Purpose & Relevance
The purpose of the paper is to look into RA 10173 or the Data Privacy Act of 2012 and explore the possibility as to whether the said law may help address the points raised by the Supreme Court in its decision in the case of Ople v Torres and, for purposes of academic discussion, may sway said decision as regards the establishment of a national ID system.
The introduction of RA 10173 which could potentially address the shortcomings of Administrative Order 308 as enunciated in Ople may help alter the Court’s as well as the general public’s acceptance of a national ID system which does not merely operate to establish a unified identification system but also with the potential of becoming a key part of an individual’s record of identity, while living or sojourning in the Philippines.
Nearly 15 years stand between the decision in Ople and the enactment of RA 10173. It is well to note that within that decade and a half, there has been a great leap as to how data privacy is viewed by the general public in terms of their openness in giving out personal information and how the courts now treat technology and its products as being more and more reliable or acceptable for use in its proceedings and decision-making.
Background in the Ople v Torres case
In July 23, 1998 the Supreme Court rendered a decision in favor of the petitioner, Senator Blas Ople, who opposed Administrative Order 308 issued by President Fidel Ramos establishing the National Computerized Identification Reference System, more popularly known as the national ID system.
Ople’s main contentions were that the national ID system lays the groundwork for a system which will violate the individual’s right to privacy and that its issuance is an encroachment upon the legislative powers of Congress not only due to the fact that it involved appropriations of public funds but more so because of its subject matter and scope.
The decision of the Supreme Court in favor of Ople, primarily on the right to privacy, centered on the Court’s strong apprehension as to the implications brought about by the AO 308’s failure to provide “what specific biological characteristics and what particular biometrics technology shall be used to identify people who will seek its coverage.” It also held that the purpose of the generation of the PRN or the Population Reference Number was not confined to the sole purpose of identifying each individual but may also be used for other things remotely related to the avowed purposes of the administrative order.
As can be gleaned from the decision, there was also a doubt as to the data integrity or how the records will be handled and protected from potential intrusions and misuse and as to how much control the data subject has over the information he gave to the data controller.
The dissenters were not as pessimistic as those who voted for the majority decision. They were not as threatened and did not see AO 308 giving the government the power to go so far as gathering data which could potentially work to the detriment of the individual by the apparent misuse or intrusion of the information by those who would have access to them.
Background in RA 10173
Signed into law by President Noynoy Aquino on August 15, 2012, RA 10173 establishes the National Privacy Commission responsible for ensuring that the privileged and personal sensitive information of an individual, also known as the data subject, will be properly handled by the data controllers and processors as defined by the law. Under this law, government agencies will have a linkage
The law provides guidelines as to how such information will be processed –including but not limited to such procedures as gathering, storing, retrieval, editing, and transfer of data. It also sets out measures as to the right of the data subject as regards the personal data she or he provided and her or his right to be informed of any process done with such information, subject to exceptions.
RA 10173 criminalizes any breach of the measures provided to ensure the privacy of the individual’s personal and sensitive information. It provides for penalties and imprisonment whether the prohibited act be done intentionally or through neglect.
RA 10173 vis-à-vis AO 308
RA 10173, however, does not have the same aim as AO 308 as its only concern is to set forth guidelines as to how sensitive personal information, once gathered from data subjects, primarily by the government, will be managed properly for the protection and peace of mind of said individuals. Unlike AO 308, it does not go so far as to establish a national ID system carried out through assigning each individual with a reference number and linking the different government agencies for ease of delivery of services to them by consolidating their voluntarily given personal records.
At best RA 10173 may be treated as a precursor to such a national identification system only with the preliminary purpose of laying the groundwork for ensuring integrity in data management and elimination of doubts as to possible intrusions and misuse of such data.
In fine, RA 10173 only concerns itself with the data gathering, storing and maintenance of its integrity during any process done to it with the ultimate goal of giving the individual confidence over the safety and privacy of any personal or sensitive information given up by her or him.
RA 10173 vis a vis Ople
On its face RA 10173 addresses one of the main concerns of the Supreme Court in the Ople decision: data privacy processing. Processing under RA 10173 “refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”
In the Ople case, one of the main apprehensions of the Supreme Court was that AO 308 did not provide who has control and access to the personal data and under what circumstances and for what purposes such data is to be accessed. RA 10173 addresses said issue by defining who a data controller and a data processor is in the event that sensitive and personal information would be taken from individuals and providing for their responsibilities in maintaining the privacy of such as well as their liabilities should they fail to conduct the proper procedures. Even the superioirs or heads of the National Privacy Commission may be held liable in some instances.
As mentioned above the law seems to define processing or data process as anything which may be done to the data. Knowledge and consent of the individual is vital all throughout any process done to his personal or sensitive information. Even the mere retrieval of the data has to be brought to the attention of the data subject, except for some general circumstances as when the data is to be used purely for research or statistical reports purposes.
Being able to stress the importance of the individual’s knowledge, consent and right as to the data she or he provided can help lessen the apprehensions as to the possible impact on one’s civil liberties as the individual would seem to have full access to her or his data and knowledge of what is done to it even after it has been collected from her or him. In relation thereto, care has to be taken that proper standards be set as to how under Subsection 2, Paragraph f, Section 20 of the law, “the Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.”
