It sometimes gets thrown around that data privacy is an issue unique to this century such that it requires a modern regulatory policy like our Data Privacy Act of 2012 (DPA). A statement like that is inaccurate at best, and can actually be misleading.
Data privacy is about a person’s control over his or her personal data—who gets to collect and process it, for what purpose, in what manner it may be used, and so on. As such, it can’t possibly be a recent development or concern. Quite the contrary, it’s an issue that’s been around for some time.
While it is true that there is plenty of talk today touting data as this era’s new oil, or the modern currency that’s already made empires out of the Googles and Facebooks of the world, a quick look at history reveals plenty of concrete examples when personal data was a central figure, or at least played a critical role in determining the outcome of certain events. We can even zero in on the long line of cases showing how people’s information can be improperly collected or abused when processing is left unchecked or without controls.
During the Second World War, census data in Germany and the Netherlands were used by the Nazis to identify the Jewish members of their respective populations. They ultimately sealed the fate of many when Hitler and his cohorts went on to implement their so-called “Final Solution”. Across the Atlantic, the U.S. Government used confidential neighborhood information to forcibly relocate and incarcerate Japanese Americans after Japan’s attack of Pearl Harbor. In the cold war that followed, there was the Stasi of East Germany that specialized in spying on the population via a vast network of citizens turned informants. By the time the Berlin Wall fell, it had amassed billions of records on millions of individuals both in and outside the region. Meanwhile, in the case of the private sector, there is no shortage of accounts that tell of company practices relating to the collection and use of people’s information for purposes like profiling and direct marketing, all of which dwell on the fringes of what many consider to be acceptable social norms.
The concept of data privacy is quite dated that the first data protection policy on record was actually passed way back in 1970 in a region in Germany called Hesse(n). That’s almost half a century ago today! Other European countries like Sweden and France followed soon after. Even the U.S. came up with a Privacy Act in 1974, which established a code for fair information practices applicable to personally identifiable information maintained in government record systems.
If we take stock of its original spawning ground, it’s fair to assume that the emergence of data privacy regulation was, in part, driven by the fear of having a repeat of the horrors of World War II. People were afraid that their personal data may once again be used as a tool for discrimination and other worse applications. If we’re talking about the leading cause, though, many believe that that distinction goes to the widespread concern in the late 1960s about unfair information practices. With the increasing power of computers and the extent of their use, many countries became worried about their social impact and saw them as something, which, while brimming with useful potential, was beyond what existing laws were prepared to deal with.
Today, we have at least 108 data protection or data privacy laws in place all over the world.
That said, it would be the European Union’s 1995 Data Protection Directive that can claim to have the most impact on present-day data privacy policies—including our very own DPA. Have a look at the DPA, also called Republic Act No. 10173, and you’ll see many of its provisions copied almost word-for-word from its European predecessor. In a way, that makes our law more than two decades past its prime.
More on our country’s history with data privacy, it’s likely that the Philippines’s first foray into data protection was through its membership in the Asia-Pacific Economic Cooperation (APEC), which published its own Privacy Framework in 2005. In contrast with the EU model, the Framework gives greater emphasis on avoiding barriers to information flows and ensuring continued trade among member-nations.
In the domestic front, the DPA is not our first attempt to draw up a data protection policy. In 2006, the Department of Trade and Industry issued Administrative Order No. 8, which prescribed guidelines for a local data protection certification system. The agency planned to put up an accreditation office that would authorize private sector entities to certify whether or not a company, or an activity or program thereof, is compliant with accepted data protection standards.
If you’re wondering why you’ve never heard of this policy, there’s no reason to feel left out. The AO was never implemented because, by the time it was issued, deliberations in Congress about legislating a comprehensive data privacy law were already underway.
The DPA was signed into law in 2012, with the local BPO sector as its most visible endorser. It took four more years before former President Noynoy Aquino came around to appointing the members of the National Privacy Commission (NPC), which is a creation of the law itself and bears the responsibility of enforcing its provisions, including the issuance of its Implementing Rules and Regulations and other accessory policies.
That brings us to the present day and the spike in interest from both public and private sector entities regarding the DPA and data protection, in general. The activation of the NPC and its ongoing effort to establish a compliance system certainly has a lot to do with it. But there are other factors, too.
For multinational companies or at least those with business dealings in the EU, there’s also the impending entry into force of the General Data Protection Regulation (GDPR) this coming May 2018. It is set to replace the 1995 DP Directive. Developments in our neighboring countries are right there in the mix, too. Singapore, Malaysia, and Hong Kong already have data protection regulation. And then there is the Cross Border Privacy Rules (CBPR) System developed by the APEC, which is largely similar to what DTI’s AO No. 8 would have accomplished had it seen the light of day.
All these and more make data privacy today’s buzzword among businesses and government agencies. While they do not—under any circumstances—make it a new “thing”, they have certainly transformed it into a matter important enough that it’s gradually found its way into boardroom discussions and policy debates both here and abroad. And that, I hope, sets the record straight.
Jamael Jacob is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.