A Kill Switch to Data Privacy Protection?
When Filipinos make laws, we put our own “Filipino flavor” into the law. Does it make the law more palatable to Filipinos or to the Philippine setting? Or does it leave a bad taste in the mouth?
The Philippine Data Privacy Act of 2012 (Republic Act No. 10173) aims to protect the fundamental human right of everyone to data privacy. The Philippines and its people give the highest degree of value to human rights and we share this value with all, regardless of nationality, religion, ethnicity or ideology. The Philippine Declaration of Human and People’s Rights before the Human Rights Osaka (HURIGHTS) provides:
“We, peoples of the Philippines, give highest value to the dignity and fullness of life of the human person and share a common aspiration for human rights—even as we speak different languages and dialects, profess different spiritual beliefs and uphold different ideologies.
XXX
We assert that human and peoples’ rights are our fundamental, inherent and inalienable rights to life, dignity and development. We recognize that these rights are universal, interdependent and indivisible and are essential to fulfill and satisfy our civil, political, economic, social, cultural, spiritual and environmental needs. They are what make us human.
XXX
6. We have a right to the security and privacy of our persons and our homes. The State shall respect and uphold our right to the privacy of communication, information, private transactions and affairs. The State shall ensure our freedom of movement and liberty of abode.”
In affording and upholding the protection of data privacy, the Data Privacy Act provides the criteria for the lawful processing of personal information, thus:
SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
The above criteria are self-explanatory and can be found in the privacy laws and regulations of other countries. However, before one applies the above criteria for processing personal data, one has to recognize that there are special kinds of personal data, or those under a special category.
Special Category Personal Data
The General Data Protection Regulation (GDPR) of the European Union defines a special category of data as a “term describing a sub-category of personal data that requires heightened data protection measures due to its sensitive and personal nature. In some jurisdictions, this type of personal data may be described as sensitive personal data. Controllers or data owners typically must satisfy certain requirements before processing special categories of data, such as obtaining data subject consent.”
The GDPR enumerates examples of Special Data or Sensitive Personal Data:
· Racial or ethnic origin.
· Political opinions.
· Religious and philosophical beliefs.
· Trade union membership.
· Genetic data.
· Biometric data for the purpose of uniquely identifying a natural person.
· Data concerning health.
· Sex life and sexual orientation. (Article 9(1), GDPR.)
To process special or sensitive personal data, at least one condition listed in GDPR Article 9(2) must be met, to wit:
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
The Philippines’ (Filipino-Flavored) Sensitive and Privileged Personal Information
In the Philippine Data Privacy Act, we have the so-called sensitive personal information, which is defined as:
(l) Sensitive personal information refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.
We also have privileged personal information, which is that found in the Rules of Court and other pertinent laws.
The GDPR category of special personal data is simple enough – it pertains to information which is deeply personal, such as a person’s race, opinions or beliefs (political, religious and philosophical), trade union membership, health/physical data (genetic, biometric) and sex life and orientation. What makes these data special is the fact that they concern only the person. Processing this category of data may involve profiling for no lawful purpose and may be discriminatory. Thus, the processing of special category data is prohibited.
The only allowance given to process special category data is very limited and must be followed to the letter, as provided in Article 9(2) of the GDPR.
In the Philippines, special category data is called sensitive personal information, which expands the GDPR special category to include social security numbers, a person’s criminal case or conviction, licenses or their denial, tax returns, and others that the Philippine Congress may deem sensitive in future legislation.
It appears that in adding Filipino flavor to special category or sensitive personal information, the Philippine Data Privacy Act lumped into one category both sensitive, deeply personal information and information which is part of public records, such as a person’s criminal conviction, tax information, etc.
How is a person’s sexual preference or religious beliefs categorized in the same vein as his tax returns and criminal case? The State certainly has the right and obligation to go after tax evaders and protect society against criminals, but placing one’s religious beliefs under the same consideration and under the police power of the State is downright discriminatory. Where is the “upholding to the highest level” declaration that the Philippines announced to its Asia-Pacific partner nations? Can the Philippines go after someone who has a different sexual orientation with the same zeal as it goes after tax evaders – and for what purpose?
Is the same protection that the GDPR accords to special category personal information present in the processing of sensitive and privileged personal information under the Philippine Data Privacy Act? Section 13 of the Data Privacy Act provides that processing of sensitive personal information is prohibited, EXCEPT in the following cases:
“SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.”
Emphasis is provided for subparagraphs b and (especially) f above for obvious and glaring reasons.
When we speak of fundamental human rights, we speak of the inalienable and inherent rights of a person for simply being a person or human being. They do not need a special law or kingly mandate to be made available to anyone, and are thus inalienable. In other words, they are not given to you and me, and as such, they cannot be taken from you and me. When a government makes a declaration on fundamental human rights, it is not granting human rights but merely declaring that it also observes the universal and fundamental human rights of everyone.
Data involving fundamental human rights may be processed under the norms of data privacy, but only with the person’s consent. The general and strict rule is that processing is prohibited.
The right to your own political and religious beliefs, to your preferred sex life, to health – these are all inherent to you as a person. These rights are not given by anyone, much less by a government of the people.
Why is it, then, that the Philippine Data Privacy Act categorized personal information, declared as part of fundamental human rights, together with the tax and criminal data of a person? Consequently, why did the law allow the processing of these special personal data in the same vein as when the government processes and uses the public data of a person? Is this not a glaring violation of the fundamental human rights of an individual?
Section 13(b) in the Philippine Data Privacy Act provides that processing of data involving fundamental human rights may be made as long as it is provided by existing law (as long as the law guarantees its protection), and as long as the law does not require the person’s consent. How can the Data Privacy Act do away with a person’s consent by the simple expedient of a law with regard to his or her fundamental right to data privacy? Can a person surrender his fundamental rights by the convenience of the law? Again, a law cannot take what it has not given in the first place.
The only safeguard of Section 13 (b) is when the law guarantees protection of a person’s special or sensitive personal information – but what does protection mean? Is an anti-virus or anti-malware in the processing system enough? Is the good reputation of a government worker processing the information enough? Is the government’s reputation good enough?
Section 13 (f) quoted above even goes beyond the relaxed allowance in processing sensitive personal information by providing the penultimate phrase that sensitive (special) personal information may be processed when the information is provided to government or public authority.
Human rights are inalienable, which means that they cannot be taken away from you. They cannot be surrendered to the government. In fact, the government has no business knowing about your special (sensitive) personal information. Anything less than the protection that must be accorded to fundamental human rights – to uphold their inalienability – is the definition of a human rights violation.
How does the Philippine government intend to implement Sections 13 (b) and (f) of the Data Privacy Act discussed above? The implementing rules and regulations of Sections 13 (b) and (f) provide the following implementing guidelines:
b. The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations: Provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data;
f. The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.
The above implementing rules and regulations reiterate what is in the law. In other words, the government intends to implement the law based on how it is worded.
We Filipinos like our adobo and we have different ways of cooking adobo in all the 7700 islands of the country. But no matter how one cooks adobo, it is still adobo, a Filipino adobo. Sections 13 (b) and (f) of the Data Privacy Law violate the law’s declared policy to protect and uphold the fundamental rights of everyone to data privacy. No matter how the law and its rules cook the wording of its provisions, it is still a human rights violation.