or necessity of the collection of traffic data to an ongoing criminal
investigation must be established. This requirement to specify the purpose of the collection (to
107
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
108
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
aid ongoing criminal investigation) will have the effect of limiting the usage of the collected
traffic data to exclude dossier building, profiling and other purposes not explicitly sanctioned by
the law. It will clarify that the intention for the collection of traffic data is not to create a
historical data base for a comprehensive analysis of the personal life of an individual whose
traffic data is collected, but only for investigation of specific instances of criminality. More
important, it is not enough that there be an ongoing criminal investigation; the real-time
should be explicitly stated that the examination of traffic data will not be for the purpose of
preventive monitoring which, as observed earlier, would necessarily entail a greater scope than
that involved in a targeted collection of traffic data for the investigation of a specific criminal
act.109
Second, there must be an independent authority – judicial or otherwise – who shall review
compliance with the relevance and necessity threshold. The designation of this authority will
provide additional assurance that the activity will be employed only in specific instances of
criminal investigation and will be necessary or relevant. The designation of an authorizing entity
will also inhibit the unjustified use of real-time collection of traffic data. The position of this
person should be sufficiently high to ensure greater accountability. For instance, it was
suggested during the oral arguments that the authorizing person be a lawyer of the national
109
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
110
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
Third, there must be a limitation on the period of collection. The restriction on the time period
will further prevent the indiscriminate and bulk collection of traffic data beyond what is
As to the type of technology to be used for collection, it seems that this cannot be specified
beforehand. Certainly, only a general restriction can be made – that the technology should be
capable of collecting only non-content and non-identifying traffic data. It should not be able to
directly point to the location of the users of the Internet, the websites visited, the search words
used, or any other data that reveal the thoughts of the user.112
In the end, whatever mechanism is to be set in place must satisfy the Constitution’s
requirements for the safeguard of the people’s right to privacy and against undue incursions on
their liberties.113
For the final words regarding the matter, Sereno declared that:
Laws and jurisprudence should be able to keep current with the exponential growth in
information technology. The challenge is acute, because the rapid progress of technology has
opened up new avenues of criminality. Understandably, governments try to keep pace and
pursue criminal elements that use new technological avenues. It is precisely during these times
of zeal that the Court must be ever ready to perform its duty to uphold fundamental rights when
The Court has carefully trod through the issues that have been heard in these Petitions,
especially since they involve the exercise of our power of judicial review over acts of the
legislature. I believe that we have tried to exercise utmost judicial restraint and approached the
111
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
112
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
113
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
114
Separate Opinion Jose Joseph Disini et al. v Secretary of Justice et al. G.R. No. 203335
case as narrowly as we could so as to avoid setting sweeping and overreaching precedents. We
have thus prudently resolved the present Petitions with the view in mind that a future re-
examination of the law is still possible, especially when the constitutional challenges set forth
become truly ripe for adjudication. This is also so that we do not unduly tie the hands of the
government when it regulates socially harmful conduct in the light of sudden changes in
technology, especially since the regulation is meant to protect the very same fundamental rights
However, we have also not hesitated to strike down as unconstitutional those regulatory
provisions that clearly transgress the Constitution and upset the balance between the State’s
inherent police power and the citizen’s fundamental rights. After all, the lofty purpose of police
Whether or not the state can guarantee the safety of data privacy with the sim card registration act
In its exercise of Police Power, the Philippine Congress passed Republic Act No. 11934, otherwise known
as ‘An act requiring the registration of subscriber identity module’, and ‘Sim Registration Act’. Its
Implementing Rules and Regulations, Memorandum Circular no. 001-12-2022, was issued by the
Republic Act No. 11934 and Memorandum Circular no. 001-12-2022, the Implementing Rules and
Regulations, contains the following provisions that are vital in tackling and discussing the Right to
parameters:
full name, date of birth, sex, and address. The registration form shall be accomplished
electronically through a platform or website to be provided by the PTEs. The same shall
include a declaration by the end-user that the identification documents presented are
true and correct, and that said person is the one who accomplished the registration
form;
forms of documents with photo that will verify the identity of the end-user such as, but
(1) Passport;
(c) The registration process shall require the input of the assigned mobile number of the
(d) The registration of a SIM by a minor shall be under the name of the minor's parent or
guardian: Provided, That the minor's parent or guardian shall give their consent and
(e) In the case of end-users who are foreign nationals, they shall register their full name,
nationality, passport number, and address in the Philippines and present the following:
(1) For foreign nationals visiting as tourists under Section 9(a) of Commonwealth
(i) Passport;
(ii) Proof of address in the Philippines; and
(iii) Return ticket to own country of the tourist or any other ticket
(i) Passport;
Employment (DOLE);
The SIMs that are registered under Subsection e(1) shall only be valid temporarily for
thirty (30) days, and shall automatically be deactivated upon expiration of the validity of
the SIM.
The relevant government agencies and concerned PTEs shall facilitate all SIM
access: Provided, That said registration facilities in remote areas shall be established
A buyer who fails to comply with the requirements for registration shall result in their
12-2022 provides the same list of requirements, identification, and presentation of valid government-
issued identification (ID) card or other similar form of document with photo, and inputting of the
assigned mobile number of the SIM with its serial number upon registration of SIM.
The Republic Act No. 11934 ensures the confidentiality of information gathered through its
Section 9. Confidentiality Clause. - Any information and data obtained in the registration process
described under this Act shall be treated as absolutely confidential and shall not be disclosed to any
person.
Notwithstanding this provision, disclosure of the full name and address shall be made:
(a) In compliance with any law obligating the PTE to disclose such information in
accordance with the provisions of Republic Act No. 10173 or the Data Privacy Act of
2012;
(b) In compliance with a court order or legal process upon finding of probable cause;
(d) With the written consent of the subscriber: Provided, That, the waiver of absolute
The confidentiality clause in the SIM registration shall take effect at the point of
activation.
118
Republic Act No. 11934 Section 9, Section 10
Section 10. Disclosure of Information. - Notwithstanding the provisions on confidentiality, the
PTEs shall be required to provide information obtained in the registration process only upon the
complaint that a specific mobile number was or is being used in the commission of a crime or that it was
utilized as a means to commit a malicious, fraudulent or unlawful act, and that the complaint is unable
Provided, however, That the PTE shall be held administratively, civilly, or criminally liable on
For this purpose, the relevant data and information shall be kept by the PTEs for ten (10) years
from the time the end-user deactivates his or her mobile number.
The Republic Act No. 11934 provides it’s penal provision for violations of the law in Section 11 which
provides that119
Section 11. Penalties. - The following penalties shall be imposed for violation of any provision of
this Act:
(a) For failure or refusal to register a SIM. - The following fines shall be imposed upon the PTEs
who shall fail or refuse to register a SIM, without valid reason, despite compliance by the end-
user with the requirements for SIM registration under this Act:
(1) First offense: a fine of not less than One hundred thousand pesos (P100,000.00) but
(2) Second offense: a fine of not less than Three hundred thousand pesos (P300,000.00)
but not more than Five hundred thousand pesos (P500,000.00); and
119
Republic Act No. 11934 Section 11
(3) Third and subsequent offense: a fine of not less than Five hundred thousand pesos
(P500,000.00) but not more than One million pesos (P1,000,000.00) for every offense
thereof;
(b) For breach of confidentiality. - The penalty of a fine of not less than Five hundred thousand
pesos (P500,000.00) but not more than Four million pesos (P4,000,000.00) shall be imposed
upon PTEs, its agents or its employees who shall directly or indirectly reveal or disclose any
information or data of an end-user obtained during the registration requirement under this Act,
(c) For breach of confidentiality due to negligence. - The penalty of a fine of not less than Five
hundred thousand pesos (P500,000.00) but not more than Four million pesos (P4,000,000.00)
shall be imposed upon PTEs, its agents or its employees who, due to negligence, shall reveal or
disclose any information or data of an end-user obtained during the registration requirement of
this Act;
(d) For providing false or fictitious information or for using fictitious identities or fraudulent
identification documents to register a SIM. - The penalty of imprisonment ranging from six (6)
months to two (2) years, or a fine of not less than One hundred thousand pesos (P100,000.00)
but not more than Three hundred thousand pesos (P300,000.00), or both, shall be imposed
upon anyone who provides false or fictitious information or who uses a fictitious identity or
(e) For spoofing a registered SIM. - The penalty of imprisonment of no less than six (6) years, or
a fine of Two hundred thousand pesos (P200,000.00), or both, shall be imposed upon anyone
who causes to transmit misleading or inaccurate information about the source of the phone call
or text message, with the intent to defraud, cause harm, or wrongfully obtain anything of value,
unless such transmission is exempted in connection with: (1) authorized activities of law
enforcement agencies; or (2) a court order specifically authorizing the use of caller ID
manipulation;
(f) For sale of a stolen SIM. - The penalty of imprisonment ranging from six (6) months to two (2)
years, or a fine of not less than One hundred thousand pesos (P100,000.00) but not more than
Three hundred thousand pesos (P300,000.00), or both, shall be imposed upon the PTEs, its
agents, resellers, or any entity that will engage in the sale of stolen SIM as provided under this
Act.
