Wednesday, December 5, 2012

OUR RIGHT to privacy




    In view of the State’s avowed policy to protect the human right of privacy of communication, Congress enacted the Data Privacy Act of 2012, which was approved by President Noynoy Aquino in August of this year. 

WHAT IS THE “DATA PRIVACY ACT OF 2012?

           The “Data Privacy Act of 2012” seeks to strike the proverbial balance between privacy of communication and the free flow of information by regulating the processing of personal information and generally prohibiting the processing of sensitive personal information subject to certain exceptions.
          
                 The law defines “processing” as “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”  While “personal information” is “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”  Examples of personal information would be one’s full name, social security number, telephone number, home address, parents’ names, and the like.   

            Personal information is considered “sensitive” if it is (1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and (4) specifically established by an executive order or an act of Congress to be kept classified.  The processing of these kinds of information is prohibited except in the instances specifically provided for under the law. 

            The law also enumerates the rights of a “data subject”.  A “data subject” is an individual whose personal information is processed.    

            Another significant aspect of the law is that it prohibits and penalizes the following acts:
(1)   The Unauthorized Processing of Personal Information and Sensitive Personal Information;
(2)   Accessing Personal Information and Sensitive Personal Information Due to Negligence;
(3)   Improper Disposal of Personal Information and Sensitive Personal Information;
(4)   Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes;
(5)    Unauthorized Access or Intentional Breach of any system where personal and sensitive personal information is stored;
(6)   Concealment of Security Breaches Involving Sensitive Personal Information;
(7)   Malicious disclosure of unwarranted or false information relative to any personal information or personal sensitive information;
(8)   Unauthorized disclosure of personal information;
(9)   A combination or series of the above acts

THE WILLING DATA SUBJECT

            In the information age, such as the one we are in, everybody could be or is a “data subject”.  The information age, so-called because of the proliferation of and rapid advancements in information and communication technology making information quite literally at our fingertips, moves members of the “Me” Generation to be willing data subjects.  In fact, what first struck me about this law is how much information we share on the internet that could properly be considered as personal and sensitive personal information.

It is very likely that one need not go beyond our Facebook page to know our full name, age, and marital status.  Just a little more snooping around someone's Facebook wall and you're bound to find out the owner of that wall's parents' names and where he/she went to school.  A few more hours on that same wall and I'm pretty sure you'll find there the exact date when that person was down with the colds or found out she had dengue.  You might even find that not a few netizens find pleasure in posting details of their sexual life.  These are all personal information and sensitive personal information that the Data Privacy Act of 2012 seeks to protect from the abovementioned acts.  And this is just Facebook, who knows how much more information we're sharing about ourselves on the internet?

The “Me” generation wants an “audience”.  We can justify our need to share these information on the World Wide Web.  We sometimes call it networking. We sometimes call it marketing.  We call it “keeping in touch”.   We call it being well-informed.  We can even call it a refuge from the stress of our everyday mundane life; after all, in the World Wide Web we are all celebrities. But it all boils down to the question, “what happens to the information we put out there?” An interesting line from an American series on the FBI's Behavioral Analysis Unit, “Criminal Minds”, is ominous, “THE INTERNET NEVER FORGETS”[i].

So yes, we may forget a lot of the things that we post on the internet but the internet won't.  What we put out there remains out there and we can hardly control how that information, which we so willingly shared with the world, will be used.

To my mind, in divulging so much personal information about ourselves and generally eradicating the line that separates the personal from the public, we are not just risking the unauthorized use of these information, we are risking our very own safety and security.  It doesn't need a tech-savvy criminal to find a way to use, to our detriment and harm, the information he/she can get about us off the internet. 

After several readings of the Data Privacy Act of 2012, the moving power behind the law finally sank.  And I found it quite unsettling to know that with the very information that I post on the internet I am thus making my life accessible to any Pedro or Juan who has access to the internet.

However, while I salute the government for recognizing this malady and trying to do something to protect its citizens, I get this nagging feeling that the government may have overstretched their good intentions and created a monster.

