Applying Republic Act No. 10173, or the Data Privacy Act of 2012, in Our Day-to-Day Lives
In this era of Information Technology, it is very common for us Filipinos to make full use of cellular phones, be it for texting, calling, internet browsing, gaming or even posting “selfies”[i] on the internet, that is, pictures of yourself taken with your own camera.
A lot of us, if not all, even informal settlers who do not have real property[ii] legally registered in their names, have our own cellular phones.
It can be safely concluded that if you have a cellular/mobile phone, there is a corresponding mobile number that you are using, be it for personal, business or any other purpose you deem necessary.
With all these day-to-day activities on our cell phones, have you ever wondered whether you are already violating a law by using your cell phone or any information contained in it?
I think a lot of people can relate to the scenario discussed in this paper, which is:
“Is the act of a person, A, disclosing the mobile number of B to a third person, without B’s consent, considered a violation of RA 10173?”
I know we have this saying that even the finest lawyers will have a hard time answering or defending difficult questions of law, but sometimes the simple and basic hypothetical questions will give you a harder time explaining and searching for answers.
The hypothetical scenario is already stated above.
We now proceed to answer it and try to dissect the meat of the issue, which is:
Is the act of giving another person’s mobile number to another person without his/her consent within the scope of RA 10173[iii]?
The answer is in the negative if we base it on a normal circumstance, such as when your friend, classmate, cousin, etc. asks for the mobile number of a friend or acquaintance of yours.
The act of giving away another person’s number is not in violation of RA 10173.
We have to check the Scope of the said law.
Section 4 of RA 10173 states that:
“SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.”
It is basic knowledge in Statutory Construction that what the law does not include, it excludes, or as the Latin phrase states: expressio unius est exclusio alterius.
The rule of expressio unius est exclusio alterius and its variations are canons of restrictive interpretation. They are based on the rules of logic and the natural workings of the human mind. They are predicated upon one’s own voluntary act and not upon that of others. They proceed from the premise that the legislature would not have made specified enumeration in a statute had the intention been not to restrict its meaning and confine its terms to those expressly mentioned.[iv]
From the aforesaid scope of RA 10173, it can be deduced that the act of giving another person’s number is not violative of any law even if it was done without the consent of the person (in a normal and regular setting).
My answer will still be the same even if we put it strictly in the context of RA 10173 and the primary parties involved and defined under such law.
The law defines certain persons, such as the personal information controller and the personal information processor:[v]
(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
Even assuming these people disclose to an interested party the mobile number of another without his/her consent, it would still not fall under the prohibitions laid down by the law.
Personal information is defined as “any information whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information.”
It includes facts and figures about a person’s race, ethnic origin, marital status, age, color and religious, philosophical and political affiliations. Or practically his life story.
The most significant aspects of the law are: the procedures to be followed in the collection, processing and handling of personal information; the rights of data subjects; and the creation of a National Privacy Commission.
The law requires information collectors, holders and processors to follow strict rules on transparency, legitimacy and proportionality in the conduct of their activities.
Among others, the collection should be conducted for “specific and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only.”
Accuracy, relevance and essentiality of purpose must likewise be observed during the collection stage.
Inaccurate or incomplete data should be corrected, supplemented, destroyed or their further processing restricted.
The information can be stored only as long as needed for the purpose for which it was obtained, or “for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.”
Once collected, the information can be processed or used only if it is not prohibited by law and the person who provided the information (or data subject) has given his consent; if no such consent is given, the processing can still go on provided it meets the “necessity” test.
The data subject’s lack of consent will not bar the processing if it is related to the fulfillment of a contract with him or in order to take the steps he requested prior to entering into the contract.
It may also be conducted in the following instances: to comply with a legal obligation that the information collector has to obey; to protect the data subject’s vital interests, such as life and health; to respond to the exigencies of a national emergency or public order and security; and to serve the legitimate interests of the entity to which the information has been disclosed as long as no constitutional rights are violated.
In the latter cases, the processing is allowed to continue even in the face of the data subject’s opposition due to legal considerations (either on the part of the data subject or the party that collects the information) or in order to serve the greater interests of the public.
Such liberality, however, is tempered by the rights that the law gives to data subjects to protect their privacy.
They have the right to know whether their personal information “shall be, are being or have been processed.”
Before any such data are included in the collector’s information system, or at the next practical opportunity, they can demand information about, among others, the purpose for which it is processed, the scope and methodology of the process, the length of information storage, and the identity of the people to whom their personal information shall be disclosed. [vi]
In my understanding, mobile numbers are not considered sensitive personal information that needs to be protected by law, as they were never included in RA 10173.
If the authors of the law had deemed the act of giving away someone’s mobile number an intrusion on one’s right to privacy that needs to be protected or regulated, they would have specifically included or stated it in the law.
We still do not have any case about the scenario, but personally, I think the closest ground or legal basis, if you really want to sue a person for giving away your mobile number without your consent, can be found in the New Civil Code.[vii]
Well, that provision is for you to analyze and expound if you really want to file a legal action against someone who gave away your number without your consent.
Part of Art. 26 states that “Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons.”
Sounds logical to argue that, right?
But I will go overboard if I still discuss here the POSSIBILITIES of Art. 26 as a ground for legal action because it is no longer the topic assigned to us.
[ii] Art. 415(1), New Civil Code
[iv] Ruben E. Agpalo, Statutory Construction, (1990), pp. 160-161, citing the cases of Canlas vs. Republic, 103 Phil. 712 (1958); Lao Oh Kim vs. Reyes, 103 Phil. 1139 (1958); People vs. Aquino, 83 Phil. 614 (1949); Escribano vs. Avila, 85 SCRA 245 (1978); People vs. Lantin, 30 SCRA 81 (1969); Manila Lodge No. 761 vs. Court of Appeals, 73 SCRA 162 (1976); Santos vs. Court of Appeals, 96 SCRA 448 (1980); Lerum vs. Cruz, 87 Phil. 652 (1950); Velasco vs. Blas, 115 SCRA 540 (1982).
[v] Republic Act No. 10173, Sec. 3(h) and (i)
[vii] Article 26, New Civil Code