The Tulay’s Dilemma: A Look into the Data Privacy Act and Phone Numbers

Would the act of giving another person’s number without his consent violative of Republic Act No. 10173, more commonly known in its two year existence as the Data Privacy Act? A short question no doubt but it nevertheless is a complex one that should be discussed and a clear answer thereto be established. Sadly, short questions are prone to long and weaving answers. An absolute answer of “Yes,” or an unqualified answer of “No” can only be uttered once all the facts relative to the question of law have been established and all the other factors are certain. A famous law professor’s famous law professor once bragged that she passed the bar simply by writing only two words at the beginning of each and every answer: “it depends.” This problem is no different. The answer depends on a number of factors obviously not established in the question as it is worded. This article will serve as an exposé of those factors and how they affect the final answer to the simple query above.

In our vernacular, a tulay is a person who “bridges” the hearts and minds of two friends together into the harmonious and oftentimes complicated process of love and limerence. I will be using a group of friends, A and B, and the object of B’s (or their) obsession, C, as well as a third party, D, in giving examples of the crimes I will be discussing here. Now, bridging two people together may be done in a  variety of ways but one of the most common in today’s high tech world is by the sharing of phone numbers of the tulay’s single friends to his or her other single friends, phone numbers that are, nowadays, almost as sacred to a person as his or her name. A simple set of otherwise unrelated digits are converted into means by which people connect, interact, even build entire relationships with simply by these numbers’ input into a telecommunication device. These phone numbers are undoubtedly a part of the owner’s identity, a part of the information that make up the owner’s collective “data,” or simply a part of the owner’s “personal information.” Republic Act No. 10173 defines “personal information” thus:

“(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.[1]

While under the Act, a phone number is not a “sensitive personal information[2]” of the “data subject,[3]” except when it falls under the fourth sub-paragraph of paragraph (l), nevertheless, it is clear from the foregoing definitions and from the declaration in Section 4 of the law as to the scope thereof that a phone number is covered by the law under “personal information” as it is defined.

Consent defined.

From the provisions of the Act, one can see that what will determine whether the act of “giving a person’s number without his consent” will depend on these factors: (1) the nature of the job and the duties arising therefrom of the one who gives the phone number; (2) the nature of the job and the duties arising therefrom of the one who receives the phone number; (3) the existence of malice in the acts of the giver and the receiver; (4) and the authority of these persons to give the phone number. But before all the above mentioned factors should be discussed, we should first define what is meant by the word “consent.”

Consent in law is used in a variety of ways. In contract law, it is one of the essential requisites of a valid contract,[4] the absence of which would make the contract void.[5] A defect or vitiation of consent, like lack of legal capacity, or when the consent is made with mistake, violence, intimidation, undue influence, or fraud, makes the contract voidable[6] under our law. Consent in contract law may also be express, or implied.[7]

Consent also makes appearances in our penal laws. Sexual intercourse without consent is Rape.[8] Violation of Domicile is committed when a public officer or employee “[searches for] papers or other effects found [in a dwelling] without the previous consent of [the] owner.[9]” An officer of corporations, partnerships, and the like are liable if he consents to or knowingly tolerates the involvement of the corporation, partnership, etc. in drug trafficking.[10]

But, in general, consent under the laws is defined as the “voluntary agreement by a person in the possession and exercise of sufficient mental capacity to make an intelligent choice to do something proposed by another,[11]” or more recently as an “agreement, approval, or permission as to some act or purpose, esp. given voluntarily by a competent person.[12]” From the foregoing, I believe the concept of “consent” is quite easy to grasp, but in case one needs a simpler definition, a popular[13] internet video defined consent (the video author was referring to a rape case, but it can nevertheless apply to any case where consent is required) as the existence of a “yes” and not the inexistence of a “no.[14]” Hence, in order to say that the data subject has given his or her consent to be the subject of data processing, he or she must have given her approval thereto, i.e. that he or she said “yes,” and not that he or she did not say “no.”

Acts Punishable under the Act related to the questionable act of giving another person’s number without his/her consent.

As to disclosure of personal information, the law provided for many safeguards[15], among them are the various punishable acts that may impute criminal liability to the one who disclosed the information. As with all crimes, these declarations making acts punishable under the law should be construed strictly and only a clear declaration that an act is a crime will suffice to convict a person under this Act.[16]

Four (4) punishable acts apply to disclosure of personal information. These are found in Sections 25, 28, 31, and 32. Section 25 punishes unauthorized processing of personal information while Section 28 punishes processing of personal information and sensitive personal information for unauthorized purposes. Section 31 and 32 more directly involve disclosure as these sections punish malicious (Section 31) and unauthorized (Section 32) disclosure.