If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed
upon the responsible officers, as the case may be, who participated in, or by their gross
(g) For sale or transfer of a registered SIM without complying with the required registration. -
The penalty of imprisonment ranging from six (6) months to six (6) years, or a fine of One
both, shall be imposed upon anyone who sells or transfers a registered SIM without complying
Any person who abets or aids in the commission of any of the offenses enumerated in this Act
A prosecution under this Act shall be without prejudice to any liability or violation of any
required under this Act. The database shall strictly serve as a SIM Register to be used by PTEs to process,
activate or deactivate a SIM or subscription and shall not be used for any other purpose, unless
otherwise provided under this Act. The successful submission and acceptance of the required
The registration required under this Act shall be implemented at no cost to the end-users.
In the recordkeeping of information, PTEs shall ensure that the end-users' data are secured and
protected at all time. The PTEs shall comply with the minimum information security standards
prescribed by the DICT consistent with internationally accepted cybersecurity standards and relevant
The DICT shall establish and perform an annual audit on PTEs' compliance with information
security standards.
In case of any change in the information of the end-user, or the loss of the SIM, death of the
end-user, or any request for deactivation, the end-user shall immediately inform the PTE through its
facility established for such purpose: Provided, That in the case of death of an end-user, such fact shall
In case of any change in the information of the end-user, the concerned PTE shall clearly note
In case of loss of the SIM, death of the end-user, or request for deactivation, the concerned PTE
shall deactivate said SIM within twenty-four (24) hours from the report of the end-user, immediate
retained by the PTE pursuant to the pertinent provisions of this Act, which is ten (10) years.
In case of a cyber-attack on the SIM Register, the incident shall be reported to the DICT within
PTEs shall provide user-friendly reporting mechanisms for their respective end-users upon the
latter's receipt of any potentially fraudulent text or call, and shall, upon due investigation, deactivate,
either temporarily or permanently, the SIM used for the fraudulent text or call.
Section 7. Subsequent Sale of a Registered SIM. - A registered SIM shall not be sold or
transferred without complying with the registration requirements under Section 6 of this Act.
Section 8. Sale of a Stolen SIM. - Any PTE, its agents, resellers, or entity that shall engage in the
(3) Sex;
(2) Nationality;
(4) Passport;
(6) For Persons of Concern or POCs, the Type of Travel or Admission Document
Presented; and
Also under the Memorandum Circular no. 001-12-2022, for providing verification, users are to show 121
(a) For individual end-user, ANY of the following identification cards or documents with photo
shall be presented:
(i) Passport;
(b) For judicial entity end-user, ALL of the following shall be presented:
(ii) In the case of corporations, duly adopted resolution designating the authorized
representative, and in the case of other judicial entities, a special power of attorney.
(c) For minor end-user, the registration of the SIM shall be under the name of the minor's parent
(i) ANY of the identification (ID) cards identified in Section 7(a) of this IRR; and
(d) For foreign national end-user visiting as tourists under Section 9(a) of Commonwealth Act
(i) Passport (i.e. copy of the bio-page and pages where the current 9(a) of
(ii) Proof of address in the Philippines (i.e. booking in a hotel or other type of
(iii) Return ticket to own county of the tourist or any other ticket showing the date and
(e) For foreign national end-user with other types of visas, ALL of the following shall be
presented:
(i) Passport (i.e., copy of the bio-page and pages where the type of visa is stamped or
show);
(ii) Proof of address in the Philippines (i.e., booking in a hotel or other type of
Employment (DOLE);
(2) Alien Certificate of Registration Identification Card (ACRI Card) issued by the
Bureau of Immigration (BI) or other types of official ID issued by any other visa-
issuing agency;
(4) For Persons of Concern or POCs, the type of travel or admission document
Still under the Memorandum Circular no. 001-12-2022, End Users are obligated to122
a) Undertake registration of their own SIMs within one hundred eight (180) days from the
effectivity if the Act, without prejudice to the possible extension by the DICT up to a maximum period of
(1) Any change in the information supplied in their applications for SIM registration;
(i) Name;
(ii) Address
122
Memorandum Circular no. 001-12-2022 Section 9
(v) Such other relevant and reasonable information as may be required by the
(c) In case of death of the end-users, the immediate family or relatives shall immediately report
(d) Submit to their respective PTEs any request for SIM activation/deactivation.
(e) Undertake not to sell or transfer registered SIMs without complying with registration
The Memorandum Circular no. 001-12-2022 also provides that PTEs are obligated to 123
(a) Establish their own secure online SIM registration platform. The online registration platform
shall be user-friendly and easy to use for the benefit of the registering subscribers/end-users. PTEs shall
also provide additional means to assist persons with disabilities, senior citizens, pregnant women,
and/or persons with special needs in registering their respective SIMs. PTEs shall be enjoined to also
include procedures to verify the data and information submitted and presented by the registering
subscribers/end-users.
(b) Maintain a register of the SIMs of their respective end-users and include the data of existing
(c) Send notice of successful submission and acceptance of registration form to the end-users on
(d) Deactivate the SIM within twenty-four (24) hours from receipt of information on the death of
123
Memorandum Circular no. 001-12-2022 Section 10
(e) Effect any change in the information in their respective SIM registers requested by their
respective end-users within two (2) hours from receipt of such requests.
(f) Immediately effect barring of any SIM reported as lost or stolen thereby rendering it unusable
for any incoming or outgoing text, call and use of mobile data service. Such SIM will be permanently
deactivated upon issuance of a new SIM to the verified end-user or within twenty-four (24) hours as
(g) Deactivate, temporarily or permanently, the SIM used for fraudulent text or call, upon due
investigation.
(h) Deactivate all prepaid SIMs for sale to the public upon the effectivity of the Act. Otherwise,
the concerned PTE shall be liable for the penalties prescribed under the Act.
(i) Retain for ten (10) years from date of deactivation the relevant data and information of any
deactivated SIM.
(j) Treat as absolutely confidential and not to disclose to any person any information and data
(k) Provide user-friendly reporting mechanism for their respective end-users to report any
potentially fraudulent text or call, change of information, lost or stolen SIM, or death of a registered
end-user.
(l) Ensure that the end-users’ data are secured, encrypted and protected at all times and comply
with the minimum information security standards prescribed by the DICT consistent with
(m) Report to the DICT, within twenty-four (24) hours of detection any incident of cyber-attack
on the SIM register. In the event that the cyber-attack should also result in personal data breach, PTEs
shall comply with the personal data breach notifications and other reportorial requirements pursuant to
the provisions of the Data Privacy Act of 2012 (DPA) and applicable issuances of the National Privacy
Commission (NPC).