HOW DO WE POLICE THE WORLD WIDE WEB?

Does the Philippine government now have the sophistication to enforce the provisions of the Data Privacy Act of 2012?  Do they have in place rules and regulations that appreciate the intricacies of the internet and of social media?  If this law is any indication, I’d say the answer is in the negative.

If, say, we “Like” or “Re-post” a post on Facebook regarding a friend who announced that she had the colds, have we now committed an “unauthorized processing” of sensitive personal information, which act could subject us to “imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00)”?  With the wealth of personal and sensitive personal information on the internet how do we now ensure that our actions do not constitute a violation of the Data Privacy Act of 2012?  How do we ensure we remain within the bounds of the law?

Personally, I believe the law stands the test of necessity. I believe that there should be a law that protects our personal information.  However, I am extremely skeptical of its effectiveness in protecting the right it seeks to protect and penalizing the acts it seeks to correct. I will not be surprised to know that very few “data subjects” are knowledgeable of their rights under the Data Privacy Act of 2012.  I am also quite certain that, given our general lack of familiarity with this new law, taken together with the vagueness and overreach of the provisions, we could very likely be both victim and violator at the same time.  

Atty. Jose Jesus Disini, “a legal expert on information technology” himself, had this to say about the law, “it is difficult to understand what its saying, and I had to read it four to five times before I had a framework on how it works”[ii] (http://pcij.org).  If a known legal expert is having a hard time understanding the Data Privacy Act of 2012, I do not see how the billions of Facebook users and other netizens could ever be faulted for their lack of understanding of this law.  If “ignorance of the law excuses no one from compliance therewith” then we're in big trouble, my fellow netizens and Facebook/Twitter/other social media users.

It is true that rights mean nothing until we fight for them.  But how do we fight for a right we do not know nor understand?  It is quite possible that our rights under the law has already been or is currently being violated but without knowledge and understanding of our rights, we may be hard-pressed to enforce them and petition the government and the courts to bring the violators to justice.

Therefore, if anything, the law succeeds in inspiring vigilance over the information we put out there. However, the law is equally effective in discouraging the use or access of any and all forms of social media. Which brings me to an interesting point, the irony that is the Data Privacy Act of 2012.

KILLING THE RIGHT IT SEEKS TO PROTECT

The Dr. Jovito R. Salonga Center for Law and Development of the College of Law in Siliman University, in their website, defines the right to privacy as “the right to be left alone”[iii] (http://salongacenter.org).  Many netizens, however, might feel that it is exactly their right “to be left alone” which the law curtails.  Immersed as we are in this “Me” Generation wherein everybody is looking for an audience it might take a little stretch of imagination to understand why the information that the law seeks to protect NEEDS to be protected.

Furthermore, because of the vagueness of it provisions, its metes and bounds are not well-defined, so to speak.  This creates a dangerous scenario, possibly more dangerous than the evil it seeks to slay. Atty. Disini describes the law as “more encompassing” than the infamous “Cybercrime Law” “in how it regulates the flow of information.”

Thus, we find here a classic case of desiring one thing and achieving the complete opposite thereof.  While the moving spirit behind the law is commendable enough, if stripped to its bare policies the law could in fact turn out to be the very curtailment of the right its seeks to protect.

OUR FIRST LINE OF DEFENSE

Given the foregoing, I submit, therefore, that our first line of defense against the unauthorized access and use of our personal information is still the responsible use of the internet and social media.  It is our bounden duty as actors in the World Wide Web to ensure the security of the information we put out there.  It is first and foremost the duty of the source, the data subject. to make a conscious decision to sift which information is to be shared, to whom, how, when, and where.
Description: https://mail.google.com/mail/images/cleardot.gif




[i] Criminal Minds - Season 5, Episode 22: The Internet Is Forever; Original Air Date: May 19, 2010
[ii] http://pcij.org/blog/2012/09/28/cybercrime-data-privacy-acts-a-double-blow-for-netizens
[iii] http://salongacenter.org/2011/07/right-to-privacy/

No comments:

Post a Comment