The unconsented giving of someone’s phone number may constitute “Unauthorized Processing of Personal xxx Information” OR “Processing of Personal xxx Information for Unauthorized Purposes.

This and the next proceeding discussion is premised on the fact that the term “processing,” under the Act, encompasses a lot of procedures that can be done to personal information. The act provides:

“(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.[17]

Thus, from the definition it may be argued that the “giving” of someone’s personal information, like a phone number may violate this section is such “giving” is part of a procedure embraced by the term “processing,” i.e. when giving is necessary for organization, storage, use, and so on.

The crime designated under the law as “unauthorized processing of personal and sensitive personal information[18]” is committed when the following elements are proven:[19] (1) that the offender is any person; (2) that he processes personal information or sensitive personal information (this carries a heftier penalty); and (3) that the data subject did not consent to the processing of the same, or that the Act or any existing law did not authorize such processing. What is peculiar to this provision and Section 28 is the fact that it is the data subject who controls whether the act of processing is violative of the Act. The question of whether or not the processor is a criminal under Section 25 all boils down to whether or not the data subject gave his or her consent to the processing of his personal information.

To illustrate this way of violating the law consider the following circumstances: let us say A, an employee of Globe Telecommunications, works as a person who maintains the databases of the company in relation to the end users of its services; he has a friend B who is an agent of the National Intelligence Coordinating Agency and is tasked to stealthily collect information about citizens and aliens alike who are being investigated by the agency; B developed romantic feelings for C (a suspected rebel) over the course of his “investigation”; B, with proper authority from his superiors to consolidate information, asks for the phone number of the C from A, who is authorized by Globe to provide the same; A immediately complies thereto, thereby becoming the tulay of B and C.

Let’s review the facts in relation to the law: the first element is complied with because A is a person; the second is complied with because the nature of his work qualifies him to be a “personal information processor[20]” and he processes the information by consolidating the same with the database of B an agent of a “personal information controller;[21]” and finally C obviously did not consent to the consolidation of her personal information. A, therefore, is now not only considered the perfect wingman but is also considered a CRIMINAL under this law, his act of giving C’s number to B being a violation of Section 25.

Just like the preceding criminal act, “processing of personal information and sensitive personal information for unauthorized purposes[22]” is a crime defined in the Act that relates to the giving of phone numbers because of the wide-encompassing definition of the term “processing.” In order to commit an act violative of this Section in the Act, three elements must concur[23]: (1) that the offender is any person; (2) that he processes personal information or sensitive personal information; and (3) that while the data subject DID consent to the processing of the same, the act complained of was beyond that authority, or that the Act or any existing law did not authorize such processing. Here, it can be read that consent of the data subject is still a controlling factor but in this case the one processing and thereby the one committing the crime is punished for his breach of what was agreed upon between him and the data subject.

An illustration of this violation can be seen when the facts of the last story was altered a bit. Instead of the fact that C did not give her consent at all to Globe and to its agent A, a violation of Section 28 would have been committed by A had C’s consent been actually procured but such consent did not allow for the consolidation of C’s personal information with the database of B and the NICA, she consented only to the recording, organization or storage of her number. Here the consent was freely given but the since the personal information processor went beyond the rights waived by the data subject through her consent, it can be said that she did not consent to the consolidation and therefore did not consent to the giving of her phone number to B.

Giving someone else’s phone number without his or her consent may amount to “Malicious Disclosure” or “Unauthorized Disclosure.”

Now let us go to the crimes intended to punish illegal disclosure of data under the law. First is “malicious disclosure” which is embodied in Section 31[24] of the Act. Again, from my own interpretation of the words of the statute, I believe that the requisites in order to be liable under this Section are: (1) that the offender must be a personal information controller, or a personal information processor, or any of its officials, employees or agents; (2) that he or she discloses information relative to any personal information obtained by him or her; (3) that the information disclosed is either unwarranted or false; and (4) that the disclosure is with malice or bad faith.

The terms are fairly easy to understand, except “malice” and “bad faith” both of which have legal definitions established in our jurisprudence. The two are almost always intertwined and used together. One of the latest decisions of the Supreme Court defined malice as “the doing of an act conceived in the spirit of mischief or criminal indifference to the rights of others or which must partake of a criminal or wanton nature.[25]” Another new case, on the other hand, ruled that bad faith does “not simply connote bad judgment or negligence. It imports a dishonest purpose or some moral obliquity and conscious doing of a wrong, a breach of a known duty through some motive or interest or ill will that partakes of the nature of fraud.[26]

Hence, the crime of malicious disclosure can be illustrated by modifying the example discussed above in this wise: even though A is good friends with B, let us say that he (A) is also secretly in love with C; A could not uphold the Bro Code,[27] and decided instead to disclose the number of D, another Globe subscriber who A knows and hates; D now, due to the disclosure made by A, is being investigated by the government as a suspected rebel, to the prejudice of D’s privacy rights.