(n) Allow DICT to perform an annual audit on the PTEs’ compliance with information security
standards.
(o) Submit to the NTC, DICT, and both Houses of Congress on or before the 30th day of April of
each year, an annual report on the implementation of the provisions of the Act and this IRR for the
(p) Facilitate, together with the relevant government agencies, the SIM registration process in
(q) Comply, at all times, with the requirements of the DPA of 2012 and issuances of the NPC
(i) Conduct of mandatory privacy impact assessment on the respective SIM Registers
prior to the entry of any personal data in the Registers, or within a reasonable time thereafter.
technical security measures to protect personal data of data subjects throughout the data
(iii) Enable mechanisms for the exercise of the rights of end-users as data subjects under
(iv) Ensure that any processing of personal data submitted by the end-users in the
registration of their SIM shall have a legitimate purpose which is not contrary to law, morals,
public order, and public policy, and meets the criteria for lawful processing of personal data
Confidentiality of data is tackled in Rule V of Memorandum Circular no. 001-12-2022 which provides 124
Section 11. Confidentiality Clause. Any information and data obtained in the registration process
described under the Act shall be treated as absolutely confidential and shall not be disclosed to any
person.
Notwithstanding this provision, the PTE shall disclose the full name and address of an
(a) In compliance with any law obligation the PTE to disclose such information in
accordance with the provision of Republic Act No. 10173 or the Data Privacy Act
of 2012;
(b) In compliance with a court order or legal process upon finding of probable
cause;
(c) In compliance with Section 10 of the Act and Section 12 of this IRR; or
(d) With the written consent of the subscriber: Such waiver of absolute
The confidentiality clause in the SIM registration shall take effect at the point if
activation and shall continue even after deactivation if the SIM and for as long as the end-users’
data is till retained by the PTEs receives the required data or information from the registering
subscriber/end-users).
124
Memorandum Circular no. 001-12-2022 Rule V Section 11-12
Section 12. Disclosure of Information. Notwithstanding the provisions on confidentiality, the
PTEs shall be required to provide information obtained in the registration process only upon the
complaint that a specific mobile number, was or is being used in the commission of a crime or that it
was utilized as a means to commit a malicious, fraudulent or unlawful act, and that the complaint is
The penal provisions under Rule VI of Memorandum Circular no. 001-12-2022 provides 125
Section 13. For providing the false or fictitious information or for using fictitious identities or
fraudulent identification documents to register a SIM. The penalty of imprisonment ranging from six (6)
months to two (2) years, or a fine of not less than one hundred thousand pesos (₱ 100, 000.00) but
more than three hundred thousand pesos (₱ 300, 000.00), or both, shall be imposed upon anyone who
provides false or fictitious information or who uses a fictitious identity or fraudulent identification
Section 14. For Sale or transfer of a registered SIM without complying with the required
registration. The penalty of imprisonment ranging from six (6) months to six (6) years, or a fine of one
hundred thousand pesos (₱ 100, 000.00 to three hundred thousand pesos (₱ 300, 000.00), or both, shall
be imposed upon anyone who sells or transfers a registered SIM without complying with the required
Section 15. For Spoofing as registered SIM. The penalty of imprisonment of no less than six (6)
years or a fine of two hundred thousand pesos (₱ 200, 00.00), or both, shall be imposed upon anyone
125
Memorandum Circular no. 001-12-2022 Rule VI Section 13-21
who causes to transmit misleading or inaccurate information about the source of the phone call or text
message, with the intent to defraud, cause harm, or wrongfully obtain anything of value, unless such
transmission is exempted in connection with: (1) authorized activities of law enforcement agencies; or
Section 16. For failure or refusal to register a SIM. The following fines shall be imposed upon the
PTEs who shall fail or refuse to register a SIM, without a valid reason despite compliance by the end-user
(a) First offense: a fine of not less than one hundred thousand pesos (₱ 100, 000.00) but
(b) Second Offense: a fine of not less than three hundred thousand pesos (₱ 300,
000.00) but not more than five hundred thousand pesos (₱ 500, 000.00); and
(c) Third and subsequent offenses: a fine of not less than five hundred thousand pesos
(₱ 500, 000.00) but not more than one million pesos (₱ 1, 000, 000.00) for every offense
thereof.
Section 17. For sale of a stolen SIM. Any PTE, its agent, resellers, or entity that shall engage in
the sale of stolen SIMs shall be criminally liable under the Act. The penalty of imprisonment ranging
from six (6) months to two (2) years, or a fine not less than one hundred thousand pesos (₱ 300,
000.00), or both, shall be imposed upon the PTEs, its agents, resellers, or any entity that will engage in
If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed
upon the responsible officers, as the case may be, who participated in, or by their gross negligence,
thousand pesos (₱ 500, 000.00) but not more than four million pesos (₱ 4, 000, 000.00) shall be imposed
upon PTEs, its agents or its employees who shall directly or indirectly reveal or disclose any information
or data of an end-user obtained during the registration requirement under the Act, unless otherwise
Section 19. For breach of confidentiality due to negligence. The penalty of a fine of not less than
five hundred thousand pesos (₱ 500, 000.00) but not more than four million pesos (₱ 4,000,000.00) shall
be imposed upon PTEs, its agents or its employees who, due to negligence, shall reveal or disclose any
information or data of an end-user obtained during the registration requirement under the Act.
Section 20. Liability as Co-Principal and Liability without Prejudice to any violation of the Revised
Penal Code, as amended, or special laws. Any person who abets or aids in the commission of any of the
offenses enumerated in the Act shall be held liable as a com-principal. A prosecution under the Act shall
be without prejudice to any liability or violation of any provision of the Revised Penal Code, as amended,
or special laws.
Section 21. Filing of Complaint. Any complaint involving any of the above criminal offenses shall
be filed by the proper party before the relevant agency, prosecution office or court having competent
jurisdiction thereof.
Revisiting the success rates of states with sim card registration laws
Of the remaining countries without Sim Card Registration Laws, a number have considered enacting Sim
Card Registration Laws but eventually decided against it. Whilst official government’s detailed policy
assessments were not yet published, reports have pointed out to absence of evidence in providing
significant benefits to crime investigation as the key reason for rejecting the policy. The countries
involved includes the United Kingdom, Czech Republic, Romania, and New Zealand. 126
Researcher have chosen for this study as models of comparison in revisiting the success rates of states
with sim card registration laws the United Mexican States or Mexico, and the Commonwealth of
Australia or Australia. Mexico was chosen because of the unstable political environment of said state
especially with crime rates, and yet chose to abolish their sim card registration law whilst Australia was
chosen due also to its circumstance albeit in reverse, that it was a state with a history of stable political
A curious case is that of the Mexico. Mandatory Sim Registration was introduced in Mexico in 2009 but
was repealed only after three years after a policy assessment that pointed out the Mandatory Sim
Registration had not helped with the prevention, investigation, and prosecution of crimes. 127 In fact, the
kidnapping rate even rose in 2010, after the enactment and enforcement of Sim Registration according
to a study by Citizens' Council for Public Security and Penal Justice (Consejo Ciudadano para la Seguridad
Publica y la Justicia Penal - CCSP-JP), which used data from the Mexican Attorney General's Office and
the National Public Security System.128 Amongst the reasons cited by the Mexican Senate includes
40 percent increase in the number of extortion calls between 2009 and 2010
The policy that was based on a misconception that criminals would use Sim cards
126
The Mandatory Registration of Prepaid SIM Card Users (White Paper) (2013). Groupe Speciale Mobile
Association (GSMA) - https://www.gsma.com/publicpolicy/wp-content/uploads/2013/11/GSMA_White-
Paper_Mandatory-Registration-of-Prepaid-SIM-Users_32pgWEBv3.pdf
127
The Mandatory Registration of Prepaid SIM Card Users (White Paper) (2013). Groupe Speciale Mobile
Association (GSMA) - https://www.gsma.com/publicpolicy/wp-content/uploads/2013/11/GSMA_White-
Paper_Mandatory-Registration-of-Prepaid-SIM-Users_32pgWEBv3.pdf
128
Elyssa Pachico (2011). Study: 2010 Record Year for Kidnappings in Mexico -
https://insightcrime.org/news/analysis/study-2010-a-record-year-for-kidnappings-in-mexico/
That mobile operators simply cannot always verify the accuracy of the information
Lack of incentives for registered users to update changing details leading to outdated
records
The likelihood that the policy incentivised criminal activity (mobile device theft,
fraudulent registrations, and sourcing of unregistered Sim cards overseas for use in
target market)
The risk on the registered user’s personal information to be accessed and used
improperly.
