“Hi. This is from (insert call center company name here). This is (name). You have been referred to us by Ms. (name of friend). Are you currently employed?”
I, personally, have received a lot of these kinds of calls, special thanks to my friends who have been applying in call centers, listing me down as one of their “referred persons”. Almost everyday, as a postpaid user, I would receive text messages offering housing and car loans. Also, there are times when someone would text me just to inform that they got my number from one of my friends. The common element in these situations is that my number was passed on from one person to another without my consent. I’m pretty sure that I am not the only one who has ever encountered something like this.
Experiencing this, do we have a remedy provided for by law?
DATA PRIVACY ACT
In our recent history, the country’s first data privacy law, R.A 10173 or more commonly known as “Data Privacy Act of 2012”, was enacted by the legislative in its aim to provide security and protection of personal information and data of both the private and public sectors. I will now provide the salient features of this law.
The Act recognizes the policy of the state to protect the fundamental human right of privacy and communication in promoting innovation and growth. Also it recognizes the need to secure the data of each individual especially in this time when information and communications systems are of utmost need for national development.[i]
Also, it mandates the creation of a National Privacy Commission to be able to implement and monitor the application of the law.[ii]. Also, it listed the conditions to allow data processing information which includes acquiring the consent of the data subject or when data processing is necessary for fulfillment of a contract with the data subject, compliance of a legal obligation, protection of the data subject’s vital interest, public order and safety or for the purposes of the legitimate interests pursued by the personal information controller or by a third party provided it is not overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.[iii]
The Act applies to processing of both personal information and sensitive personal information. The data subject, the one whose information has been processed, are afforded several rights including the right to demand information such as the source of info, a copy of such information, and how it is being used. The data subject may request for the removal of such data unless otherwise required for legal purposes.[iv]
One of the most important features is that the Act emphasizes the duty of Personal information controllers must ensure and devise processes to protect personal information and to comply with the law. Notification must be sent to the National Privacy Commission and the affected data subjects in case something inevitable happened to the personal data.[v]
Lastly, the law provided penalties for unauthorized processing, negligence, improper disposal, unauthorized purposes, unauthorized access or intentional breach, concealment of security breaches and malicious and unauthorized disclosure of private data and information.
Given the background of the subject law, the aim of this article is to assess the coverage of this act and to determine whether or not it can afford us a remedy in cases and situations mentioned earlier. Without prior consent from the data subject, will a person be liable if he passed on and shared the data subject’s phone number to a third party?
- I. The scope of the Data Privacy Act does not include individuals not involved in personal information processing.
The scope of R.A. 10173 covers two objects:
- Processing of all types of information
- Any natural and juridical person involved in personal information processing
First, let us discuss the aspect of personal information. Personal information is defined in the Act as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify the individual.”
Clearly, from this definition, we can conclude that a cellphone number can indeed be categorized as personal information. A cellphone number can easily be associated to a particular person and his identity may be directly ascertained, at least, by a specific part of the community the individual belongs to. More importantly, when put together with other information such as addresses, physical description, etc., the set of information would directly and certainly identify a particular person.
Although we have already established that a cellphone number is within the scope of R.A. 10173, the situation at hand seems to have not satisfied the second object under the scope of the Act. The law covers “any natural and juridical person involved in personal information processing” (Emphasis supplied)
An ordinary individual is not a personal information controller. He is not involved in controlling the collection, holding, processing or use of personal information. An ordinary individual is not involved in collection, organization, storage, updating or modification, retrieval, consultation , use blocking, erasure or destruction of data. The term is more apt to pertain to corporations, specifically Information and Communications System.
- II. IT IS NOT THE INTENTION OF THE LAW TO INCLUDE PRIVATE COMMUNICATION OF INDIVIDUALS
It is a rule in Statutory Construction that one should look at the minds of the legislator to arrive at the real meaning of the statute.[vi] Thus, it is necessary to evaluate the aim, scope and object of the whole act. One should consider:
- What was the situation before the law was passed?
- What is the reason for the remedy provided for by the law?
