CURRENT SOCIETAL CONCERNS
Elpidio V. Peria
27 July 2016
Mel Sta. Maria, columnist-broadcaster, AksyonTV5 (from http://interaksyon.com.ph)
Broadcaster-lawyer Mel Sta. Maria wrote in his column recently that the Data Privacy Act (DPA) of 2012 or Republic Act (RA) 10173 potentially serves to make ineffective the Executive Order (EO) on Freedom on Information (FOI) that President Rodrigo Duterte recently signed before he delivered his first State of the Nation Address last Monday.
While as a matter of general principle Atty. Mel is correct, examining closely the provisions of the Data Privacy Act and the recently-signed Executive Order would yield the following observations, which may be seen as reasons why the said law does not actually conflict with the FOI EO :
1. The concepts of “data privacy” in the law (DPA) and “privacy” in the FOI EO are different
While RA 10173 may not have defined the concepts of “data privacy” as well as “privacy”, these are two distinct concepts that operate for varying purposes and may be invoked through various means, with the more general concept of “privacy” not dependent on what the law dealing with “data privacy” provides.
“Data privacy” under RA 10173 involves personal information of individuals, without regard to their nationality, who are referred to in the law as a “data subject” and this “data subject” are provided certain rights in sec. 16 of the Act as regards the processing of their personal information while also providing for the security of personal information being processed and providing for accountability for the transfer of said personal information, among other noteworthy provisions of the law.
It can be conceded that even “privacy” as a solo concept is not as well defined in our laws, though in the 1987 Constitution, in the Bill of Rights in art. III, Sec. 3(1), it has a qualifier, like “privacy of communication and correspondence” and even the right in art. III, sec. 2 in the 1987 Constitution of individuals or citizens to be secure in their persons, houses, papers and effects against any unreasonable searches and seizures of whatever nature and for any purpose, is actually also a right to privacy in a broader sense, along with what the original notion of “privacy” is, when it was first articulated by US Supreme Court Justice Louis D. Brandeis and Samuel D. Warren in their famous Harvard Law Journal article in 1890 as the “right to be let alone.”.
Somehow, the FOI EO in its sec. 7, as referred to by Mel Sta. Maria, may be referring to this broad notion of “privacy”, not the “data privacy” referred to in the DPA. What this means is that the “privacy” in the FOI will operate under different rules and will not necessarily be affected by the provisions regarding “data privacy” in the DPA. However, if the implementing regulations of both this FOI and the DPA, and the National Privacy Commission, which implements the DPA, has been conducting nationwide consultations with its draft IRR of RA 10173, will have to be harmonized, the rules may be written as to when the broad notion of “privacy” which is in the Constitution and the notion of “data privacy” in the law, will apply and under what circumstances. As Mel Sta. Maria said, the devil is in the details.
2. The processing of personal information done under the DPA does not involve disclosure and public access to information on matters of public concern
What we as a “data subject” under the DPA should be watchful for is the “processing” of our personal information and that word is defined in sec. 3(j) the law as “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”
These acts are an entirely different character from disclosure and the giving of public access to information in the matter of public interest, thus the act of providing disclosure and public access to information in the FOI EO may not be considered the “processing” of personal information as contemplated by the law. Besides, the matters facilitated by the FOI EO, the disclosure and public access in the matter of public interest, are constitutional in character, part of the Bill of Rights of the People, dubbed as “the right of the people to information on matters of public concern”, as such rights emanating from the Constitution, they cannot just be nullified or qualified by the notion of “processing” of personal information provided for by the DPA. In other words, a law cannot be made to prevail over a provision of the Constitution. Such constitutional mandate cannot also be given an override by the FOI EO, since an Executive Order is usually considered a lower category of a regulation compared to a legislative act.
Putting the FOI EO and the law side-by-side, this is where Mel Sta. Maria is correct that, if not fine-tuned very well, the law, the DPA, may make ineffective the FOI EO, especially when the public official opposes the giving of access to personal information citing sec. 7(b) of the FOI EO where the public official may be unduly exposed to vilification, harassment or any other wrongful acts. Resolving this dilemma points us to our succeeding points below.