A new National Biometric of Mobile Users which was supported by President Andres Manuel Lopez
Obrador was passed by the Mexican Congress almost a decade after the repeal of the first law. The new
law aimed to combat crimes by making the registry readily available to authorities to track cell phones
‘Como fue desarrollado anteriormente, para que una interferencia en el derecho a la privacidad
y la protección de datos personales pueda ser considerada compatible con el marco constitucional,
resulta indispensable que dicha interferencia cumpla el requisito de legalidad, lo cual implica analizar si
la interferencia se encuentra autorizada por una ley, en el sentido formal y material, creada en
cumplimiento del marco jurídico y estableciendo con claridad suficiente la sustancia, contenido y
129
Luis Fernando García Muñoz (2021). Acción de inconstitucionalidad 82/2021 y su Acumulada 86/2021 Asunto: se
presenta escrito en calidad de amicus curiae (Unconstitutional action 82/2021 and its accumulated 86/2021
subject: as presented and written by amicus curiae) - pleno de la suprema corte de justicia de la nación presente,
Estados Unidos Mexicanos (Plenary Supreme Court of Justice of the Nation, United Mexican States)
Present) - https://r3d.mx/wp-content/uploads/Amicus-PANAUT-08022022.pdf p.16
Which can be roughly translated to English as ‘for an interference with the right to privacy and the
essential that said interference must meet the requirement of legality, which implies analysing whether
the interference is authorised by a law, in the formal and material sense, in compliance with the legal
framework and establishing with sufficient clarity the substance, content and scope of the right to
‘La libertad de las personas de formarse una opinión y expresar sus ideas, así como buscar y
fuentes de consulta. Es por ello que organismos y tribunales internacionales de derechos humanos han
íntimamente ligados y que de esa estrecha relación se desprende el derecho de expresión anónima.’ 130
In this argument, Muñoz was presented that the freedom of people to form an opinion and express their
ideas, and to seek and receive information, requires spaces of privacy and anonymity, free from
intimidation and reprisals caused by demands for identification or disclosure of beliefs, convictions,
sources of consultation. It is for that reason that International Human Rights Organisations and Courts
have reiterated that the right to privacy and the Right to Freedom of Expression are closely linked and
that the Right to Anonymous Expression derives from this close relationship.
130
Ibid p.39
‘La presunción establecida señala que la persona registrada como titular de la línea es dueña de
la línea de telefonía móvil. Esta presunción revierte de la carga de la prueba de manera injustificada
The New Sim Card Registration of Mexico established presumption indicates that the person registered
as the owner of the line is the owner of the mobile telephone line. This presumption shifts the burden of
‘En conclusión, el artículo 180 Bis debe ser declarado inconstitucional por violentar el principio
20 constitucional. Esto pues revierte la carga de la prueba de manera excesiva sobre las y los
ciudadanos, exenta a la parte acusadora de investigar y presentar pruebas de cargo y señala de manera
errónea la fracción I del apartado b del artículo 20 de la CPEUM como único principio de interpretación
de dicha norma.’132
In conclusion, Muñoz prayed that the New Sim Card Registration of Mexico be declared unconstitutional
for violating the principle of presumption of innocence in its form of evidentiary rule contained in
Section V of Article 20 of the Mexican Constitution. That the law reverses the burden of proof
excessively on the citizens, exempts the accusing party from investigating and presenting proof of
charge and erroneously indicates Section I of Section B of Article 20 of the CPEUM as the only principle
The Mexican Supreme Court however stroke down the new law which requires fingerprints and eye
biometrics as unconstitutional by a vote of nine to two. The last two justices voted for in favour of
partial invalidation only. The law was declared unconstitutional on the grounds that the personal data of
cell phone users would have been available to law enforcement authorities without the need to obtain a
131
Ibid p.46
132
Ibid p.47
warrant from judicial authorities, and that the law did not specify the specific conditions and parameters
under which law enforcement authorities could access the data in the registry, nor did it specify any
time limits for authorities to access such information. The court specified that the invalidated law would
provide broad access to personal information by law enforcement authorities which certainly
contradicts privacy, data protection, and criminal procedure rules under Mexican law provides that
access to personal information of individuals who are suspects in criminal proceedings can be obtained
by relevant authorities only subject to adequate limits. Thus, the Mexican Supreme Court concluded
that the law enforcement authorities have already powers appropriate to obtain access to data on
personal device of suspects to a crime given that applicable requirements are met. 133
The effectivity of Mandatory Sim Registration in the Commonwealth of Australia, a state with a long
tradition of stable democracy, was inquired in Parliamentary Inquiries by the Australian Parliament. The
Introduction
7.1 The inquiry revealed that certain administrative and regulatory arrangements hamper
Australia's efforts to tackle serious and organised crime. One example is the inadequacy of the
collection of prepaid mobile phone user information. The issue of staffing arrangements for law
enforcement agencies was also investigated, as was the need for a comprehensive research
effort to improve future policing strategies and the targeting of policy and resources to address
Telecommunications
arrangements for registering user information for prepaid mobile phone SIM cards. These are
regulation.
7.3 The committee received significant evidence from several law enforcement agencies
about the potential and actual use of SIM cards by organised crime groups to avoid detection,
whereby criminal identities are purchasing SIM cards in stolen or false names. The Queensland
Prepaid SIM cards are regularly purchased and used by target identities (including in bulk) in
false names or in the names of real persons without the knowledge of the person in question. A
number of proprietors of mobile telephone outlets, and some smaller service providers, have
sponsored Law Enforcement Advisory Committee (LEAC) have experienced difficulties keeping
pace with criminal activity in this area. This has tangible and ongoing effects on the ability of
Division, Western Australia Police, told the committee that where criminals are aware that the
police are tracking them they will change their cards 'two, three, four times a day', and possibly
'every second conversation'. There will either be no name attached to the purchase, or the
Commission, reported a similar experience, exacerbated for her agency by the fact that, in the
absence of state telephone interception powers, the commission relies heavily on charge record
analysis:
...you can clearly see phones that have been connected using false names...We see ridiculous
names like Will Smith and Bob Marley—clearly names that have been plucked out of the air.
7.6 The Western Australia Police (WAPOL) estimated that 50 per cent of telephone numbers
they investigate have false subscriber details, with the majority of these false accounts being
drug related.
7.7 Detective Superintendent Mark Porter, State Intelligence Division, Victoria Police, put
the use of SIM cards in a commercial criminal context, telling the committee that the 'churning'
of SIM cards emerged around a decade ago. While briefly restricted to 'top end' criminals, this is
now a widespread practice among the criminal fraternity. Detective Superintendent Porter
Accordingly, criminals tend to treat the cost of obtaining secure communications as a 'business'
cost:
So, if...[a criminal goes] in and buy[s] 100 SIM cards, that is a business cost, because...[their]
7.8 Further, Ms Foulger told the committee that some organised crime figures have links to
the providers of mobile phones, and are able to obtain phones using the legitimate details
provided by unsuspecting third parties. For law enforcement, tracking down the actual user of a
service becomes very difficult.[7] In some cases, organised crime groups are endeavouring to
establish control over the commercial supply of SIM cards by establishing, purchasing or
otherwise controlling their own telecommunications companies. Detective Superintendent
Another reason why you need to legislate is...they buy their own telephone suppliers so that
they can get those cards without having to answer the questions. The situation is that we need
to have legislation to make sure that the actual supplier is required to comply.
