CURRENT SOCIETAL CONCERNS
Elpidio V. Peria
17 July 2016
NPC DepComm Ivy Patdu in Davao City, 14 July 2016 (photo: EVPeria)
The quick answer to this is : because someone else will find some use about our personal data which we may not be even aware of and those who may use our personal data will find ways to make the data valuable to them either by knowing a lot more about us so they can sell us their products or our data is combined with others like us and these are shared with others for a fee or it may be used for their own surveillance purposes or it may be involved in unsavory activities like identity theft or other cybercriminal activities if they got our details online. Finally, if we’re not bothered with data privacy, then the law that’s supposed to prevent these things, the Data Privacy Act or Republic Act 10173, which even gives us some rights which we should be aware of since it is ours, will be a useless piece of legislation.
In developed countries like those within the European Union, people will even demand their government to negotiate a data transfer deal with the US on how their personal data will be handled and used by Facebook or Google, companies based in the US which deal with a lot of personal data, since the Europeans look more at their privacy rights as part of who they are, compared to the Americans who don’t have that kind of outlook on their personal data.
These are my reflections from the consultation held in Davao City last 14 July 2016 by the National Privacy Commission (NPC), co-organized with the Foundation for Media Alternatives (FMA), on the draft implementing rules and regulations (IRR) of Republic Act 10173, the Data Privacy Act, a law that was passed in 2012, but the Commission was only formally organized in March 2016 when then President Aquino appointed the Commissioners who will implement the law.
The consultations on the draft implementing rules and regulations are on-going and any Filipino citizen concerned about his or her data privacy should make their views known to the NPC, and it seems the deadline for any one, including those who read this blog, who would like to make their views known on the draft regulation may email it to firstname.lastname@example.org. Al Alegre, the head of the Foundation for Media Alternatives, said the deadline where comments can be made is until 25 July 2016.
Having attended such consultations, here are some of the issues discussed that we Pinoys concerned about their data privacy should be bothered with, because these things are on-going without us noticing them even if we are not immediately affected or harmed by it :
1) The NPC cannot yet deal with social media entities as personal information controllers
In the informal exchanges before the start of the consultations, a participant asked Deputy Commissioner (Dep.Comm) Patdu whether Facebook, twitter or other social media accounts are covered by the concept of “personal information controllers”, this is the body which makes decisions on what information is collected, or the purpose or extent of processing and against them, the ordinary Pinoy, who is referred to in the law as a “data subject”, will have some rights that the controller will have to be mindful of lest they be subject to certain penalties or indemnities. Her answer which seems not a straightforward yes or no is that this will be dealt with by the NPC later as their concern at this stage is to have the law implemented and they will deal with the peoples’s issues on data privacy in social media at a later stage. How social media deals with the personal data of Filipinos is important since Facebook is facing privacy lawsuits in other countries and the Filipinos who are avid users of this platform need to be aware how to protect the privacy of their personal data.
2) There is a very recent data breach that just happened, involving the Filipino voter’s sensitive data, and the COMELEC has been subject to the orders of the NPC to remedy such breach and notify those whose information have been exposed.
Just after the May 9 elections, news came out that some 55million Filipino voters and their personal details have been exposed by a hacker who broke into COMELEC servers. What happened is called in the law as a data breach and the COMELEC is already under orders from the National Privacy Commission to send information to each Filipino voter that certifies there has been a data breach such that if said Filipino voter may be involved in an illegal online activity without the person knowing it, then that certification can be presented and the voter may be freed from liability.
3) We need to be wary of giving our consent by way of filling up forms done by private companies in the guise of enabling us to join raffles, contests and the like
Consent, according to Dep.Comm. Patdu, is an important principle in the Data Privacy Act that makes the processing of personal information lawful, and in fact she wants this done in an express manner. A participant asked if consent can be construed from people who participate in contests where they give out their personal details and such person is now swamped with regular text or SMS messages advertising a product or a service, perhaps something should be done about it. She made a point that somehow, those private entities gathering information in exchange for some service is something that they cannot just regulate. Maybe if the abuse is intrusive such that it affects the serenity of a person, like, those telemarketers who got your information from such raffle schemes, and they call at unholy hours like siesta or late night, then perhaps it may be something that the NPC may look into.
4) There was a concern raised on meta-data, and the NPC and most participants thought this need not be mentioned in the IRR.
A participant asked for clarity if meta-data, defined by Merriam-Webster as data that provides information about other data, should be included in the IRR though DepComm Patdu said that to the extent that they are related to the personal information of the data subject they are already included in the concept of personal data, since in the IRR, personal data which is found in the IRR and personal information, which are found in the text of the law, are deemed interchangeable.
