Situational Grey Areas of R.A. 10173 the Data Privacy Act
What are Grey Areas?
Grey Areas are those which the laws do not provide for a firm resolution to a problem. It allows for interpretation by counsels to which judges may hear on the matter and decide accordingly. When two or more scenarios of conflicting view arise, and each view may be defended or towed in hand by the same law or jurisprudence, this leaves a grey area on the matter. The grey area is equivalent of an ambiguity as to the enforcement or interpretation.
Personal information is defined as “any information whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information.”
R.A. 10173 or the data privacy act was made for the protection of individual personal information and communications system in the government and the private sector alike. The state sees to protect the fundamental right of privacy and communication while ensuring that innovation and growth are not curtailed. The National Privacy Commission was created under the act, in order for the commission to oversee the following of the guidelines set forth and to allow that privacy amongst individuals and the governmental system remain. They also administer and implement the provisions of the act, and monitor and ensure the compliance of the country with international standards set for data privacy protection.
In 1980, the Philippines became a member of the WIPO, also known as World Intellectual Property Organization. It became a signatory to a number of important multilateral international agreements and treaties for the promotion and protection of intellectual property rights.
R.A. 10173 or the Data Privacy Act provide for the scope of application. Section 4 of the Data Privacy Act state:
“SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with”;1
Section 3 gives the definition of terms used in the act, to wit:
“SEC. 3 (j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data”.2
RA 10173 in its sense protects right of privacy guarantee upon by the constitution for each individual or entities or a governmental system. A problem however arises for the application of which. Does the act apply to a private individual in his personal capacity? The law is silent on the matter. It is imperative for us to learn the boundaries up to which such sharing or exchange of personal data is in violation of the data privacy act of 2012.
Say that a class beadle collects personal information of his classmates for a particular subject. And it so happens that some of them are also his classmates in a different class, to which he shares with the appointed beadle the personal information of those he know. Does he violate the data privacy act of 2012?
The law is silent on the matter as to its applicability on such manner. It is obvious that the act curtails the distribution of personal data for commercial purposes without the knowledge and consent of those involved, and it prevents the invasion of privacy of individuals or entities. This is an ambiguity to the law for which a clear and firm stand on the matter has not yet been established.
In this regard do we consider a class beadle as a Personal Information Controller? Section 3 (h) of R.A. 10173 provide:
“(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.”3
Does the beadle fall part of the first exemption as he is instructed by the professor to control the collection of personal data of his classmates? Is the professor an employee of the school to which personal data of students are collected; to with the school becoming a Data Information Collector?
One may contend that the beadle is exempt from the scope of the law. It may appear that where a professor appoints a class beadle, he delegates some duties of a Data Information Collector delegated upon the professor by the school who employs him.
On the other hand, one may contend that the beadle in his own right is a Data Information Collector as he himself does things described of one. The Beadle controls the collection, holding, processing or use of personal information of the class as he is the person assigned for the dissemination of information forwarded to him by the professor.
Another beadle situation would be when after the semester for which the use of the collected data information of the class has completed, and the beadle fails to delete the contact details of his classmates for which he has no more use of it and the permission as to the use of those have already lapsed. Is that beadle liable for the violation of R.A. 10173 the Data Privacy act of 2012?
No duration of the use or collection of data has been clearly established under R.A. 10173. The simplest way to determine the duration of the use of the personal information obtained by a Data Information Collector is by determining whether purposes for obtaining such information has already been accomplished and its necessity has seized. Section 16 provide:
“SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
XXX (7) The period for which the information will be stored; XXX
XXX (e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; XXX”4
this shows that the law do not provide for a strict duration as to its applicability. Applicability often times differ on a case to case basis. Different actions arise from different situations presented upon each circumstance. The law leaves it up to the parties involved, to use their prerogative in discerning whether the need of use for the information taken has seized, or for which it was taken for has already been accomplished. For whatever reason, the data subject has the right to be informed of the status and condition of the use or processing of his data information.
For the reason that R.A. 10173 or the Data Privacy Act of 2012 was made to safeguard the rights of individuals, entities, corporation or juridical persons, it is also imperative to show the limits of its application so as not to impair other rights. As there are not much jurisprudence to be relied upon in trying to understand the law, we are left unsure of some situations to which sides may be argued, and no firm answer may be given.
Suppose some alumni were to gather for a home coming or a reunion, data information for those to attend were given to the organizer, and trough a common friend transfer of information happened. Do these transfer of information violate the Data Privacy Act?
Where transfer of such data information for the purpose of getting back with old friends and reaching out to them is the intent and purpose of such exchange or transfer, do they not still violate the Data Privacy Act? When read on its face, it may appear that such is the case.
The law does not distinguish as to the intent of exchange, transfer, or acquisition of data information, but when done without the knowledge or consent of the individuals involved, such Data Information Collector, in the face of the law, is violating the Data Privacy Act. The law may not be made to be that way, but where the lawmakers who drafted such do not qualify or allow for exemptions, the law will be read on its face. It may sound unfair to go penalize a person for wanting to get back in communication with an old friend or acquaintance; and it may or may not be the case, but the matter as to how these should be interpreted should first be settled. The drafters of the law left it vague as to how it is really to be construed. One may argue that, the act committed do not violate the context of the law when it does not include commercialization. But that is still one area to which the law is silent on. Never was there any indication in the law that such data information transfer, to be violated upon by a Data Information Collector, must be used for commercial purposes or business.