7.9 The accurate collecting of SIM user information is critical to law enforcement agencies'
ability to investigate serious and organised crime. Detective Superintendent Porter observed
that current arrangements are allowing criminals to obtain effectively anonymous means of
communication:
When you can go into the supermarket and buy quite a number of...[prepaid mobile services]
and you can just make a phone call and claim to be anybody, then you have anonymous
identification that you can use for five minutes, five days or whatever.
The fact that telecommunication service providers do not require or impose the 100 point
identification check on the purchase of SIM cards makes identifying the actual user virtually
impossible.
evidence received regarding SIM cards and prepaid mobile service registration. Their submission
outlines that the Telecommunications (Service Provider—Identity Checks for Pre-Paid Mobile
Telecommunications Services) Determination 2000 applies to the sale of prepaid mobile phones,
and that there are established processes for collecting and verifying customer information.
7.12 Under the determination, purchasers of SIM cards are required to produce identity
documents either when purchasing a prepaid mobile phone (option A) or when activating a
prepaid mobile service (option B). The submission, acknowledging the shortcomings of the
Industry’s preference would be to use option B above, but transition to this process has been
consistently thwarted by the lack of access to original sources for verification of customer
differences between the information collected from the purchaser and the user (e.g. if the
mobile is a gift) incomplete and unverified data in the IPND, as this data is collected from the
7.13 The AMTA submission also explains proposed improvements to the collection of SIM
purchaser information:
AMTA members are developing a standard form for pre-paid mobile phone services in order to
seek more accurate and consistent data capture at point of sale. To complement the
development of the new pre-paid mobile phone service form, AMTA is developing an overall
continuous improvement process that consists of comprehensive guidelines for retailers and an
7.14 AMTA suggests that the identity checks could be undertaken at the point of activation
(option B above), and suggests that the government’s proposed National Document Verification
Service (NDVS) could be used to support such an approach.[14] The NDVS is a part of the
National Identity Security Strategy developed by the Council of Australian Governments; a
...will be a secure, electronic, on-line system accessible by all key Australian Government, State
and Territory agencies, and potentially by the private sector. Agencies authorised to use the DVS
will be able to check in real time whether a document presented to them as a proof-of-identity
by an individual applying for high value benefits and services was issued by the relevant agency,
and that the details on the document are true and accurate.
7.15 While the committee notes AMTA's willingness to assist with the support of the NDVS,
there is no indication of when the database will become operational. In AMTA's view, the 100-
telecommunications market has resulted in there being less control over call records. This makes
7.16 This was also noted by Ms Catherine Smith, Assistant Secretary, Telecommunications
and Surveillance Law Branch, Attorney-General's Department, who told the committee:
Because it is a deregulated telecommunications market, the obligation has been placed upon
and continued:
The difficulty is that there is no regulation of who can sell those SIM cards. Even though an
obligation may be placed on the main telecommunications providers who provide them, they
are sold at the local garage, at Woolworths and so on, so the obligation might fall upon a
checkout person, who is very busy, to take down certain details and that sort of thing...In the
Law Enforcement Advisory Committee, which is chaired by ACMA, we have been working very
hard for a number of years to come up with a better system. We expect that—I think in July this
year—AMTA will be putting out a new draft way to deal with these prepaid SIMS. So something
is being done.
7.18 The committee considers that prompt and serious attention must be given to ensuring
that reliable records of mobile phone users are created and kept. Apart from data and
enforcement agencies rely heavily on this data from telecommunications companies. While the
telecommunications providers and consumers, the lack of access to reliable SIM user
information is seriously undermining the ability of police to detect, investigate and prosecute
committee's support for stricter proof-of-identity requirements is given with recognition that,
ultimately, the success of any system will be judged by how well commercial and consumer
interests are preserved within a system that achieves comprehensive and accurate SIM card
user registration.
7.19 The committee acknowledges that any changes to the current model for obtaining
registration of SIM card users have the potential to affect the administrative and commercial
cards could add to the length and cost of transactions and potentially affect sales.
7.20 Equally, additional inconvenience and expense could adversely affect individual
consumers, and the committee notes the significant practical considerations that would arise
with a requirement to provide 100 points of identity documentation for purchase or activation
of SIM cards. Young people in particular might find tougher requirements difficult to satisfy, if
not an outright barrier to ownership, and the effect on consumers of any proposed changes
Recommendation 9
7.21 The committee recommends that the government seek to expedite the
2000, so as to require 100 points of identity documentation upon activation of prepaid mobile
phone services.
7.22 The committee heard that rapid technological change in the telecommunications
industry is a continuing threat to the ability of law enforcement agencies (LEAs) to capture
telecommunications information. In particular, Voice over Internet Protocol (VoIP) does not
require billing records. Mr Christopher Keen, Director, Intelligence, Queensland Crime and
Misconduct Commission, described the nature of the problem and how it impacts upon the
just pay your $50 up front and, therefore, they no longer need billing records...[I]t is having an
impact on us being able to salvage networks, links and then, from there, perhaps taking some
other action.
7.23 Ms Smith advised the committee that, because the relevant Acts in this area—the
Telecommunications (Interception and Access) Act 1979 and the Telecommunications Act 1997
—are 'technology neutral', carriers have the same reporting obligations around VoIP as they do
for fixed line services.[19] Nevertheless, Ms Smith acknowledged that there are 'challenges' to
be addressed arising from the need to deal with and rely on the many players making up the
7.24 The committee is concerned that technological developments will make it more difficult
for LEAs to identify and pursue criminal identities, and will monitor the department's initiatives
7.25 The committee heard evidence that police efforts to combat organised crime are still
crime is typically complex, labour intensive and long term, and it can be interrupted by the
policing with the creation of specialist crime and corruption bodies such as the ACC. As the
Within Australia a number of Royal Commissions have been established to investigate and
report on organised crime. Emerging from these commissions has been the recognition that
traditional policing methods were inadequate and new arrangements for combating organised
7.27 The CCCWA endorsed Australia's current model for dealing with organised crime, which
resources for the long-term protracted investigations that are the trademark of effective
organised crime investigations, rather than having these resources dispersed, responding to
7.28 The inquiry identified a present tendency for law enforcement agencies to experience
high staff turnover and lose valuable professional experience and corporate knowledge. This
problem is particularly acute given the increase in technology enabled or facilitated crime, and
the rapidity with which criminals are exploiting new technology. Professor Rod Broadhurst,
hard to keep. We have had entire forensic computing sections of police forces get up and resign
and go and work in private enterprise. We have people who are trained poached by the big IT
security firms.