The issue about meta-data may not be immediately apparent and indeed meta-data would refer to a broad set of data some of it does not relate outright to a person, but we can cite an example where metadata about a person is gathered regularly, like when a person uses a cellphone to make a call, and when that call is made, information about where the person is making the call is gathered so that the telecommunication company can make the connection and complete the call. According to Prof. Stephen Wicker, of Cornell University, the information gathered through that call, like knowing where you go, down to the level of street addresses, can reveal a lot: your job, your religion, food preferences, what kind of car you drive, where your kids go to school and which medical specialists you visit, to name just a few possibilities, and while this may not be an obvious problem, something should be done such that telecommunication companies should not retain information about a person’s location (the meta-data) more than what is necessary, or perhaps later the NPC may also delve on what kinds of anonymizing technologies (technologies to enhance the anonymity of persons being tracked) may be used to protect such person’s locational privacy.
5) Surveillance in the name of human security and anti-terrorism are modified, but surveillance through CCTVs are to be addressed later
The law which created the NPC specifically amended sec. 7 of the Human Security Act which allows a police or law enforcement official upon a written order of the Court of Appeals, to listen to, intercept and record, any communication, message, conversation, discussion, or spoken or written words between members of a judicially declared and outlawed terrorist organization, association, or group of persons or of any person charged with or suspected of the crime of terrorism or conspiracy to commit terrorism though how the amendment is to be carried out is a matter for the IRR to clarify, but another innocuous technology that should be subjected to privacy audits or guidelines are the CCTVs that are installed in schools, malls, street corners, even private buildings.
On the matter of surveillance technology, the NPC may want to develop further Helen Nissenbaum’s concept of contextual integrity which clarifies when violations of privacy will happen especially when the norms of context and norms of flow or distribution are violated (see also BITS in bits post on this dated 2 November 2014). BITS Policy Center made a presentation on this to an FMA-organized workshop last year during the 2nd National Privacy Consultative Conference 2015, held in Quezon City.
A point was also made in the consultations on how the NPC may go against the PNP or other agencies that deal with the surveillance in the name of anti-terrorism actions but a suggestion here was made that perhaps the NPC may tap the writ of habeas data by the Supreme Court to hasten corrective actions on unnecessary or needless surveillance.
6) Companies are concerned about the costs of encryption that are gradually being imposed on them, but it seems no one is bothered they make money out of people’s individual data set
A participant from the business of dealing with health information raised the issue of creeping regulation from the NPC which may eventually put additional burden or costs on their businesses which they will have to comply with. He also pointed to the already increasing costs they incur in setting up encryption technologies (these are technologies that make access to the data difficult, and costly, as those who want to open the data set protected by encryption are subjected to various algorithms that are difficult to crack using normal computational prowess), so he urged the NPC to go easy on the tendency to issue regulation on matters that may not necessarily be subject to regulation.
Reflecting on that point, but those creeping costs should be the burden of the health information processor, after all, they are making money out of people’s data, they should not be complaining as much; rather, they should instead consider sharing the benefits of using the data to the people who provided the data in the first place.
7) There is confusion about data sharing and data use and this should bother the ordinary Pinoy since at the end of it, someone will definitely earn money out of the Pinoy data subject who gave out his or her data
This last point is related to the previous point – given that businesses will make money out of the data subject, or the person, then perhaps in addition to ensuring that these are protected from breach, some amount of benefit may be shared to the person, since, after all, the information or data pertaining to the person is being “used”.
A point was raised in the consultation about whether data “sharing” or “use” should be the word placed in the IRR. The problem with the word “sharing” is that it is not a concept found in the law itself, and while the IRR is supposed to clarify ambiguity in the law, it should not be introducing concepts that are new or are themselves subject to further ambiguity. This is the case of the word “sharing”. What we have in the definition of the word “processing” is the inclusion of the verb “use” and nowhere is the word “sharing” found in what “processing” of personal information is all about. Perhaps the IRR should just build on the word “use” and definitely the idea of data-sharing is an activity encompassed by the word “use”.
All this boils down to the clarification of who actually owns the data, and while this may not have been explicitly spelled out by the Data Privacy Act, since sec. 16 of the Act mainly talks about basic rights of the data subject, the person, who has been transformed into a data set, all these rights in said provision emanate from the fact that the person, or data subject, is the owner of all the data being used. Is the IRR prepared to clarify this? We hope they would, since this will ensure that benefits will have to be shared by those who will use the data, similar to the concept in the utilization of genetic resources and associated traditional knowledge that is laid down by the Nagoya Protocol under the Convention on Biological Diversity where fair and equitable sharing of benefits is mandated when there is such utilization of the genetic resources and associated traditional knowledge.