TECHNOLOGY AND THE LAW – R.A. 10173

4 Jul

TECHNOLOGY AND THE LAW

 A question related to Republic Act 10173 was raised: “Is the act of a person, A, disclosing the mobile number of B, to a third person, without B’s consent, considered a violation of RA 10173?” As a student of law, I may be able to give sensible insights pertaining to the stated question.

At first glance, this seems to be a trivial question; it is something nobody should mind as most people might have been guilty of this; guilty in the sense that probably many people are doing it; guilty but not in the sense that they are aware that there is a clear violation of the law. And now, having heard of this question, some may feel troubled or anxious because what appeared to be an innocent act — the simple granting of a request, or the simple giving of one’s mobile number — may have been unlawful after further consideration. I myself sometimes feel a little bit reluctant when somebody asked me for another’s mobile number. But this feeling of reluctance or uneasiness does not stem from the knowledge that I will be violating a law, but more on whether the giving of one’s mobile number without the owner’s consent is ethical. As we know, not because an act is legal, it is therefore moral; and not because an act is immoral does it mean it is illegal. Before this question may pose some panic to some, this may be a good opportunity to study the law and make some comments about it. This may be just a simple question, but this is an issue which needs to be viewed at or addressed from legal perspective. So before answering the issue before us head on, we need to determine the pertinent law to be scrutinized and applied, which is none other than Republic Act 10173.

Just to give a brief summary of how this act, Republic Act 10173, came into law, Senate Bill SBN-2965 was prepared and submitted jointly by some senate committees on September 14, 2011 with Senators Antonio “Sonny” F. Trillanes, Miriam Defensor Santiago and Edgardo J. Angara as  authors. They recommended its approval in substitution of SBNos. 355, 1908 and 2236, taking into consideration HBN-4115. On September 21, 2011, Senator Edgardo Angara delivered the Sponsorship Speech. On March 20, 2012, it was approved on the third reading with thirteen senators approving it while no one abstained or voting against the same. On March 22, 2012, it was sent to the House of Representative for its concurrence. On May 23, the Senate requested the House of Representatives for a conference on the disagreeing provisions of SBN-2965 and HBN-4115. On June 5, 2012, the Conference Committee Report was submitted to the Senate, recommending that SBN-2965 in consolidation with HBN-4115, be approved as reconciled. The next day or on June 6, 2012, the Conference Committee Report was approved by the Senate and then by the House of Representative. On July 19, 2012, the enrolled copies of the consolidated version of SBN-2965 and HBN-4115 was sent to the Office of the President of the Philippines for the signature and approval of the president.  And on August 15, 2012, President Benigno S. Aquino III signed it into law; thus becoming Republic Act 10173 – “An Act Protecting Individual Personal Information in Information and Communications System in the Government and the Private Sector, creating for this Purpose a National Privacy Commission, and for other Purposes,” or which is otherwise known as the “Data Privacy Act of 2012,″ which took effect fifteen (15) days after its publication in at least two (2) national newspapers of general circulation, as the law itself provided. (Taken from Senate website)

Now going back on the question, as rephrased, of whether or not the giving of the mobile number of B by A to a third person, without B’s consent, is considered a violation of RA 10173? It is my considered view that the answer must be in the negative. The giving of one’s mobile number to a third person without the owner’s consent is not a violation of RA 10173. And to explain my stand, we need to dissect the law as exhaustively as I can possibly make.

It may have been better if I could have done some research about the legislative intent or the legislative purpose or the legislative history of the law for us to know the intention of the legislature or the object of the law when the legislature enacted said law. Although inquiring into the legislative intent is but an aid to construction which should be resorted to only if the law is ambiguous, knowing the legislative intent somehow will give us an idea on what the law is about. After all, before the law is made into a written document, it started as an idea, probably a conceived solution to existing problems or would-be-existing issues which the legislature deemed necessary to address.

But as a rule in statutory construction, it is said that when the law is clear, it is incumbent upon the judge to apply the law, when the law is unambiguous and unequivocal, application and not interpretation thereof is imperative. So in interpreting or construing the law, I have to be reminded of the rules in statutory construction. The plain meaning rule or verbal legis states that when the statute is clear, plain and free from ambiguity, it must be given its literal meaning and applied without interpretation. So before even going after the very detailed legislative history, or before determining the legislative intent or the legislative purpose, I need to interpret just as what the law say.  As one Latin legal maxims states, “Optima statute interpretatrix est ipsum statutum.” The best interpreter of the statute is the statute itself. I will proceed now discussing my understanding of the law and why I said that the question confounding us today must be answered in the negative.

