A couple of weeks from now, a little-known deadline is set to expire. On July 2, individuals who collect and use personal data as “personal information controllers” or “personal information processors” are expected to have already registered with the National Privacy Commission (NPC). More specifically, those required to comply must either have at least 250 employees or process sensitive personal information of at least 1,000 persons.
All this according to the Commission’s press statement last March 8.
This rather obscure registration requirement is problematic for so many reasons that people’s lack of awareness doesn’t even make the list. That may actually prove to be a lucky break for the Commission, considering everything going against the system:
- It has no stable legal footing. In the entire Data Privacy Act (DPA), the concept of registration is taken up only once—in Section 24. It simply says that a government agency entering into a contract that involves processing sensitive personal information of at least 1,000 individuals must require the other party to register its processing system with the Commission. The law’s Implementing Rules and Regulations (IRR) brought up, for the first time, the idea of having a larger group of entities for registration. They declared that, in addition to the initial criteria, three other factors will determine who is required to register: (1) having at least 250 employees; (2) having processing activities that are not occasional; and (3) having data processing activities that are likely to pose a risk to people’s rights and freedoms. This means the only policy to date that lays down the notion of requiring both individuals and organizations to register is the Commission’s very own Circular No. 17-01. Inherently self-serving, even that document is rife with provisions suggesting that the registration system is principally about organizations. Only sole proprietorships ought to qualify as falling under the category of individuals. Adopting a broader interpretation establishes a loose and murky regulatory system that gives the Commission no idea how vast its regulated sector is. That’s a glaring red flag. Indeed, even mere encoders to whom the processing of thousands of personal data has been outsourced may qualify as personal information processors. Would they be required to register, too?
- It runs against the rationale behind registration as a regulatory mechanism. Transparency underpins registration systems as a regulatory tool. At the time they were first introduced, data processing had evolved so much that it became difficult for the public and regulators alike to keep up. The structure of companies and their operations had also become more complex. Registration was seen as a way to rein in this growing sophistication. The coerced transparency, it was hoped, would compel companies to treat data processing with better care. Unsafe or controversial uses of personal data would be discouraged, if not avoided altogether. It is difficult to make a similar argument vis-à-vis individual processors, who normally just have one processing system in place. If transparency remains the overall goal for registration, other less taxing requirements like privacy notices and consent forms would suffice.
- It is inconsistent with the principle of data minimization. A core principle of data protection is data minimization. The idea is that one should only collect the least amount of information necessary to accomplish or pursue a specific (legitimate) purpose. This applies to all data processing activities and all entities engaged in them—including data protection authorities like the NPC. Requiring individual practitioners or professionals who process personal data to register—especially with no further qualifications or limitations to consider—may be seen as an unnecessary data processing system. There are less burdensome but more effective means to enforce transparency. The NPC would also be taking on all risks inherent in unwarranted data collection, which it has (ironically enough) been warning everyone about. Finally, it bears mentioning that European Union (EU) data protection authorities already observed as early as 1997 that the introduction of data protection officers (DPOs) would limit the need for centralized supervision mechanisms (e.g., registration). Back then, the designation of DPOs was not yet mandatory. It is now, both under the EU’s General Data Protection Regulation (GDPR) and the DPA.
- Its value as a regulatory mechanism is, at best, uncertain. Registration is a dated regulatory mechanism that is slowly being discarded by more mature data protection regimes. Take the case of the GDPR. This new law abolished indiscriminate registration schemes to lighten the administrative load of data controllers. Years of experience have shown that it only imposes significant administrative and overhead costs on businesses with little or no discernible benefits. From now on, EU authorities want data controllers to focus instead on developing internal policies and procedures that secure data processing activities. Regulators like the United Kingdom’s Information Commissioner’s Office have already announced that they will no longer require registration. Those following these developments from afar are expected to make similar adjustments. In Hong Kong, registration of “data users” is not mandatory, although the law there gives the data protection authority the power to make it so for some types of data users. In 2014, initial registration plans were shelved in anticipation of the GDPR. Deference to the approach of the new EU law is understandable: HK’s data protection law is broadly based on the EU model, just like the DPA. With the EU abandoning registration, it is likely that HK will follow suit. Slovakia, an EU member, did not even wait for the GDPR. A year after passing its own data protection law in 2013, it amended the statute, and among the critical changes made was the removal of the registration requirement. Other countries influenced by the EU, like Singapore, did not even bother to include a registration system in their data protection laws. With all these developments, the NPC seems to be taking the Philippines in the opposite direction. Instead of removing or at least limiting registration, it’s dead set on expanding it. What could possibly be the wisdom behind such a strategy?
There are a number of other points to consider about the NPC’s registration system for individuals, but these four make up the more prominent questions the agency needs to reflect on right now.
Thus far, it has only been medical practitioners who have expressed alarm over their inclusion in the scope of the system, but that is easily attributable to the fact that other professions are less informed about it, if at all. Should the Commission begin throwing its weight around to force the realization of its vision in this matter, that’s the time it will get a real sense of the opposition it is up against. If it is not up to the task, it may not only be individual registration that could be at stake, but the entire registration system altogether. As a privacy advocate, one would hate to see it all crumble—especially this early—as that would be a significant blow to the still-emerging field of data privacy, and this neophyte regulatory agency that is the NPC, which, after two years in operation, is still trying to get its bearings.
Jamael Jacob is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.