7.29 Commissioner Ken Moroney, NSW Police Force, described one of the factors behind
Certainly in some of our highly specialised information technology areas we are losing police
officers, ironically, to the Commonwealth, which perhaps is in a position to offer better salaries,
better salary packages and a diversity of work away from strict law enforcement. One of our
senior IT police officers has recently been employed by the Department of Defence. A range of
issues were taken into account in that career path—different opportunities and salary were
certainly key issues. Those are salaries that, in one sense, I cannot compete with. We are losing
7.30 Mr Mark Burgess, Chief Executive Officer, Police Federation of Australia (PFA), indicated
that police skills are a useful, marketable and valuable commodity in the current employment
market.
integrated and coordinated national approach to policing organised crime, there is a need for a
more systematic approach to staff secondment and transfers. This would ensure that state
meet the existing commitments of state and territory police forces.[26] While the PFA did not
endorse a central recruiting pool as the way to manage staffing nationally, it did support the
funding of a 'national police workforce planning study' to ultimately form the basis of a national
police workforce strategy. The PFA believes that such a coordinated approach could secure
effective national management and planning of police staffing levels, while maintaining the
positive aspects of inter-jurisdictional mobility within the service, and respecting the self-
7.33 Commissioner Mick Keelty, Australian Federal Police (AFP), pointed to both individual
factors and general international trends as causing staffing pressures on Australian police forces:
In terms of...overall policing numbers...retaining staff is an issue at the national level. There are
various reasons why police organisations do not retain staff. I have spoken to Commissioner
Paul White in the Northern Territory and we have talked about the difficulties of policing in the
Northern Territory—the remoteness of it and the lack of familial connections. I have talked to
my counterpart in Queensland, Bob Atkinson. Bob unashamedly will tell you that a lot of police
want to come and work in Queensland. Some of it is the social demographics of Australia. In
Western Australia, despite the perception that the AFP has stolen their staff, a lot of the police
7.34 Commissioner Keelty observed that, although staff movements occur in all directions
between state and territory forces and the private sector, the AFP does not experience the staff
retention problems of the state and territory police forces. This is due to the diversity of work
that the AFP undertakes, which offers greater professional choices to staff. While the AFP does
not actively recruit members of state and territory police forces, there is a natural gravitation
7.35 Mr Tony Harrison, Assistant Commissioner, Crime Service, South Australia Police, while
acknowledging the value of inter-agency mobility for skills development and cross-pollination of
ideas, observed that the preponderance of such movements is from state or territory to
7.36 The committee believes that, without adequate recognition, planning and effort, police
Recommendation 10
7.37 The committee recommends that the Ministerial Council for Police and Emergency
retention of sworn police officers across all jurisdictions; and that consideration be given to
7.38 The PFA also raised concerns about the numbers of sworn police officers in the AFP, as
only sworn officers can undertake the full range of policing activities. Mr Burgess considered
that this could affect an agency's capacity to fulfil its responsibilities and that, despite recent
increases in the AFP's staffing budget and overall numbers, the proportion of sworn AFP officers
has declined. In light of the increases in AFP responsibilities, such as anti-terrorism activities and
investigations, there is an expectation that fully sworn officers will attend to matters of serious
increase in unsworn staff recruited to the AFP is properly viewed as a reflection of the type of
skills required by the organisation. In particular, the AFP has increased the size of its intelligence
7.40 Commissioner Keelty raised the related issue of police pursuing partnerships with
community and private sector groups. This approach is in use or being considered by countries
overseas, such as the US and UK. The use of 'enthusiastic' and properly skilled people to free-up
sworn officers to undertake critical tasks could help with the management of staffing and skills
pressures.
Evaluation
7.41 Attempts to address the impact of serious and organised crime effectively are held back
by reliance on an unstructured and almost reactive approach to considering policy design and
funding choices for law and order regimes. Improved systems of measuring outcomes will allow
Australia to bridge the chasm between the political concerns that so often shape policy
development and the practical imperatives of a system of laws that is effective against organised
crime.
7.42 Professor Adam Sutton, appearing in a private capacity, identified the Productivity
...I would argue very strongly for the Productivity Commission. Most areas of government now,
quite rightly, are tied to those kinds of [Productivity Commission] performance objectives. I do
not think we are doing that in the law enforcement area...partly because of this idea of
7.43 The Productivity Commission is an independent Commonwealth agency that acts as:
...the Government’s principal review and advisory body on microeconomic policy and regulation.
It conducts public inquiries and research into a broad range of economic and social issues
The Commission’s work covers all sectors of the economy. It extends to the public and private
sectors and focuses on areas of Commonwealth as well as State and Territory responsibility.[36]
7.44 The committee considers that there is a need for evaluative research to quantify the
effectiveness of current policy and legislative and administrative arrangements for serious and
7.45 The committee has also commented in previous inquiries on the difficulties of
establishing performance objectives for law enforcement that adequately reflect its work and
outcomes. Accordingly, the committee would support a Productivity Commission inquiry into
Recommendation 11
7.46 The committee recommends that the Productivity Commission inquire into the cost
effectiveness and benchmarking of law enforcement bodies and current national arrangements
and assessing the character and activities of organised crime. Mr Alastair Milroy, Chief Executive
The ACC values the important dialogue that has arisen through this inquiry. It is through this
varied and informed debate involving law enforcement agencies, academia, politicians, the legal
community and concerned citizens that Australia can better arm itself to combat the continuing
7.48 Mr Milroy called for a greater involvement and contribution by academia to the body of
research informing Australia's policy and operational choices in fighting organised crime:
...academia has done some work that looks at the characteristics of organised crime. But even
our partners in the UK have acknowledged that a lot of that work needs to be done by others to
give us better advice on what can be done from a government point of view in tackling
organised crime.
7.49 Mr Milroy pointed to certain areas of potential research where better understanding is
needed:
...a lot more work could be done to fill in some of the gaps...[such as] the value of organised
crime markets, which is about the revenue derived by organised crime in pursuit of illegal
activity...To deal with organised crime, to assist in forming policy and to have better operational
responses, you have to look at the problem itself and understand organised crime markets.
7.50 Experiences under the current national policing arrangements for organised crime have
shown that the best strategic and tactical options can only be selected when police can
accurately identify the groups and actors causing the greatest levels of threat and harm in the
community, and the markets and activities in which they are involved. Given the acknowledged
flexibility and opportunism of organised crime groups, research is also required to support
analysis of successful policing strategies. This would allow police to better anticipate new
...with organised crime, once you are successful in targeting specific groups, they learn from it
and change their methodology. It is an ongoing cycle of us trying to learn from their various
operations, looking at the intelligence, identifying the methodology that they are using and
7.51 Mr Frank Costigan QC, who appeared before the committee in a private capacity,
emphasised that a research effort would need to be ongoing in order to inform and develop
appropriate police responses to the opportunism and continuing evolution of organised crime:
There is no clear-cut answer to these things; it is a continuing fight. As new methods of attack
are found, there will be new methods of getting around the system.
7.52 Professor Margaret Mitchell, Director, Sellenger Centre for Research in Law, Justice and
Policing, School of Law and Justice, Edith Cowan University, supported the analyses of Mr Milroy
and Mr Costigan. So too, Dr Toni Makkai, Director, Australian Institute of Criminology, observed
that 'one of the difficulties or challenges for...[the Australian Institute of Criminology] is getting
our research to influence policy and practice'. This has serious implications for the development
take notice of the research and the evidence base, we will not be able to improve the efficiency
and effectiveness in terms of our responses to serious and organised crime in Australia.
7.53 Professor Mitchell identified this failure to incorporate research into policy and policing
strategies as international in nature, and called for a 'careful and comprehensive overview,
Despite real concern over the increasing threat from organised crime, there is very little rigorous
7.54 Professor Sutton noted the need for improved evaluation of organised crime, and for
research to be informed by police operational information. This would allow research to inform
I do not see that there is any reason that, if you could link police intelligence with research, you
could not actually measure that and use that in a feedback loop in order to guide your
operation.