First and foremost, by the title alone, we can get some idea about the object of the law. It is said that the title of the statute serves as an aid in the construction of the statute. But title can be resorted to where there is doubt as to the meaning of the law or as to the intention of the legislature enacting it, and not otherwise. Stated differently, when the text of the statute is clear and free from doubt, it is improper to resort to its title to make it obscure. The title maybe resorted to in order to remove, but not to create, doubt or uncertainty. So seems not a good source of argument to start with.  (Note: Doctrines are taken from decisions of the Supreme Court as cited in the book of Ruben Agpalo on Statutory Construction).

Now looking into the “Declaration of Policy” which is found in Section 2 of said law, it is stated that “it is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” It further stated that “the State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.”

While the State aims to protect the right to privacy of individuals by keeping their personal information secured and protected, the State also recognizes that free flow of information is vital to growth and development of the nation. Meaning, while the State aims to secure personal information, it also recognizes that free flow of information is needed. The law states free flow of information, which I believe refer to any information, whether personal or not; since when the law does not distinguish, we should not distinguish. This only means that personal information can be transferred; whether there are conditions or qualifications to this, these we’ll have to find out.

Again, based on the “Declaration of Policy,” the State is only concern with particular personal information – personal information which is in Information System in the government and private sectors. The law does not intend to protect personal information to be found anywhere. The law only wants to deal with personal information in the information systems which are in the government and private sectors. The law defines information systems, which according to Article 3(f), refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document. Not only does the law stated that it concerns only with personal information in the information and communication systems, it further qualified that this information and communication systems are in the government or private sector. We all have an idea by what government means; but as to what constitute private sector,  we can simply refer to it as any entity, whether natural or juridical person, which is not a government entity. Consulting web-based dictionaries, private sector is defined as that part of the economy, sometimes referred to as the citizen sector, which is run by private individuals or groups, usually as a means of enterprise for profit, and is not controlled by the state. Seems the term private sector does not encompass all entities not controlled by state, but it is limited to refer to only those for-profit businesses.

So relating these definitions to the question we are dealing with, probably I should have qualified my answer; maybe it really depends; depending on where and how this personal information is being kept. But then again, we have not yet enumerated or stated what constitutes violation of this law although we all have some sort of an idea that the transfer or letting other know of the personal information of another may constitute a violation because that’s what the question seems to suggest. So referring to the law, Chapter VIII of the Act, containing Sections 25-37, sets down the penalties for specific acts which constitute violation of the Act. The law punishes the following: 1) unauthorized processing of personal information and sensitive personal information, which is found in Section 25; 2) accessing personal information and sensitive personal information due to negligence, which is found in Section 26; 3) improper disposal of personal information and sensitive personal information, which is found in Section 27;  4) processing of personal information and sensitive personal information for unauthorized purposes, which is found in Section 28; 5) unauthorized access or intentional breach, which is found in Section 29; 6) concealment of security breaches involving sensitive personal information, which is found in Section 30; 7) malicious disclosure, which is found in Section 31; 8) unauthorized disclosure, which is found in Section 32; and 9) unauthorized disclosure, which is found in Section 32.

From the foregoing list, although we have not yet define what processing mean, but to give an idea, Section 3(j) defines processing as “referring to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data”; it can easily be discerned that what we need to take note of are Sections 31 and 32. Section 31 states “Malicious Disclosure. – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).” Section 32, on the other hand, states “Unauthorized Disclosure. – (a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).” So we are quite sure that our issue as related to the question may be answered by these two aforementioned provisions of the Act. But then again, we are confronted with terms which need to be defined. We need to know who these personal information controller and personal information processor are.

Personal information controller as defined in Section 3(h) refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. Personal information processor, on the other hand, as defined in Section 3(i),  refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. It should be noted the Section 3(h) also provided that there are persons which are excluded from the definition; the definition excludes 1) a person or organization who performs such functions as instructed by another person or organization; and 2) an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

Now to review what we have understood so far, I conclude that what the law aim is that personal information should be kept secured and protected; that the law only concerned with personal information in the information and communication system in the government and the private sector; that there are certain acts which constitute violation of the law; that two of them, malicious disclosure and unauthorized disclosure, I believe are related to our main question; that of the two acts, the unauthorized disclosure seems to be the act nearest to the act subject of our inquiry; that only personal information controller and personal information processor are prohibited by the law to do certain acts and are the only ones directed to observe the law; and that not all persons seems to be included in the definition of personal information controller and so there will definitely certain people which cannot be prosecuted under this law. This only means that the answer to the question or to our main issue can still be qualified.