All the elements are present: A is a personal information processor; he discloses D’s personal information (his phone number) which was obtained by A in his capacity as an employee who maintains the databases of Globe Telecommunications; the disclosure was unwarranted since what was asked from A was the number of C; and the disclosure was malicious and was done in bad faith because A deliberately disclosed the unwarranted information to the prejudice of the owner of the information simply because he hates D. A is therefore liable for malicious disclosure under Section 31.

As for “unauthorized disclosure,” the Act defines the crime in the negative. Under Section 32 (a) of R.A. No 10173, a “personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the [section on Malicious Disclosure] without the consent of the data subject” shall be liable for the crime designated as unauthorized disclosure.

From my understanding of the Section, the elements required to be proven in order to convict a person accused of violating Section 32 (a) of this Act are: (1) that the accused is a personal information controller or personal information processor or any of its officials, employees or agents; (2) that he or she discloses information relative to any personal information obtained by him or her; (3) that such disclosure was without the consent of the data subject; and (3) that the disclosure does not fall under malicious disclosure. This crime can plainly be illustrated by the same example I gave for unauthorized processing of personal information, except that instead of the purpose of B being to consolidate the information obtained by his office and that of A’s, the purpose here is simply to obtain the number of the girl he has been obsessing about, C. If A obliges, he is liable for unauthorized disclosure.

Conclusion

All the above examples fit into the simple question stated at the very beginning of this article. In each of the situations a person “gave” another person’s phone number to a third person without the consent of the owner of the number. Very thin lines separate these four crimes from one another when it comes to the “giving” of phone numbers to a third party, as evidenced by my examples. And most importantly, in all of these cases, we discovered that the person who gave the number may be criminally liable under R.A. No. 10173, provided, that the elements of the crimes as discussed above are alleged and shown to exist. The short answer then to the short question propounded above is a not so easy “YES.”


[1] Section 3 (g), R.A. No. 10173

[2] Section 3 (l), R.A. No. 10173 states that:

“(l) Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.”

[3] Section 3 (c), R.A. No. 10173 defines a data subject as “an individual whose personal information is processed.”

[4] Article 1318 (1), The New Civil Code.

[5] Jurado, Comments and Jurisprudence on Obligations and Contracts, 11th Revised Ed. (2002, Rex Book Store, Inc.), page 566 citing 8 Manresa, 5th Ed., Book 2, page 608.

[6] Ibid., page 523.

[7] Article 1320, The New Civil Code.

[8] Article 266-A, Revised Penal Code, as amended.

[9]Article 128. Revised Penal Code, as amended.

[10] Section 30, R.A. No. 9165, as amended.

[11] Black’s Law Dictionary, 6th ed., page 305.

[12] Ibid. 9th ed., page 375.

[13] It has been viewed more than 275,000 times.

[14] “WTF HAPPENED IN STAUBENVILLE?” a video by user lacigreen. http://www.youtube.com/watch?v=z86oaQ4aLcM (accessed July 4, 2013).

[15] Like those declared under Chapters III to VII of the Act.

[16] This is essentially the maxim nullum crimen, nulla poena sine lege, that is, “there is no crime when there is no law punishing it.”

[17] Section 3 (j), R.A. No. 10173

[18] Section 25 , R.A. No. 10173 states that:

Section 25. Unauthorized Processing of Personal Information and Sensitive Personal Information. – (a) The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.”

[19] Disclaimer: this is based on none other than my rookie interpretation of the words of the statute.

[20] Section 3 (i) states that:

“(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.”

[21] Section 3 (h) defines this person as:

“(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.”

[22] Section 28

[23] Ibid. at 19.

[24] It provides:

Section 31. Malicious Disclosure. – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).”

[25] Lagaya vs. People, 677 SCRA 478(2012) citing Lucas v. Sps. Royo, 398 Phil. 400, 411; 344 SCRA 481, 490 (2000).

[26] Aliling vs. Feliciano, 671 SCRA 186(2012) citing Nazareno v. City of Dumaguete, 590 SCRA 110, 141-142 (2009).

[27] NOT a real law or code (unless you’re a bro)

Advertisements

1 Comment

Filed under Uncategorized

One response to “The Tulay’s Dilemma: A Look into the Data Privacy Act and Phone Numbers

  1. Pingback: Students’ Take: Contacts viz RA 10173 | Berne Guerrero

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s