7.55 The committee endorses the argument that, without sound research on the precise
nature and effects of organised crime, policymakers and practitioners will be hampered in
7.56 The committee received evidence showing some important, if nascent, collaborative
efforts between police and information and/or research agencies, such as the Australian
the ACC and the Attorney-General's Department, whereby the AIC both informs and comments
on intelligence matters from a research perspective. Notably, the AIC provides input, by way of
7.58 Putting this in context, Dr Makkai explained that much of the AIC's work is commissioned
or contracted, with it having to carefully allocate its $5.3 million budget to other projects. The
recent and current projects of the AIC show its work to be highly relevant to the matters central
to the committee's inquiry. These include high-tech crime, implementation of the Anti-Money
Laundering and Counter-Terrorism Financing Act 2006, online child pornography, drug analysis
7.59 Currently, links between research and police agencies are largely informal. However, the
AIC is assiduous in the number and variety of methods it employs to promote closer links:
We have been trying to...[collaborate] through the informal exchange of information and
knowledge...We have been locating our analysts in policy and in the operational environments
so that they get better informed and they can then inform the people they are working with
We have run a series of closed roundtables so that law enforcement in particular can come
together and talk about things in a confidential way, not in the public arena. We also run open
public conferences on issues. We do the standard thing of publishing our material. We also have
moved towards trying to do shorter facts sheets...which are much shorter, we hope, easier to
read and more targeted on a specific issue and, therefore, they will be more likely to be picked
international bodies:
[The AIC sits] on a number of national boards and councils, such as the Australian National
Council on Drugs and National Crime Stoppers. We participate internationally through the
program network institutes of the UN and we attend the UN Crime Commission meetings as part
7.61 Despite these efforts to establish more extensive and valuable collaboration, Dr Makkai
stated that there is still the need for improved links between LEAs and the research sector:
...[The AIC does] not have routine access to either Commonwealth or state and territory criminal
justice databases. To a certain extent, our capacity to produce new and innovative research is
7.62 Mr Bob Bottom, appearing in a private capacity, identified the lack of a formally
structured research program designed specifically to marry relevant research with policy and
Bottom pointed to the UK, where the Serious and Organised Crime Agency (SOCA) has
developed an annual public document outlining the nature of organised crime in that country.
[52] SOCA has also established a research program designed to provide objective support for the
7.63 Mr Bottom argued that Australia needs a similar program 'to provide research evidence
to support the development of policy and practice relating to the [reduction] of organised
crime’.[54] This need is heightened by the existence of the ACC, which, operating with a truly
national structure and focus, requires a substantial foundation of information, knowledge and
analysis from which to plan and coordinate its activities, and by which to assess and measure
7.64 Throughout the hearings, the committee explored the notion of underpinning law
person comes up with it, there is going to be the need for a fair amount of academic rigour, so
7.65 The committee supports the provision of comprehensive research to support law
enforcement in the area of organised crime, and believes that the AIC is well placed as a
Recommendation 12
7.66 The committee recommends that the Commonwealth Government increase funding to
Recommendation 13
7.67 The committee recommends that a formal relationship be established between law
enhance the provision of data, information and research; and that particular emphasis be placed
on the removal of any legislative impediments to the provision of data to the Australian Institute
complement and inform the priorities, strategies and outcomes of law enforcement efforts can
provide a base from which to coordinate education activities around crime and organised crime,
7.69 The committee heard evidence that there is still a gulf between social attitudes toward
some drugs, nominally 'recreational', and the serious harms that can flow from even casual
instances of illicit drug use. As part of a future crime prevention strategy, Mr Keen identified the
need for a coordinated research effort to provide targeted and well-designed educational
programs:
...what we need...[is] a short, sharp, shiny description of what to look for and what the impacts
are—and try to get some of those out [in education campaigns]...[T]here is an enormous part of
the market that we are not even touching as far as education goes.
7.70 Some witnesses saw education as an important tool in the area of high-tech crime.
Mr Rob McCusker, a research analyst in transnational crime for the Australian Institute of
Criminology, observed:
The difficulty...in all approaches to tackling technology involving crime is that we still have a
massive gullible public who make the job extremely difficult. Until we can tackle that issue
through education campaigns and so forth, law enforcement efforts in this area will be
constantly scuppered.
7.71 The committee notes that the Commonwealth Government has invested substantially in
drug education.[59] However, in light of the detrimental effects of serious and organised crime
in other sectors of society, it is the committee's view that investment in public education in
Recommendation 14
7.72 The committee recommends that public education programs about emerging criminal
activities, such as credit card fraud, banking fraud, identity theft and internet-based criminal
7.73 Calls for 'a more coordinated approach to research on organised crime in Australia' were
consistently made throughout the inquiry. In particular, some witnesses called for this to be
established around the annual preparation and public release of a declassified version of the
ACC's Picture of criminality in Australia (PoCA) report. The PoCA is 'a confidential high-level
strategic intelligence report on the relative harms of each crime type, emerging issues in the
criminal environment and strategic threats from various issues in the surrounding region', and is
the ACC's central strategic document. Mr Bottom expressed bemusement and some
committee's report on the ACC's 2004-05 annual report. That recommendation was:
...that the Australian Crime Commission consider the release of public versions of key research,
7.74 Mr Bottom told the committee that release of a declassified version of PoCA is desirable
because it would act as a focus and anchor for public information and debate about crime going
into the future. Mr Bottom observed that the PoCA's substance goes to the very heart of the
appropriately Australian perspective was maintained when considering and designing responses
to crime and the anticipated requirements of LEAs. There was, he said, an over-reliance on
overseas data and European perspectives, both in Australia generally and, in particular, in much
...I refer to the submission from the Australian Institute of Criminology...[N]ot one of its 16
references credited...is from Australia; indeed, not even from the AIC itself, which in recent
years, to its credit, has produced two of the best academic or research based assessments of
organised crime within Australia. The tendency, therefore, of academics to ignore such local
research and point you to Europe is, to put it mildly, an unfortunate example of academic
naivety.
7.76 Apart from the obvious benefits of basing Australian strategies on Australian
experiences and data, Mr Bottom pointed to the fact that Australia has been a leader in the
establishment of ACC type bodies, and has, for example, provided the model for the
establishment of the Serious and Organised Crime Agency in the UK. To look to overseas models
therefore appeared to him retrograde and unlikely to provide many meaningful comparisons or
insights.
7.77 The committee notes that the previous recommendation for a declassified or public
version of the PoCA is still awaiting a response by the government; this was also noted in the
committee's June 2007 report on the ACC annual report for 2005-06. As stated there, the
The ACC...wishes to respond to criticism concerning the release of the public version of the
ACC’s picture of criminality in Australia. We are in the final stages of developing a paper, which
is termed Organised crime in Australia, following extensive consultation with our partners and
this will be delivered to the ACC board this month for their consideration for release to the
public.
The Committee notes that the ACC has prepared a public version of it picture of criminality in
Recommendation 15
7.80 The committee notes that the Australian Crime Commission has prepared a public
version of the Picture of criminality in Australia and recommends that the ACC Board make this
7.81 A related issue to emerge from the committee's consideration of the question of
establishing a complementary research effort for Australian police agencies was that of the
reporting of online fraud in Australia. A number of witnesses saw the current approach to
crimes, a lack of reliable data and 'data infrastructure' means that research in this area is not
well developed, especially in comparison to traditional types of crime, such as property and
violent crime:
Certainly from a research perspective we would like to know the data...[High-tech crime] is, for
example, one of those crimes that we know is grossly underreported to police and, as a
consequence, we do not have any idea of the size of the problem. As researchers, we would
Protection Branch, Attorney-General’s Department, advised the committee that, although the
Attorney-General's Department could not provide 'specific information' on the level and
incidence of e-fraud against financial institutions, 'general threats to anybody on the internet,
7.84 Mr William Boulton, Examiner, Australian Crime Commission, explained that, despite
online fraud being a fairly recent development, it is generally true that it is a 'very big growth
area', and that the extent of this class of fraud is 'probably much greater than people realise'.
