A Threat to Privacy (The BSP Memorandum M-2021-059)
On November 2, 2021, the Philippines Central Bank (Banko Sentral ng Pilipinas) issued Memorandum M-2021-059 with the subject Information Sharing for Fraud Investigations mandating BSP Supervised Financial Institutions (BSFIs) and their clients to “cooperate and share relevant information to third parties, such as other financial institutions, payment gateway providers, third party service providers and law enforcement agencies, among others in the conduct of fraud investigations. Information which may be shared/disclosed to the said parties, include, but are not limited to:
Name
Home/Delivery Address
Email Address
Mobile or other contact details
Bank/financial account information
Bank/financial transaction details”
According to the memo, the BSP sought clarification and advice from the Philippine National Privacy Commission (NPC) with respect to information sharing for fraud investigations, and the above mandate is justified on the basis of NPC Advisory Opinion No. 2021-026, to wit:
· Sec. 13 (f) of the DPA which allows processing of personal information for the protection of lawful rights and interests of natural or legal persons shall apply to sharing of relevant information for fraud investigations; and
· The above processing does not require an existing court proceeding, and thus, will not necessarily require a court order.
Finally, the BSP assures everyone that: “In sharing the above information, BSFIs should ensure that the basic data privacy principles of transparency, legitimate purpose and proportionality are adhered to. Moreover, an existing court order or proceeding is not a pre-requisite for information sharing to happen.”
This BSP M-2021-059 runs counter to the fundamental human right of everyone to data privacy, and to the exact letter of Philippine laws - the Data Privacy Act of 2012 and the Bank Secrecy Act. The grave implication of this memorandum also exposes financial entities, including banks, that have dealings with and clients from other countries to hefty fines or penalties: the General Data Protection Regulation (GDPR) of the European Union imposes more stringent conditions on the sharing of personal and special-category data and provides for large penalties for violations of data privacy rights.
The Philippine Data Privacy Act of 2012 (Republic Act 10173)
A person’s data privacy is a fundamental human right which must be respected and kept free from governmental or institutional interference, with very few and exacting exceptions.
In handling a person’s data, the DPA of 2012 mandates the following:
· The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality (Sec. 11);
· Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection (Sec. 11 [a]);
· Processed fairly and lawfully (Sec 11 [b]);
· Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted (Sec. 11 [c]);
· Adequate and not excessive in relation to the purposes for which they are collected and processed (Sec. 11 [d]);
· Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law (Sec 11[e]); and
· Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed (Sec. 11[f]).
It is assumed that the financial institution handling the person’s data processed them in accordance with the above requirements of the law.
Under the subject BSP memo, the financial institution is now mandated to share their clients’ data under the exception provided in Sec. 13 (f) of the DPA of 2012. This section provides:
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
The BSP memo and the referenced NPC Advisory Opinion No. 2021-026 interpret the above quoted Section 13 (f) as follows:
a. Sec. 13 (f) of the DPA which allows processing of personal information for the protection of lawful rights and interests of natural or legal persons shall apply to sharing of relevant information for fraud investigations; and
b. The above processing does not require an existing court proceeding, and thus, will not necessarily require a court order.
It seems, with all due respect, that the BSP Memo and the NPC advisory opinion contradict Section 13 (f) of the law, since the processing of personal information for the protection of the lawful rights and interests of other persons or entities applies only in court proceedings, which means that there is an existing case and the concerned court has ordered the processing of specific data of a specific person or persons who are parties to said court proceeding. It does not allow a wholesale sharing of all personal data of all the clients of all financial institutions in the Philippines.
It should also be noted that the BSP Memo and NPC opinion mandate all financial institutions to breach the data privacy rights of their clients for purposes of fraud investigations. In other words, this breach of data privacy is mandated for a simple fishing expedition, which is an abhorrent intervention in and interference with a person’s human rights – a right guaranteed by the UN Convention on Human Rights as well as the Bill of Rights of the Philippine Constitution.
It is worth noting also that the BSP is more than aware of the Philippine Bank Secrecy Act (Republic Act 1405) which provides for the confidentiality of bank deposits, thus:
Section 2. All deposits of whatever nature with banks or banking institutions in the Philippines including investments in bonds issued by the Government of the Philippines, its political subdivisions and its instrumentalities, are hereby considered as of an absolutely confidential nature and may not be examined, inquired or looked into by any person, government official, bureau or office, except upon written permission of the depositor, or in cases of impeachment, or upon order of a competent court in cases of bribery or dereliction of duty of public officials, or in cases where the money deposited or invested is the subject matter of the litigation.
The Philippine Constitution, the Data Privacy Act of 2012 and the Bank Secrecy Act address precisely what the BSP memo and NPC advisory seem to contravene. A mere BSP memo and an NPC advisory opinion hold no power to revoke, amend, or revise a basic human right, a constitutional guaranty, a law on data privacy and a law on bank secrecy.
So, knowing that its memo-mandate is contrary to the laws, the BSP shifts the responsibility (risks, exposures and millions in penalties) to the financial institutions by advising that:
In sharing the above information, BSFIs should ensure that the basic data privacy principles of transparency, legitimate purpose and proportionality are adhered to. Moreover, an existing court order or proceeding is not a pre-requisite for information sharing to happen.
In other words, the BSP mandates banks and other financing institutions to make all of their clients consent to the disclosure and processing of their information by making them sign a legal document to this effect. Is the BSP ordering financial institutions to violate the constitution and the laws? Surely, the BSP is not doing this. Banks, their officers and lawyers know better.
Should banks and other financial institutions follow this BSP memo, are banks willing to lose clients, especially foreign clients, to follow a memo? Is the Philippines willing to lose billions in investments to satisfy a memo? If a client happens to be a resident of a country of the European Union, are banks willing to pay at least 20 Million Euros in fines just to follow a memo?
The Data Privacy Act and other laws protecting a person’s data are designed so that entities, whether natural or juridical, handling the data protect them at all costs, with few exceptions. The Data Privacy Act is addressed to the data processor as much as to the data subject. As such, data processors are mandated to put in place physical, technical and organizational safeguards to protect the person’s data. Thus, to address fraudulent incidents in the financial sector, all cybersecurity measures must be ramped up rather than conveniently asking the people to surrender their right to data privacy.
The state, or its institutions, desires to exert more control over or interference in the affairs of private citizens. This unlawful interference is what the constitution and the laws try to prevent. The human right to data privacy should not be surrendered for the convenience of a mere fraud investigation. Alternative means to discover or investigate fraud must first be exhausted, and even after they are exhausted, a mere memo or “please” would not suffice.