Gray areas in the application of the Data Privacy Act

“Now the right to life has come to mean the right to enjoy life, — the right to be let alone.”

–          Samuel Warren and Louis Brandeis, 1890


The Information Age

It is true that the right to privacy is not something new to people. As seen in the quote above, the right to privacy or the right to be let alone dates back from the 1800s. This right however, keeps evolving and is continuously updated since the economy and the people keeps on inventing new ways to get information. There was a friend of mine who asked me “What is the greatest asset a person could have?” of course I answered money, love, and other assets that came to my mind, but of course I was wrong. The greatest asset is information! Bill Gates and Steve Jobs did not became the richest men because they created the ultimate gaming console that is the personal computer, they became rich because they knew that information is the greatest asset and through the personal computer, men will have information at the tip of their fingers.

Because of this information overload we are experiencing, many people in the world are having their privacies violated. Bad hackers are accessing private accounts, identities are being stolen, and a lot more ways. Thus we look into our current laws which may possibly hold penalties for these acts and if not, our legislature will then create laws that would. And through this, the Data Privacy Act of 2012 was created.


The Right to Privacy

The right to privacy is a right granted by the Constitution to the people. As stated by Justice Douglas: “Liberty in the constitutional sense must mean more than freedom from unlawful governmental restraint; it must include privacy as well, if it is to be a repository of freedom. The right to be let alone is indeed the beginning of all freedom.” Our right to privacy is well protected by the Constitution as stated in the following provisions:

–          Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.


–          Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.


–          Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

–          Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law.


–          Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.


–          Sec. 17. No person shall be compelled to be a witness against himself.


The Revised Penal Code also provides protection for the invasion of our privacy such as:

–          Anti-Wiretapping Law

–          The Secrecy of Bank Deposits Act

–          The Intellectual Property Code

These laws mentioned above are proof that though information may be obtained in numerous ways, there are laws created to protect us. The question is, why are there still instances where people invade other’s privacy and gets away with it? The answer to this question lies in the “gray areas” of these laws.


Identity Thief

There was this movie entitled “Identity Thief” wherein a girl named Diana live it up on the outskirts of Miami, where the queen of retail buys whatever strikes her fancy. She obtained unlimited funds by using the IDs of a man which she stole the identity from. The movie was indeed hilarious, but if it were true it wouldn’t have been funny at all. Think that everything you’ve worked for was just being spent by another individual who you don’t even know of. There are a lot of con artists in the world today and they are part of the reasons why there are laws providing for the protection of our private information. And this is also part of the reason why the penalties for such offenses are quite steep for not only could it affect your reputation but it also could or will affect your livelihood.


The Problem Industry

I was thinking of industries or jobs that might face problems with RA 10173. I also did some research and found out that almost all industries might get affected with this law since almost everybody needs contacts and information regarding natural and juridical persons, which are within the scope of RA 10173, who are in connection with their businesses. Such businesses needs to set up a system that would protect these information that are in their possession or they might be charged for violating the law.

However, there are jobs or industries that might fall within the scope of this law such as a private investigator (PI). A PI may be hired to get information regarding a certain person or company which they would present to their clients. In my own opinion, though licensed, a PI acquires information illegally for not asking for a consent from the individual whom they took it from. And their job is not included in the list of non-applicability as stated in Sec. 4 of RA 10173.

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a)  Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1)  The fact that the individual is or was an officer or employee of the government institution;

(2)  The title, business address and office telephone number of the individual;

(3)  The classification, salary range and responsibilities of the position held by the individual; and

(4)  The name of the individual on a document prepared by the individual in the course of employment with the government;

(b)  Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c)  Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d)  Personal information processed for journalistic, artistic, literary or research purposes;

(e)  Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f)   Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g)  Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

As for the consent, it is clear that consent is not or will not be taken as to the nature of their work. RA 10173 also provides for the requirement of the consent in SEC. 12(a) and SEC. 13(a).

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a)  The data subject has given his or her consent

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a)  The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing

In Sec. 12(a), it may or may not be taken but the other requirements, or at least one of them, must be present. On the other hand, in Sec. 13(a), consent is required and it will be deemed illegal if consent is not given.

Another industry is the bank industry. Private banking companies have a list of people’s information which according to RA 10173 is legal since it will be provided for the BSP. However, other banks somehow are getting hold of these information and keep them for their benefit. The main question here is: “Do we automatically give our consent to the bank when we signed the forms they require?” Is it considered a SPAM if credit card companies keeps on calling you and offering to be provided with their services?


Consenting to the Consent

As we can see, consent is one of the major factors that is affecting our privacy. Sometimes it is not even the other party who committed the wrongful act but the individual himself by signing an unread waiver. It is possible.

There are some companies that allows electronically made consents. These are agreements made and signed on the computer. Will these be allowed? An electronically made consent may easily become fraud and may cause a lot of problems with both parties. Although given the fact that an electronic signature may be accepted as an evidence as provided in the Rules on Electronic Evidence Sec. 2, it still cannot be a hundred percent sure thing that the signature is in fact real. Unlike an actual signature by hand, an electronic signature done on a computer is much less consistent to be the same every time. For example, our IDs like the driver’s license is required to be electronically signed. The signature appearing in the driver’s license will not look like the one signed in paper and that is for the majority of the people. So what are the ways that may ascertain that the electronic signature is really genuine and not a fraud? Maybe a call must first be done to consent the consent?


 Another Remedy!

The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data information regarding the person, family, home and correspondence of the aggrieved party.



The right to privacy is indeed a right protected by our laws, but our changing economy and the constant upgrades and updates in our information gathering tools provides such gray areas in our laws which should also be updated consistently to cover all the essentials. Be it as it may, though our laws cannot possibly cover everything 100%, its good to know that our government is catching up.



–          R.A. 10173, Data privacy Act of 2012


–          Gamboa vs Chan et al., G.R. No. 193636


Disclaimer: This blog are only ideas of a law student. 


One thought on “Gray areas in the application of the Data Privacy Act

  1. Pingback: Students’ Take: MCPIF (SB 53), Data Privacy Act (RA 10173) | Berne Guerrero

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s