7.85 Although banks and financial institutions have traditionally absorbed fraud-related
losses, online vulnerabilities are generally ascribable to 'the interaction between the user and
their computer and the bank'. The committee is concerned that, if financial institutions decide in
future to adopt a fault-based or stricter approach to apportioning liability for online losses, the
7.86 The committee heard some evidence that banks are already passing online fraud related
losses onto consumers. Such claims raise important issues around accountability and the
question of who is bearing, and who should bear, the burden of risk in cases of online fraud. This
is particularly so if it is true that, as the submission from Mr Stephen Palleras QC, Director of
Public Prosecutions for South Australia, asserts, most cases of online fraud are described as
'identity theft' or 'identity fraud' when in fact they are offences effected through entirely
fictitious identities. The lack of compulsory reporting of online crime means that banks could be
passing on, or could in the future pass on, online crime costs to consumers based on a flawed
7.87 The committee was unable to secure the direct participation of the Australian High Tech
Crime Centre (AHTCC), a body whose responsibility and expertise is directly related to such
issues. Nevertheless, the committee was able to refer to the public comments of Mr Kevin
7.88 On 24 June 2007, Mr Zuccato participated in ABC radio's Background Briefing story on
the apparent vulnerability of the internet to high-tech crime and fraud. A major theme of the
story was the claim that the true level of internet crime is under-reported because banks fear
the negative consequences of consumers knowing bank security has been compromised. The
internet, it was reported, has delivered massive profits to banks through new business models;
they therefore prefer to absorb losses from fraud rather than publicise their own failings and
potentially damage their reputation. Mr McCusker also suggested that financial institutions are
7.89 Professor Broadhurst agreed that reporting of fraud is a 'sensitive area' and that banks
are reluctant to report and thereby advertise instances of fraud perpetrated against them for
fear it will damage their reputation. However, he believed there is a danger that an approach
premised on a false sense of security could ultimately see the problem worsen:
...if we let the mantra become, ‘We need to look like everything is fine...we are running the risk
7.90 However, Mr Zuccato told Background Briefing that, despite 'hundreds of millions of
dollars being defrauded', systematic disclosure of incidents of fraud is not useful for the average
consumer, because it does not enable or help people to understand that there are risks
You and I don't really need to know the extent of the crimes, the hundreds of millions of dollars
being defrauded, because it doesn't help...Speaking of how much is being lost doesn't really take
7.91 Further, Mr Zuccato considered that privacy issues prevent the publicising of data on the
...it would be remiss of us to publicise victims' names. So we wouldn't do that. What we try and
do is basically understand what's happening, work with people to try and understand the level
of the problem and then send the right messages to people so that they can take the
appropriate action.
7.92 However, this position was not supported by Professor Broadhurst, who argued that the
vulnerability of the internet to fraud requires a balance to be struck between allowing the
productivity and commercial benefits of the internet and ensuring that the system is sufficiently
important market. It is growing so fast. It is going to provide huge energy for productivity et
cetera. But, of course, it is a superhighway that does not have many patrol cars on it, and a lot of
the vehicles—the PCs and so on—that we use to drive on it do not have the appropriate safety
The corollary of [a reluctance to report online fraud]...of course, is that law enforcement cannot
effectively fight this type of fraud and this kind of online activity unless they are made aware.
7.94 The committee heard that, despite the apparent lack of compulsory reporting of online
fraud, there are moves afoot to furnish relevant police agencies with data on the incidence of
The government has taken a very holistic view...in that it is trying to work with both the banks,
as the owners of large systems which are on the internet, and with the users, as in you and me
7.95 Dr Dianne Heriot, Acting First Assistant Secretary, Criminal Justice Division, Attorney-
General’s Department, observed that the current approach to reporting online fraud offences is
7.96 Dr Makkai described the AIC's plans, following a specific-purpose grant drawn from the
proceeds of crime, for a survey that will rectify some of the present gaps in knowledge:
In order to improve our understanding of high-tech crime, the institute recently received funds
from the proceeds of crime to examine the extent and impact of computer security incidents
across all Australian industry sectors. This will be the first random survey of this scale and depth
in Australia. We have completed our pilot and are now proceeding to conduct the main survey,
which will be of approximately 20,000 businesses, but it will be another year before that is
7.97 The committee notes that the ACC is collecting information on banking fraud, following
the establishment of protocols or working arrangements that address the commercial concerns
of banks. The ACC is able to compel the provision of such information, overcoming the lack of
explicit reporting requirements on banks and financial institutions. Mr Boulton told the
committee:
...in the last few months the examiners have issued a number of notices to banks, insurance
companies and the like, seeking under compulsion...instances of fraud perpetrated against
those bodies. We are getting a lot of information coming back. The banks and insurance
companies like this method because, even though it is compulsory, it is also confidential. We see
that as a very big growth area...The extent of it is probably much greater than people realise.
7.98 Mr Jeff Pope, General Manager, Commodities, Methodologies and Activities, ACC,
outlined the recent process of collecting data on online fraud, and its high value to the ACC's
...we have formed some very productive relationships with financial institution and...issued
numerous notices in cooperation with these institutions. As a result...we have access...to over
200,000 [anonymous] data sets that are previously unreported incidents of fraud committed
against those organisations. When added to our current intelligence holdings and systems this
significantly enhances our ability to gain an understanding of individuals’ criminal activities,
their activities and, essentially, footprints of organised crime in areas that were previously either
undetected or that we only had anecdotal evidence of. We are finding it to be a very powerful
and successful way in which we can value-add to our intelligence holdings, but more importantly
7.99 The committee believes that the area of online banking fraud is expanding and will
continue to at a significant rate. This growth will in part be due to the increasing numbers of
consumers taking up and using this form of banking and the greater opportunities for criminal
While the committee appreciates that it is arguably not in the banks' best interests to publicly
report online fraud, it is ultimately consumers who are required to pay for the rectification of
this problem. Therefore banking consumers should be made fully aware of the potential
associated risks.
Recommendation 16
7.100 The committee recommends that the Commonwealth Government seek to ensure
the comprehensive and public reporting of online fraud, particularly within the banking and
finance industry.
Conclusion
7.101 The inquiry has identified a range of administrative and regulatory practices that
undermine current efforts to address serious and organised crime. Weaknesses were found in
the area of telecommunications, particularly in the inaccurate registration of mobile phone SIM
card users and the ability of VoIP to obscure the identity of its users.
7.102 The committee is concerned about the apparent instability of staffing in Australia's
police forces and the loss of skilled sworn personnel to the private sector. There appears to be
an opportunity for all jurisdictions to take a more coordinated and collaborative approach to the
7.103 This chapter also highlighted the need for a sound research and evaluation base in
addressing organised crime. The committee is concerned that online fraud is greatly under-
crime that are well accepted in other areas of the law and policing. If LEAs do not have a clear
picture of the extent of online banking fraud then their task of policing such activities is
rendered more difficult. Equally, if banking consumers are not advised as to the full extent of
risk around online services they are unable to make adequately informed assessments and
choices about which services and technologies to use. The committee notes that informed
consumer choice is often a powerful driver for companies to improve or make more secure their
7.104 Ultimately, the committee is concerned to ensure that LEAs, regardless of jurisdiction,
are well supported and equipped to tackle serious and organised crime. By addressing the
administrative weaknesses identified, the committee hopes that LEAs will be assisted and made
7.105 The following chapter examines the adequacy of current databases and suggests
Amongst the conclusion was that whilst Mandatory Sim Registration helps to a degree in combatting
crimes, there are factors that are just as equally important. These includes instability of staffing police
forces and skilled sworn personnel, the need for a sound research and evaluation base in addressing
organised crime, and addressing the problem of under reporting online fraud. The inquiry also pointed
out inaccurate information when registering Sim and the use of Voice over Identity Protocol to obscure
identity of users undermines the effectivity of Sim Registration in combatting crimes. 134 To summarise,
Mandatory Sim Registration helps in combatting crimes in Australia but it is not the decisive turning
point, and it needs further improvements in the law itself as well as other factors as improvement of the
134
Australian Parliamentary Inquiry (2007). Inquiry into the future impact of serious and organised crime on
Australian society, Chapter 7 - The adequacy of administrative and regulatory arrangements -
https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Former_Committees/acc/
completed_inquiries/2004-07/organised_crime/report/c07