The law was signed into law in 2012, a year marked with advances in information technology. Technology has reached its heights in the form of social media and telecommunications. It is a situation where privacy in personal information and data seems impossible as people input and publicize their personal lives in cyberspace, readily available for everyone to see. Private information disclosed in trust by private individuals to companies can be made available to or accessed by interested parties.[vii]
The proponent of the law, former senator Edgardo Angara, states that the law mandates both public and private agencies and companies to protect the integrity and confidentiality of all the personal information “collected throughout their operations”. He added that the law will ensure the security of the Web and prevent leaks of confidential information of their clients. [viii]
Clearly, in this statement, the proponent of the law pertains to companies as data collectors and does not intend to include personal exchange of information among private individuals. The phrase “collected throughout their operations” cannot be applied to ordinary individuals because operations is “performance of a practical work or of something involving the practical application of principles or processes”[ix] and involves the task of “transforming inputs into desired goods, services or results, and create and deliver value to the customers”[x]
Also, the Republic Act 10173 serves as an answer to the fears laid down in the case of Ople vs, Torres[xi], wherein the suggestion for a nationwide computerized Identification Reference System was struck down by the Supreme Court due to the lack of protection in our country for personal information. This case involves the issue of national security and pertains to the basic rights of the people.
Lastly, the statute also states that in case of any doubt in the interpretation of the provisions of the act, it should be liberally interpreted considering the rights and interest of the individual about whom personal information was processed. If we are to interpret the provisions to include normal sharing of phone numbers to a third party individual, there would be arbitrariness in implementing the law as it does not intend to include private conversations among private individuals.
III. The right to communicate should not be curtailed
Even prior the passage of the Data Privacy Act, the Philippine Constitution and the Jurisprudence has recognized the vital importance of upholding the right to privacy and at the same time, upholding the right to communication.
The 1987 Philippine Constitution, Article III: The Bill of Rights, Section 3 (1), states:
Sec. 3 (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.
Sharing of another person’s cellphone number is not a wrongful act. Actual malice is not present by the mere sharing of one’s number as it is a normal act done by everyone and circumstances cannot always assure that the consent may be given prior the acquisition of the cellphone number. Even if the acquisition thereof serves as an accessory to a delict or a crime, still, it cannot be established that the mere sharing of another person’s number is punishable by law. In line with Rule 131 of the Rules of Evidence, the presumption of innocence and good faith must first be overcome to prove that a person acted with actual criminal malice.
In fact, even our laws and jurisprudence recognizes the right and freedom to communicate recognizing the principle of Privileged Communications. It is a defense against the element of malice and commonly applied to both libel and oral defamation. A cause of action must pertain to a delict or wrong committed by a person violating the right of another. In this case, I can see no wrong in disbursing another person’s number to a third party. To do otherwise will curtail the freedom of man to engage in productive and communication with their society.
The right to privacy is a basic human right most valued among other things that an individual may possess. Various protection for this right has evolved throughout the years. Laws were passed in aim to protect such right. However, we have to be mindful on how these laws should be effected and implemented.
As citizens of this country, we have the duty to safeguard our rights. We have to be vigilant so that these laws may serve their purpose and prevent leaders in arbitrarily applying it.
From time to time, we may experience instances wherein we feel like our privacy has been invaded. Personal information leaked may leave us vulnerable to fraud and dubious acts. With this, laws were passed so that the providers and companies to whom we have entrusted our personal information will be regulated, thus decreasing the chance of human rights violations, particularly focusing on our right to privacy. Let us not leave unto our legislators the task to protect our rights, let us also do our part to provide the checks and balance in running the affairs of this country.
[i]. An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for other Purposes (R.A. 10173)
[vi] Laurel, Jose Jesus. Statutory Construction: Cases and Materials, Rex Printing Company Inc., 1999.
[vii] Palabrica, Raul. Data Privacy Act of 2012, Philippine Daily Inquirer. August 31, 2012. http://business.inquirer.net/79534/data-privacy-act-of-2012. Accessed on July 4, 2013.
[viii] EdAngara.com. August 8, 2012. http://www.edangara.com/content/microsoft-regional-conference-angara-says-phl-needs-act-data-privacy-now. Accessed last July 4, 2013.
[ix] Operation [Def. 2]. (n.d.). In Merriam Webster Online, Accessed July 5, 2013, from http://www.merriam-webster.com/dictionary/operation.
[x] Operation [Def.] (n.d). Business dictionary.com. Accessed last July 4, 2012. http://www.businessdictionary.com/definition/operations.html#ixzz2YBDPHm9X
[xi] G.R. No. 127685, July 23, 1998
G.R. No. 127685 July 23, 1998