But taking a step back, reviewing my conclusion that only personal information controller and personal information processor are the only persons obligated to keep personal information of an individual secured and protected, it can be gleaned from the other provisions of the Act as they are both included in the definition of terms, and as mentioned earlier are found in paragraphs h) and i) of Section 3, respectively. Looking into other provisions of the law, under Section 4 which covers the scope of said Act, it was stated that the said Act “applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines,” subject to some instances in which this Act will not apply. Again in the last paragraph of Section 11, it was stated that “personal information controller must ensure implementation of personal information processing principles set out herein.” And yet again, in Section 20, which pertains to security of personal information, the personal information controller is again mentioned. So it may not be imprudent to conclude that only personal information controller and/or personal information processor are required by law to observe what the law mandated.

Now we dig into what malicious and unauthorized disclosures are all about. As said earlier, I am inclined to consider that we only need to focus on unauthorized disclosure because of the apparent congruence between the wordings used in the question raised and the wording used by the statute. The original question does not mention any malicious intent or the act being done with malice or in bad faith. So in resolving the issue, we should confine it with the premise that the giving was without consent, plain and simple. The applicable provision is therefore Section 32.  And based on the initial review of my conclusions made earlier, at this point, my answer may still be qualified. It may be qualified because “A” maybe a personal information controller or a personal information processor and that the mobile number was collected and stored in an information or communication system in the government or private sector. In that situation, “A” may be liable under the law. But if “A” happens to be a mere individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs, he may not be liable under the law. And since the question is worded by starting it with the word “Is,” then it is possible to qualify the answer. But have the question been formulated making it starts with the word “May,” the answer may be a resounding “Yes,” because if there’s any possibility of committing it, then, it is a “yes.” As we are nearing the very conclusion of my discussion, while some concepts or terminology used were clarified, seems we forgot to define what personal information is most important subject of the law. By defining personal information, we will only have one minor question left to finally resolve the main issue. That question is — “whether or not a mobile number is a personal information?”

Personal information as defined in Section 3(g) “refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.” While the law does not give any list or example of personal information, it listed, however, under Section 3(l), examples of sensitive personal information. Under said section and its said paragraph, it listed individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations as personal information. It also listed those which are about individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings. It further listed  those which are issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns.

As can be observed from those enumerations, we can say that personal information is anything which is inherent, innate, anything which an individual possesses since birth; or although acquired later in life, is such that it can hardly be taken away, or be parted with from said individual; such information which can be considered permanent, or even if not permanent, may be classified as historical, making such information as part of that person; such information which is able to identify that person being peculiar to him. Again, we can refer to Section 3(g) for definition.

So is the mobile number of a person can be considered personal information? To my mind, it is not, and therefore there is no violation of RA 10173 when someone make known the mobile number of another to a third person.

Just to give you some nice-to-know information, mobile number is technically referred to as MSISDN or Mobile Station International Subscriber Directory Number. It is the telephone number that is assigned to a mobile user. Although the statement says “assigned to a mobile user,” it does not in any way make it personal. From the acronym itself, there’s nothing personal about it. Well, I guess, it really does not make any valid and strong argument just by referring to its simple definition or by referring to its technical name, for one thing, we know lots of misnomer. But to drive a point, we can use the enumeration of sensitive personal information. Again, the list refers to sensitive and not to personal information in the general sense; but still, we can find commonalities among each item enumerated in the list and we can somehow conclude that the word “sensitive” is but an additional qualifier to an already clear classification of a certain set of things. Let’s take on first the individual’s race and ethnic origin. These are example of attributes, characteristics or qualities which are in-born, that any person cannot deny, and that any person can never change by whatever effort or force he may used. Same with color, although with the advances in technology today enabling a person to alter his natural appearances, still, this is not something one can totally eradicate. As to age, it changes, but it can be arrived at by reckoning from one’s date of birth. One may look young; looks might be deceiving, but a fact is a fact. Regarding religious, philosophical or political affiliations, they may not have existed since birth, but these things are acquired by a person throughout his lifetime, through the passage of time, through experiences or studies; and once embraced, may be hard to change or take away from that person. Even if changed, it may take a very significant event in one’s life or an unexpected twist of fate to make it happen. Regarding one’s health, education, sexual life, criminal records, disease, ailment or sickness; sickness or ailment may come and go, some may not even leave a trace; offenses may be served and after service one may lead a new life; academic performance may not be glorifying but one may find redemption in the end. But even though these things may have changed in the course of once activities, they are already part of the record of the person, whether written or not. Like civil status, a person may be single, and then once married, then annulled, divorced, legally or separated, and now he’s single again. So this status of him may even change in a very short span of time. But all those things are part of his record even if not actually recorded, they tell something about him, his relationships, his views and probably his way of life. And as to government-issued documents or effects like the SSS number, etc., they are personal because as citizen, one is supposed to have applied for one which he will possess until his death; no one can use the same after his death. They are necessary to be able to transact lawfully with the government or deemed necessary to be able to enjoy the benefits of a civilized society.

