“Man is least himself when he talks in his own person. Give him a mask, and he will tell you the truth. - Oscar Wilde

Friday, July 20, 2012

An Assessment of Philippine Senate Bill No. 2965

The Data Privacy Act of 2011 (Senate Bill No. 2965), was approved by the Philippines Senate on its third reading on March 20, 2012. As of July 10, 2012, enrolled copies of SBN 2965 has been sent to the House of Representatives for the signature of the Speaker and Secretary General.
Senator Edgardo J. Angara, the sponsor of the bill, stressed that the main intention of the same “was to generate confidence in IT-BPO, e-governance and e-commerce in the country."
Thus, it it stated in Section 2 of Chapter 1 of SBN 2965 that “(i)t is the policy of the State to protect the fundamental human right of privacy of communication. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
The proposed law is comprehensive. The terms as used in the bill are clearly defined. Section 4 provides for intra and extra-territorial scope of application, as well as specific limitations. Further, it provides for the creation of a National Privacy Commission (NPC), the functions of which are enumerated. Moreover, the proposed law provides for when the processing of personal information shall be allowed, what may be processed, how the same shall be done, who shall be accountable, and the penalties for the violation of any provision.
The rights of the person whose personal information is processed or a data subject are plainly established. SBN 2965 also devotes separate chapters on security of personal information in the private sector and the security of personal information in government, with an emphasis on the responsibility of the heads of agencies.
Other salient features of the proposed law are as follows: (a) private entities and the government are mandated to protect the integrity of personal information; (b) the use for journalistic, artistic, research and law enforcement purposes  is not covered; (c) the Department of Justice (DOJ), and not the NPC, has the authority to prosecute and impose penalties; (d) the non-liability of a sub-contractor; (e) the right of a data subject to be informed when personal information pertaining to him or her shall be, are being or have been processed is indisputably established; (f) non-applicablity to processing of personal information for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject; and (g) liability of responsible reporter, writer, president, publisher, manager and editor-in-chief for breach of confidentiality resulting in the publication or reporting of personal information by the media, among others.
The proposed law would be beneficial to different groups, i.e. (a) employees/personnel (or internal customers), whose records are kept by the company for the purposes of employment; (b) external customers, especially of BPOs whose business include the processing of customer information, who are generally of a foreign character, e.g. credit card companies, banking institutions, telecommunications provider, medical firms, and the likes; (c) stakeholders in the IT-BPO industry because of the projected growth in investment; (d) the government who will benefit from the projected revenue increase and the advantages of e-governance; (e) the labor sector because of the increased workforce demand, and others.
However, SBN 2965 has its flaws, albeit only minor ones. The provision on the non-applicability of the proposed law to the use of personal information for journalistic, artistic, literary or research purposes is absolute and may be abused. The NPC has no direct power of enforcement, and in the event that there are violations, it may only recommend the prosecution and imposition of penalties to the DOJ.
In the case of the members of the Commissison, experience in Information Technology is not a mandatory requirement for the selection of a Privacy Commissioner, nor is the experience in the practice of law. Moreover, the number of the members of the Secretariat is not fixed.
In any case, pending the promulgation of the implementing rules and regulations of the Data Privacy Act of 2011, it is premature to assume that the abovementioend flaws, or any other existing defect, will not be addressed.
Another cause for concern is the penal nature of the offenses in violation of the Data Privacy Act of 2011, considering that most of the personal information is stored in electronic format, and that Section 2 of Rule I of the Rules on Electronic Evidence (A.M. No. 01-7-01-SC) provides that the Rules “shall apply to all civil actions and proceedings, as well as quasi-judicial and administrative cases” and consequently not to criminal actions. No less than the Supreme Court has expounded on this in the case of Ang vs. Court of Appeals and Sagud (G.R. No. 182835, April 20, 2010).
Lastly, it still cannot be ascertained whether the proposed law will encourage IT-BPO industry expansion or curtail growth because of the stringent requirements. Or if the government has the resources or is capable of setting up the resources in order to comply with the standards set by the bill. All those remains to be seen once SBN 2965is enacted into law.