CURRENT SOCIETAL CONCERNS- PRIVACY
Elpidio V. Peria
22 January 2016
Privacy Commissioner Raymund E. Liboro (from http://www.notey.com)
Recently we were able to get a copy of the decision issued by the National Privacy Commission (NPC), a newly-created government agency by Republic Act 10173, the Data Privacy Act of 2012, in relation to its finding holding liable Commission on Elections Chairman Andres Bautista for violations of the law. This case arose from several incidents of hacking of the COMELEC website leading to the elections in May 2016, which was dubbed by Pierre Tito Galla, citing the cybersecurity firm Trend Micro, as “one of the biggest government-related data breaches in history.”
We do not have the time to make a thorough-going analysis of such decision but will give our initial impressions of what may appear to be a harbinger of future difficulties by other government agencies, organizations and individuals about the law and we are flagging down here in this blog posting the things we find troubling which should be eventually resolved all the way up to the Supreme Court, to protect the rights of individuals most especially, whose privacy is the one being protected by the Data Privacy Act in the first place :
1. One can be held liable for certain acts even if the implementing regulations as well as standards for such acts have not yet been promulgated by the National Privacy Commission (NPC)
In the Decision dubbed as NPC Case No. 16-001, the NPC took pains to explain that notwithstanding the lack of implementing regulations and standards on which to prosecute COMELEC Chairman Andres Bautista, they are still within their rights to hold him accountable, citing the case of SEC v. Interport Resources Corporation (G.R. No. 135808, October 6, 2008), which mainly held that : “the mere absence of implementing rules cannot effectively invalidate provisions of law, where a reasonable construction that will support the law may be given.”
This begs the question on whether absent those implementing rules, the law, Republic Act 10173, the Data Privacy Act, can be wielded upon those who don’t follow it and on this, the NPC, through Privacy Commissioner Liboro, held that :
“…In particular, the commission of any of the criminal offenses as defined by Congress does not depend on the presence or absence of implementing regulations. To hold otherwise would be to infringe on the legislative power to define crimes and their penalties. An administrative agency can only implement laws, no more.”
The troubling part of this ruling is that the NPC reserved for itself the right to determine whether criminal acts were committed not only before implementing rules and regulations about it were written up but also before these rules and regulations have been PUBLISHED, and basic administrative law requires that penal rules and regulations, of which the Data Privacy Act is such as it prescribes certain penalties, should actually be published first before prosecutions under the law can proceed.
Another issue which the NPC tries very hard to assert that it is within its mandate to do so is that notwithstanding the lack of standards it should be setting on which to assess whether compliance with the Act can be made, it can still find violations with such non-existent standards! This is what can be reasonably interpreted from a paragraph in page 17 of the Decision which reads:
The absence of any recommendation by this Commission does not leave the standard required by Sec. 22 inapplicable, just because there are no interpreting rules and regulations on the Data Privacy Act of 2012 setting out further recommendations on industry standards.
This is breathtaking braggadocio from a newbie government agency, this is an outright violation of any person’s, not only COMELEC Commissioner Bautista’s right, to due process, since, how would one know if one has violated a certain standard of behavior when one does not even know what those standards of behavior are?
2. A government entity holding data, even if such may only be an incidental aspect of its function under the law, may incur additional functions, upon the say-so of the National Privacy Commission
The NPC should be given credit for daring to challenge the Commission on Elections (COMELEC) a body created by the 1987 Constitution, but one’s instinct borne out of legal training is to examine the 1987 Constitution to see whether all these things that the Data Privacy Act is saying as part of the COMELEC’s duties is part and parcel of the body’s functions as set out by the Constitution and there in sec. 8 in part A on Common Provisions of Article IX on Constitutional Commission states that “Each Commission shall perform such other functions as may be provided by law.” Going through the NPC Decision, there is indeed Republic Act 10367, An Act Providing for Mandatory Biometrics Registration with a provision on data security in its section 9 and Republic Act 8189, the Voters’ Registration Act of 2006.
The question for other agencies without such additional functions established by their charters that created them, should they be made to take on those additional functions as may be set by the NPC, under the authority of Republic Act 10173?
3. Shouldn’t data breach be accompanied by actual damage before any cause of action may arise for its occurrence?
The NPC talked about data breach committed on the COMELEC servers, but, notwithstanding such breach, has any one of those in the database come forward to the NPC or COMELEC complaining about the actual harm or damage that has been suffered by them? There does not appear to be any one and if that is the case, then we have the situation envisioned in tort law called damnum absque injuria, or loss without injury, which means the law does not allow one to prosecute a case when one has not demonstrated some actual harm suffered. Maybe the NPC should open up a page in its website to facilitate the crowdsourcing of this inquiry and if that happens, then perhaps there could be a clear case of violation of the provisions of the law here.