3. Sensitive personal information in the DPA does not include investigation into a public official’s alleged hidden wealth or wrongdoing
Delving further on the nitty-gritty of the DPA, there may be certain types of personal information whose processing is absolutely prohibited save for certain exceptions provided by sec. 13 of the law and we ask our readers to just consult that section for them to know what those exceptions are.
But looking at what may be considered as “sensitive” personal information, it also refers to “any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings.”
What this means is that if there’s any alleged hidden wealth or wrongdoing by a public official, which is what to be sought for disclosure by the FOI EO, the public official cannot simply allege they are sensitive as there has to be a “proceeding” first where such sensitive personal information may be involved. This “proceeding” which has to be a formal process, does not extend to any investigation done by a reporter, a researcher or anyone, to determine if there is such hidden wealth or wrongdoing. Besides, the DPA in sec. 4(d) does not apply to processing of personal information for “journalistic, artistic, literary or research purposes.”
4. The provisions on data privacy in the DPA do not apply to acts to which public officials have performed their tasks under their mandate and function
RA 10173 has expressly provided in sec. 4(a) that “information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual” is outside of the scope of the law, thus any such information about the acts of the public official on how he or she has performed his or her functions are not covered by the rights to data privacy provided by RA 10173.
When related to sec. 7(c) in the FOI EO, which states the following :
“any employee, official or director of a government office per section 2 hereof who has access, authorized or unauthorized, to personal information in the custody of the office, must not disclose that information except when authorized under this order or pursuant to existing laws, rules or regulation.”
what this means is that the DPA cannot be used to deny access to the information being requested, since the DPA has nothing to do with information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual . Instead, it is the implementing rules of the FOI EO that will deal with how this non-disclosure or disclosure of the public official’s personal information will be carried out and perhaps those rules should be written in a manner that does not defeat the people’s constitutional right to information on matters of public concern. Here, Atty. Mel is correct there can be further layers of rules that will subject the FOI EO to further limitations and contingencies, but that is not due to the DPA, but to the rules that will be further issued as stated in the FOI EO.
5. Civil liabilities arise from the violation of the general right to privacy, but in the right to data privacy, only “restitution” is possible, a remedy which is but one form of civil liability
The Civil Code in its art. 32, makes liable for damages any public officer or employee, or any private individual, who directly or indirectly obstructs, defeats, violates or in any manner defeats or impairs the constitutional rights of a person among which rights are the right to be secure in one’s person, house, papers and effects against unreasonable searches and seizures and the privacy of communication and correspondence.
What this means is that the public official concerned, whose right to privacy in the FOI EO is protected, can sue for damages anyone, including his or her fellow public employees, who may interfere with the public official’s right to privacy, the constitutional rights, but not the data privacy referred to in the DPA.
This right to sue for damages for violation of the said constitutional rights is a broad one, which is different from the right to restitution, mentioned in sec. 37 of the DPA, which is what is only provided for to those aggrieved by the implementation of the law.
Restitution, which is explained in art. 105 of the Revised Penal Code, refers to the restoration of the thing itself, which means a rectification of any error in the processing of personal information by the data subject and nothing else, though if a public official whose information may have been unduly processed under the DPA may invoke the penal provisions of the DPA and the accompanying hefty fines included therein, but given this is a special law, the general notion of damages, from moral damages, nominal damages, actual damages, exemplary damages may not be invoked when the public official is suing under the DPA.
In summary, the unqualified right to privacy may, at first glance, defeat the public’s right to information on matters of public concern but this must be distinguished with the right to data privacy which operates under rules provided by the Data Privacy Act (DPA). The DPA and the FOI EO do not outrightly clash, but the implementing rules of both the law and the Executive Order may need to be fine-tuned and harmonized to fully implement the public’s right to information on matters of public concern.
The passage of a law on FOI may have to await how these two measures will play out, so let’s have those implementing rules and implement them already so that we will all benefit from experience how they may be made to work with each other and the future law on FOI will be the means to resolve their possible areas of conflict, if ever there may be a real one.