So why are they being protected and why does the State endeavour to keep them secured? Knowing this information may result to discrimination. Although we strive hard to fight for our freedom and to promote equality, the fact still remains that people perceive or look at other people not the same way as they look at themselves or the way they see their own people, kins, or their tribesmen. As to race and ethnic origin, people tends to isolate other people who they don’t consider as their own.  As for religious, philosophical or political affiliation, we know how history is shaped by the opposing ideologies. Wars were started not because of actual physical conflicts but because of difference between each other’s belief.  And in even in a seemingly peaceful environment, one maybe denied employment or admission in a club just because of his religious, philosophical or political affiliation. On one’s health or criminal record, it not that hard to imagine that people will turn away or will avoid people who previously contracted a disease, regardless whether it  is contagious or not, or whether completely treated or not; or people who had been convicted, whether such conviction be right or but an error of judgment. As to government-issued documents or effects, they can be used to perpetrate fraud as they served as to identify a person while transacting. So to summarize, this information needs to be secured as it may be the subject of ridicule or disdain, or discrimination disregarding the qualifications, capabilities or the attributes of an individual, even without reason or whatsoever.

Going back to the mobile number, I can say we cannot include it in this category. It is not permanent in nature. In fact, anyone can live even not having one. And even if one has it, that person can easily change his mobile number, especially if it’s a prepaid SIM. And even considering that it’s a postpaid, still, said subscriber can easily change it; even though a person subscribes for a particular period of time which is common nowadays (where a subscriber subscribes for a particular package or service binding him for certain period of time), it is not something that one will exert much effort to preserve. And I know that mobile numbers may be reused; after non-use for a period of time, said number will be available again and can be assigned to someone else.  So definitely it’s not really a personal thing. Neither does it form historical record, does anyway care enough to save a list of all the mobile numbers he happened to own during his lifetime?

Aside from that, what will be the effect when someone will know the mobile number of another? Does it really define who a person is by having that number? Mere knowing it does not give anyone real advantage over the other person. It’s not like that when someone knows the mobile number of a person, that someone will have undue influence controlling that person. Even if a person knows the mobile number and make that mobile number known to the whole world, I don’t think that the owner of said mobile number will feel embarrassed or ashamed or whatever it is that he might feel. Although such owner may feel some uneasiness, it is not because everyone knows something about him; it is only because he may receive unwanted calls or text messages or SMS; or in short it can be used to reach him to cause harm, not physical harm but maybe some harm which may target his emotions or mental state. It’s true that by knowing the mobile number of a person, one can have a means or access to that person, a means to abuse, attack, or embarrass that person. One may argue that that’s exactly the reason why a mobile number should be considered personal information because knowing a person’s mobile number will grant the holder of that information unwarranted access to a person. But while it may be used as a means to perpetrate an offense, this does not mean that it is personal information in character. To be used as a means is different from being the object of an offense or of an act or of unhealthy dealings. Then one may argue that SSS numbers is almost the same as mobile number; mere knowing it does not make one a target of untoward treatment. It might be true, but the difference is that, I don’t think that in a real legit transaction, one will seriously deal with another with only mobile number as the means to identify each other. So to sum it up, if there’s anything a mobile number does provide, it’s not identity but mere convenience. It was not intended to identify a person but just a means to reach him. And if ever it is required, then it is to have a means of exchanging information, and not to be treated as the very information itself.

With the foregoing, and seems all things are considered, I am of opinion that the giving of mobile number of a person to another person is not a violation of any right to privacy. Even if there can be a violation, it may be covered by another law but definitely not by Republic Act 10173. Or if there can never be any legal basis for one to be liable for such a deed, then liability may arise not out of law but out of moral obligation.

References:

Republic Act. 10073: http://www.gov.ph/2012/08/15/republic-act-no-10173/

Data Privacy Act of 2011 Legislative History: http://www.senate.gov.ph/lis/bill_res.aspx?congress=15&q=SBN-2965

Statutory Construction 5th edition, 2003, Ruben E. Agpalo

Advertisements

One Response to “TECHNOLOGY AND THE LAW – R.A. 10173”

Trackbacks/Pingbacks

  1. Students’ Take: Contacts viz RA 10173 | Berne Guerrero - July 6, 2013

    […] Ilao: [1] […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: