Data Privacy Potentially Grey?


The 1987 Constitution recognizes the right to privacy the constitution particularly stated in is Art. III or its Bill or Rights Sec. 2 The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized[1]. The framers of the 1987 constitution did not think that the 1987 would live for 27 yrs. Hence they never thought of internet privacy to be included in the Bill of rights they only included the right to be protected in their houses, papers, and effects against unreasonable searches and seizures and to be protected from warrants that are irregularly issued.

The new age is pure of technologies, pure of rapid change that a person born in the 19’s can almost never come up with society’s new found technologies such as new phones, gadgets, technologies and the like that’s why the 15th Congress in 2012 created RA 10173 or An Act Protecting Individual Personal Information and Communications Systems in the Government and the Private Sector (Data Privacy Act). The new legislation fills the void of the constitution and other laws.

The Data Privacy Act in its Sec. 2 or the Declaration of Policy It is provided that the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected[2]. It is the policy of the state to protect the right of every person to his privacy such as hic communication while ensuring the free flow of information and growth among the people of the Philippines. In connection with the 1987 constitution the data privacy act is the state’s answer to privacy which was left out in the 1987 constitution. Moreover, the data privacy act is a means of protection of individual personal data and communications systems in the Government and in the private sector.

According to Ms. Caroline Corro, the data privacy act has its own prominent characteristics they are;

  1. The law deals with the processing of personal information(Sec 3[g]) and sensitive personal information(Sec. 3[l]).
  2. It created the National Privacy Commission which would create the Implementing Rules and Regulations of the law.
  3. Personal Information may subcontract the processing of personal information. Provided that the information shall be liable for ensuring that proper safeguards are in place (Sec. 14)
  4. Data Subject has the right to know if their personal information is being processed. One has the right to request the removal of his data, unless there is a legal obligation that it be kept or processed ( Sec 16 and 18)
  5. If the data subject passed away or became incapacitated their legal assignee or legal heirs may invoke their data privacy rights ( Sec 17)
  6. Heads of Government must ensure their system compliance to the law. Personnel can only access sensitive personal information from 1000 or more individuals.
  7. Penalties of imprisonment ranging from three (3) years to six (6) and a fine not less than One Million Pesos (Php1,000,000.00) but not to exceed Five Million Pesos (Php5,000,000.00) shall be imposed on the processing of personal information and sensitive personal information based on the following acts:

a. Unauthorized Processing (Sec. 25);

b. Accessing due to Negligence (Sec. 26);

c. Improper disposal (Sec. 27);

d. Processing for Unauthorized Purposes (Sec. 28);

e. Unauthorized Access or Intentional Breach (Sec. 29);

f. Concealment of Security Breaches (Sec. 30);

g. Malicious Disclosure (Sec. 31); and

h. Unauthorized Disclosure (Sec. 32).

  1. An accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied if the offense is committed by a public officer (Sec. 36).[3 Carroline Corro]

Black, White or Grey?

Science is an exact art just like measurements it needs to be exact or a person drinking medicines or a anesthesiologist injecting anesthesia to his patient needed to be exact it needs exact decisions like on where to go black or white but there’s no answer that “let’s leave him like that”. Unlike law it has grey areas, areas which are not touched upon by the law itself and unlike any law the data privacy act also has grey areas that would probably tickle the mind of a lawyer on what argument to take.

The data privacy act provided in its Sec. 12[3] the Criteria for Lawful Processing of Personal Information.  The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

The law speaks of its criteria in processing of personal information a question of can a office clerk get the information of his co-worker if they have agreed upon a legal obligation then the co-worker did not appear as provided by the law (b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract[4]; settled is the rule on Obligations and Contracts become perfect it must conform within the following elements The obligation is constituted upon the concurrence of the essential elements thereof, viz: (a) The vinculum juris or juridical tie which is the efficient cause established by the various sources of obligations (law, contracts, quasi-contracts, delicts and quasi-delicts); (b) the object which is the prestation or conduct; required to be observed (to give, to do or not to do); and (c) the subject-persons who, viewed from the demandability of the obligation, are the active (obligee) and the passive (obligor) subjects. And in connection a contract is perfected by the Consent or meeting of the minds, determinate subject matter, price certain and its equivalent. Furthermore, would it include Online sellers in the obligation or contract? This is the First grey area,the contemplation and the parameters are not set by the law some would probably say “yes” it included because it is information necessary and is related to the fulfillment of the contract of sale between the online seller and the buyer for the  buyer to be cautious on the sellers identity, some would say “no” because it is private information and is not necessary for this transaction.

Second grey is which the law provided comes from Sec.12(c) which provides for the processing is necessary for compliance with a legal obligation to which the personal information controller is subject[5]; the law provided in sec.12 that at least one of the conditions exist for data processing be allowed the law specifically did not provide for what kind of legal obligation would it include paying of tax? If yes the BIR letter of Revenue Regulation 18-2013 provided relative due process rights of the taxpayers as provided for in  its Section 2 of RR No. 18-2013 amending Section 3 of RR No. 12-99 provides that upon the issuance of Preliminary Assessment Notice (PAN), the subject taxpayer may reply thereto stating its agreement or disagreement of the assessments on the said PAN, but subsequently be issued of Formal Letter of Demand and Final Assessment Notice (FLD/FAN) calling for payment of the taxpayer’s deficiency tax liability. Hence, such procedure renders the subject taxpayer’s reply pointless since whether he agrees or disagrees to the assessment, notice shall be sent calling for payment of tax liability, hence anent to the issue of due process. Furthermore, with this kind of obligation not paying our own tax responsibilities can the government get more information from us to forcibly pay taxes? This is one of the situational grey areas that the law is now experiencing. Most of the time these grey areas are questions thru a doctrinal cases that would answer the floating questions in our minds.


The law provided for in Sec. 13 (c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing[6]. Third grey area is the processing to protect life and health of the data subject, the most convenient thing to do is let the data subject know of the circumstances and in case he is incapacitated let his heirs know of situations that the data subjects data would be used. Hence, if not it is against the data privacy of the person who is able to give his consent. Moreover, nowadays fraudsters are now very patent some would just text the data controller that a certain employee had encountered an accident in which his life is in grave danger and he needs the information kept in the data controller. A grey area now occurs the data controller should let the heirs recorded there that he is going to give his personal data to someone who is also an heir to the family member who had an accident, so that the data would be given away easily and also to protect the interest of the data subject.

Fourth grey area of the law is phone numbers, without the owner’s consent can it be given away? According to the law processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Moreover,Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject[7]. According to Ms. Carroline Corro, Mobile Numbers alone cannot be considered personal information even put together with other information, it would not serve the purpose of direct identification of the person who owns said mobile number or phone numbers. Moreover, the processing of a mere number is a data per se that is considered to be within the boundaries of the Data Privacy Act. Moreover, on my take on this if phone number or mobile numbers are private my take is yes phone numbers are a very private information, as an individual we don’t see senators, congressman, the President and Secretary of the cabinet, the cabinet secretary and the like we don’t see them give their phone numbers or mobile numbers out in public but give other numbers why is this so? Because phone numbers or mobile numbers are a very private information that is not intended for the public to know. Hence, phone numbers and mobile numbers should be included in the data privacy act to be somehow private. Nevertheless, should be contacted by the data keeper if something happens to the data subject.

Fifth grey area which are contentious are Sec. 16(a) of the law  which provides for the Rights of the Data Subject. The data subject is entitled to be informed whether personal information pertaining to him or her shall be, are being or have been processed. How can the data controller inform me when I’m out of town when I changed my phone number without informing the data controller are some of the questions and situations that are grey for the law. Hence, isn’t to late if the data has already be given to others without 1st notifying the owner. What would be 1st his consent or the giving of his data to the other person.

Last grey area in question can be found on Sec. 17 or the Transmissibility of Rights of the Data Subject.  The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section. a question or a situation comes into my mind is what if the data subject left no heir or assignee? Until what degree is the data heir? Would it interfere with the rights of the dead? A situation if the data subject left no heir or assignee? Then subsequently they already got the information needed from the data subject? Would it be inviolable or violable to the right of the assignee himself? My take on this is the deceased data subject should still be respected and make all the necessary efforts to find an heir or assignee. The problem within the government system is every move that an heir would encounter is tax, take note tax is not a matter to be laughed to because, tax can be little pricier.


As a final point, the data privacy act is not a perfect law. However, it is a supplemental law that answers the lacking words or provision as provided by the 1987 constitution. The data privacy act though it faces many controversy and grey areas its just like any law which omits grey areas from time to time it is up to the Supreme Court to answer because they are the highest court of the land. In addition, we should all be vigilant in what information we give because, at some point in our lives that information may be stolen from us. Moreover, I don’t believe that the data privacy act would be prone for identity theft because of the penalty imposed by law as provided for in the law ranges from 5,000,000 to 2,000,000,000 Php. The lawmakers make it a point that we should all respect the privacy and the data of a person.



[1] 1987 Constitution of the Philippines

[2] RA 10173 An Act Protecting Individual Personal Information and Communications Systems in the Government and the Private Sector (Data Privacy Act). The new legislation fills the void of the constitution and other laws.

[3] Supra.

[4] Supra.

[5] Supra.

[6] Supra.

[7] Caroline Corro;

[8] Rosell, L., Tomarong-Canabano, S., 2012, Analysis: the Philippine’ Data Privacy Act of     2012

[9] Wordpres, 2012.

[10] Palabrica, R,.Data Privacy Act of 2012.















One thought on “Data Privacy Potentially Grey?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s