Even in the context of commercialization or business, does it always follow when a Data Information Collector share personal information of another without the consent of or knowledge of the latter, he violates R.A. 10173? Picture a Data Information Collector who have in his possession, records of personal data of members of an organization who are of different professions. Where the Data Information Collector might share to a third person personal information of one of the members of the organization for the purpose of referral, is there violation of the Data Privacy Act? Say a lawyer’s information was given to a person in search of counsel to represent him, name, age, address, contact number, school from which he came from. Does this in essence violate R.A. 10173? The sharing will eventually lead to a commercialized benefit on the part of the lawyer to which information was given to a third person without his knowledge, but it was of his advantage, does this still violate the Data Privacy Act of 2012?
Will the referral of one person of personal information of some doctors he personally know be in violation of R.A. 10173 the Data Privacy Act of 2012? Even in the purview of commercialism, the intention of a person processing data information need not be ascertained. Such act, by the literal interpretation of the law, is in violation of the Data Privacy Act. But is this what the drafters of the law wanted to happen? Is this not a nonsense curtailment of the rights which the constitution has granted its citizens and residents?
R.A. 10173 was enacted to protect rights of individual, entities, juridical persons, and the governmental system. The law should be read in favor of preserving such rights and not the curtailment of it. But the vagueness of the context of the law make it difficult to ascertain to which the scope of the law shall apply and to which unsettled or unknown situations it may be applied to. Not having qualified to what extent the law may be applied, or not having clear and concise directive guidelines on how to determine the extent of applicability of the law in ascertaining the controllers intention of purpose as to the processing of data information, the vagueness of the law cannot be firmly grasped.
Such complexity in trying to understand a law in which its major points are vague. The law did not further discuss on its applicability. It did not further explain how the intent of parties involved may differ from one to another. These vagueness of the law, allow lawyers to try and interpret word of the law depending on which party they represent. These vagueness may allow for judges to decide upon new jurisprudence which will form part of the laws of the land. But these, are all subject to interpretations of men, not on established doctrines, laws, or jurisprudence.
Is the removal of names of victims of rape and their family members or closest of kin a violation of the Data Privacy Act? Where public documents are supposed to be kept intact, are all those cases decided upon prior to allowing the removal of the names of rape victims in violation of R.A. 10173?
Where an autobiographer without consent, made an autobiography of a famous person, to which personal information was provided for in such, does he violate the Data Privacy Act? Where public figures are involved, to what extend does personal data information extend to?
At this age, we all know that fans of famous personalities follow the person they look up to and try to acquire every detail possible. In a situation wherein fans gathered all the information acquired of the celebrity and pooled all such information and distributed them to other fans as an autobiography, do these fans violate the Data privacy Act?
In the same manner that every situation call for a case to case analysis, none can really be ascertained of the right of wrong remedy or answers. Where there are no firm and established guidelines as to the execution of the law, some parts of it may always be left in the dark. In as much as we would like to apply the law to protect the privacy rights of every citizen and promote growth and innovation among each other, we could not stray away from the wordings provided for in the law.
Where the law does not qualify as to the scope of application as to ascertain the intent of the data collector toward the processing or exchange or sharing of such data information, we cannot deviate from the wordings provided for in R.A. 10173. It is not provided for on how to tackle the grey areas to be encountered in the future. Nothing in its words say that such law must be read along with the purview of commercialism. Where the law do not provide such, we cannot make assumptions or make our interpretations on how the law must be applied.
In the years where technology and commercialism goes hand in hand, the use and processing of data information supposedly private are easily accessible to more and more people. For the right price or the right trade, data information had been a commodity. R.A. 10173 or the Data Privacy Act was enacted to prevent unwanted distribution, use or processing of personal data information without the consent of the parties affected.
R.A 10173 is a declaration of policy. The law seeks the free flow of information to promote innovation and growth. It is essential that personal information in the government and private sector’s information and communications systems remain secured and protected amidst the free flow of data information.
In the context of the law, one who shares or processes data information of another without the latter’s consent even in his private capacity is in violation of R.A. 10173. The law never qualified for the scope to which it would apply. Whether it be used for commercial purposes or in a private capacity, the law does not distinguish. To share, use, or process data information in a private sense should in essence not violate the act. The law was enacted to protect the rights of individuals, governmental system and juridical persons alike, not to tighten the grip of innovation and growth of the people. Nor was it enacted to curtail the rights of the people for which our constitution has provides for the people to enjoy.
The law have its flaws. Some aspects as to its scope and application do have grey areas. Consequently, to fully grasp the intention and application of such cannot be attained until the court provides jurisprudence towards grey areas. This can only happen when controversy arise and be acted by parties. The Data Privacy Act of 2012 was enacted to protect rights. But does it now somehow tighten some fundamental rights granted upon us by our constitution? Your guess is as good as mine.