DATA PRIVACY ACT: WHAT IT ENTAILS

By: Gregorio M. Batiller, Jr.

In a digital economy, there is a tangible shift from owning physical assets to services that thrive on personal data. The world’s biggest and most influential corporations do not own their best products; instead, they have vast amounts of personal data which they have creatively harnessed for their profit. Uber owns no cars. Airbnb owns none of the spaces it leases. Amazon owns no physical stores. Rather, what all these corporations have in common is that they have turned their data into profit.

Clicks and likes seem innocuous and negligible, but in an ever-growing data-dependent world, companies are more likely to exploit any data gathered on you for their own gain. Take, for example, searches on Google: type in a few choice words such as “Restaurant”, “Italian”, and “Home-cooking”. A few moments later, you will notice that the advertising has been tailored to your most recent searches.

While these are all based on algorithms, creative minds such as those behind Uber, Airbnb, Amazon, and Google have created a digital economy with the information available online. Inadvertently, companies like Google and Amazon have made billions by accumulating voluntarily shared information. With credit cards, gym memberships, and social media platforms, the market demands that these corporations continue to find more ingenious products and services to cater to your needs, even before you know you need them. Clearly, data is this generation’s most essential commodity.

However, the abundance of data has also created a market for hackers, identity theft, phishing, and other real cybersecurity threats, ranging from ransomware to real concerns of delegitimizing elections. In response, the legal trend has been to shift accountability to any entity which uses and processes personal information for gain or for profit, rather than curbing and prohibiting the sharing of personal information.

Notably, European law has been at the forefront of data privacy laws. In an attempt to harmonize the member states’ laws on data privacy, they embarked on the General Data Protection Regulation (GDPR). Sometime in 2012, the Philippine Legislature passed R.A. 10173 entitled “The Data Privacy Act of 2011” in recognition of the need to protect personal information. Citing the inherent right to privacy and communication, “The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.” (Emphasis supplied) (Sec. 2, R.A. 10173)

Thus, the law regulates the processing of information. It defines processing as “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.” (Emphasis supplied) (Sec. 3(j)) With such a broad and exhaustive list of acts which are defined as processing, we must assume that once you deal with data, you are covered by the provisions of the Data Privacy Laws, along with the concomitant responsibilities to secure and protect any data under your control.

Generally, any processing of information must be done only with the consent of the data subject. Consent is “any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. xxx” (Emphasis supplied) (Sec. 3(b)) The NPC, citing the EU General Data Protection Regulation (GDPR), further clarifies that “[s]ilence, pre-ticked boxes or inactivity should not therefore constitute consent.”

Applying the right to privacy in today’s data-dependent world demands the recognition of a person’s right to be informed about the Information Gathered, the Purposes, Method of Processing, Period of Storage, and Details of the Recipients and the Processors of the Information, to enable them to understand the extent of their consent. (Sec. 16)

The law also recognizes the so-called lifecycle of data, from collection to destruction. Thus, it also mandates that when the data is no longer being used for the specified purposes, organizations are tasked with proper disposal. Of particular emphasis is that the law does not seek to prohibit the processing of any sensitive personal information and personal information; rather, it shifts accountability to entities to “secure” and “protect” data, by mandating the implementation of “reasonable and appropriate physical, technical and organizational measures” to ensure data privacy, such as appointing a Data Privacy Officer, crafting privacy policies, privacy manuals, and privacy codes, and conducting a privacy impact assessment. (Sec. 20) Clearly, it is not sufficient compliance to merely obtain consent; organizations must ensure protection of any data throughout its lifecycle, from collection to storage and finally to destruction.

The Data Privacy Act of 2012 embarks on a new area of regulation and protection in response to the growing dependence on information and communication systems. Organizations now have greater responsibilities and duties to all data subjects in handling their information. Data subjects, however, must be more circumspect as to how, where, for what purposes, and with whom they share their information. In an ever-growing digital world, we should also ask: with the wealth of personal information in the internet abyss, does Google understand us more than we understand ourselves?