Allowing the personal infomation controller to be exempt from notifying the data subject, based on reasonable judgment, may lead to a slippery slope that could lead to a way for the controller, or the government for that matter, to escape responsibility with respect to the safeguarding of the privacy of data or from ever letting the data subject know that a process is being done. Such can render the purported respect for the individuals knowledge and consent upon anything done to her or his personal and sensitive information to be nugatory and of no value. It should be stressed that such case should only be allowed using the strictest of qualifications and may even require a court order or approval before proceeding with such.
If such a strict requirement can be established then perhaps RA 10173 may be said to have laid the foundation for other laws (or administrative order?) aimed at establishing a national ID system but only in so far as the apprehension involves data integrity and safety.
Other grounds for the Supreme Court’s decision in favor of Ople
Encroachment upon the Legislative Power of Congress
Whether the issuance of AO 308 is an encroachment upon the legislative powers of Congress or not would depend on how we understood AO 308. In the case of Ople it appears that there were two main things that the majority impliedly saw in the administrative order. First, that it is compulsory such that the government would eventually ask everyone to register and have a big repository of every activity and personal information that the data subject would give out to the government during every transaction she or he has with the latter. Second is that the national ID system would be a unified identification system containing extremely personal information brought about by the provision of the AO pertaining to biometrics technology. The dissenters however would hold the complete opposite.
If we are to follow the position held by the dissenters, an unassuming position that is, then we may have already realized the fruit of what they were contemplating AO 308 was about. The existence of the current Philippine Unified Multi-purpose ID is a linkage of various government agencies not just with the sharing of the information but also for the implementation of the project itself. It is initially aimed at using one identification card for transactions with any of the major government offices offering various services to the public. These include the SSS, GSIS, BIR, NSO and Pag-Ibig, with provisions of the “Uni-card” being used as a voter’s ID. It also involves biometric scanning such as the Automated Fingerprint Identification System (AFIS) as well as a Central Verification and Enrollment System that will have the data record of some pertinent personal information of the individual. It is not yet compulsory and not in lieu of all the other individual cards existing for each of the mentioned government agencies. It does not mean that if one does not have the Uni-card she or he will not be able to transact with any of the government agencies.
If this is the view we will hold as that national ID system contemplated by AO 308, there would seem to be no problem in holding that RA 10173 would address the apprehensions of the Supreme Court in Ople. Safeguards as to how the personal and sensitive information has been put in place and there seems to be no other intent but to unify the records system of the government for improvement of services.
If we are, on the other hand, to take the position of the majority in the Ople case, which deemed AO 308 as unconstitutional, we would be looking into the idea of a national ID card system more akin to that contemplated in the Identity Cards Act of 2006 in the United Kingdom. Such national identity reference system had provisions for the card to be used in lieu of a passport. It had provisions for the card and the central record system to contain fifty categories of information that the National Identity Register could hold on each citizen, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives and indices to other Government databases (including National Insurance Number) – which would allow them to be connected. The legislation on this resident register also said that any further information could be added.
A similar national identity card system had been proposed, largely debated, in many other countries – first world countries at that, but have miserably failed due to opposition mainly from different concerned groups, lawyers, activists and minorities. In the UK, the failure had also been due to the challenges faced during implementation with the realization along the way of the pros and cons and as to what extent it may really benefit a country, considering that for first world countries such is pursued primarily to combat terrorism and internal security issue which although the threat is on a daily basis, the actual occurence will never be as often and actual cost, although considerably high may not measure up. with an all encompassing national ID system which is too costly and too exhausting for a government to fully implement, cumpolsorily and completely and altering the existing and somehow working identification systems.
If the view we take as to what AO 308 contemplated would be that of the majority then we can conclude that RA 10173 is nowhere near in even partially addresing the Courts decision (only for academic purposes, of course) as it would seem that it is not the laying of the groundwork for data integrity and data privacy that is the most compelling of the apprehensions of the Supreme Court, and perhaps the general public.
The intent of laws or administrative orders aimed at establishing certain measures of identification for each member of the society, noble or threatening as it may appear, has yet to be truly effective in terms of application. Laying guidelines as to how data is to be securely kept and properly maintained would be the only requisite in a perfect world. Such improbable success in effective implementation has been proven even by nations who are deemed more technologically capable and who, in many terms, seem just capable to do so.
In reality, even though it was very well said in the ponencia that “as technology advances, the level of reasonably expected privacy decreases.” And that “The measure of protection granted by the reasonable expectation diminishes as relevant technology becomes more widely accepted” and even considering that more than a decade has passed since the Ople decision, and everyday we voluntarily give up many private, even real-time personal information as to our activities, likes and whereabouts through the various social media apparently part of our daily existence, when it comes to the government playing the role of facebook, twitter, pinterest or four square in taking care of our personal information, sensitive or not, we make a 180 degree turn as to its acceptability and the fun is suddenly gone.
Overall, it can be said that RA 10173 not being able to address the possibility of the issuance of AO 308 establishing a national ID system as contemplated by the majority decision in Ople is neither due to the AO’s lack of sufficient standard nor to its vagueness and not even due to the encroachment of the powers of the Congress by the President. It is ultimately due to the fact that it is the government who is to handle our personal and sensitive information. To this we are never ready. If its the government , we neither consider it as playtime nor fun.
(My research as to the national ID systems in other countries is not as detailed but I would presume that for now such an idea is only possible of implementation in countries such as China and Russia.)