In a January 4, 2019 decision, a Makati court nullified an issuance by the Credit Information Corporation (CIC) which required insurance companies to turn over specific client data on the ground that these constitute credit information that must be submitted to the agency under the Credit Information System Act (CISA). The outcome was lauded by the Philippine Life Insurance Association (PLIA), Inc., which filed the case, and the Insurance Commission, which supported the effort.
The result is a welcome one especially if set against the backdrop of intensified data collection by the Philippine government. If sustained, it provides a necessary check on a State that is, at best, overzealous in performing its work, or, at worst, keen on engaging in unnecessary or excessive surveillance activities.
It would be interesting to see if this case sparks a similar pushback against other government data collection initiatives.
Take, for instance, the Securities and Exchange Commission (SEC), which has trained its sights on non-profit organizations (NPOs) through its SEC Memorandum Circular 2018-15, which came out late last year. The MC establishes an enhanced registration and monitoring system for NPOs, which includes mandatory disclosures for all covered entities, as well as “enhanced compliance requirements” for so-called “NPOs at Risk”. This beefed up system is being justified as necessary to protect NPOs from money laundering and terrorist financing abuse.
Some lawmakers have expressed their concerns over the Circular. They accuse the SEC of engaging in criminal profiling and witch hunt operations in violation of fundamental rights such as freedom of association, free expression, and the right to privacy, to name a few. The Makabayan bloc at the House of Representatives has even called for a review of the issuance, noting how it is prone to abuse when used against legitimate organizations of human rights defenders, development workers, social workers, and volunteers.
A cursory study of the MC reveals at least five (5) key features that appear to confirm the fears of its critics:
- Vague definition for an “NPO at Risk”. According to the Circular, an NPO at Risk is one that is classified as medium or high risk based on three possible criteria: (1) according to risk factors identified in the MC itself; (2) according to a risk-based points system that may be developed by the SEC; or (3) other factors the SEC may deem material in assessing an NPO’s risk level. Each one is problematic. The so-called “risk factors” just refer to the basic information all NPOs are required to submit to the SEC. The risk-based points system does not yet exist, and its development does not seem to be mandatory. As for the “other factors”, it is entirely up to the SEC to declare what they will consist of. It is easy to see how the system is ripe for abuse.
- Broad definition for a “Politically Exposed Person” (PEP). The MC requires each NPO to “establish and record the true and full identity” of its donors who are considered as PEPs. A PEP is a person who is or has been entrusted with a prominent public position/function in: (1) the Philippines, with substantial authority over policy, operations, or the use or allocation of government-owned resources; (b) a foreign country; or (c) an international organization. The term also includes immediate family members, close relationships, or associates of the main or primary PEP. Family members include the spouse or partner of the PEP, his or her children, the spouses of such children, his or her parents or parents in law, or siblings. On top of this, associates can mean any of the following: (a) beneficial owners of a legal entity or legal arrangement known to exist for the benefit of the main/principal PEP; (b) business partners or associates, especially those that share beneficial ownership of legal entities or legal arrangements with the PEP; (c) persons who are connected to the PEP; (d) prominent members of the same political party, civil organization, labor or employee union as the PEP; or (e) sexual or romantic partners outside of the family, like a girlfriend or boyfriend, a mistress, etc. In other words, the MC forces every NPO to intrude into the private lives of its donors. How else is it supposed to know if one of its donors has a mistress, and if so, who?
- Unbridled authority to require the submission of any document. The MC allows the SEC to require the submission of any document it thinks is necessary to properly assess the risk of an NPO of being subjected to money laundering or terrorist financing abuse. Any time someone is given such a blanket authority, expect red flags to appear.
- Information sharing scheme. The Circular also allows the SEC to enter into agreements with NPO self-regulatory organizations and private organizations for cooperation, coordination, and information sharing purposes. In the case of NPOs at Risk, information sharing is mandatory but with other government agencies, including law enforcement. While data sharing is not prohibited per se, if left unchecked, it facilitates pervasive surveillance and allows the actors behind it to circumvent control mechanisms. Things turn for the worse once law enforcement agencies become involved since they get to skip the need for warrants, subpoenas, or court orders.
- Lack of criteria for determining the need for an investigation. With self-restraint as its only limit, the SEC is also permitted to conduct an investigation on a person who “has violated or is about to violate” the mandatory provisions of the Circular, or on an NPO being used for money laundering or terrorist financing. It is not clear how the SEC gets to predict if a person is about to violate the MC. Does it have predictive technology we are not aware of?
At a time when the prevailing political climate is widely perceived — both locally and abroad — as growing more hostile by the day to activists, human rights advocates, and even the press, these features should not be dismissed so easily. Sure, describing them as an exercise of the State’s police power accords them a presumption of validity. But that policies like this MC can be a tool for State oppression is not exactly unprecedented. Other countries not really known for their adherence to democratic principles (e.g., Russia, Hungary, Romania, Vietnam, etc.) have done it before. Some are doing it again today.
This is where the Makati court ruling becomes so relevant. It proves at least that the government is not infallible and that its measures are not immune to a strong legal challenge. If presented with sufficient evidence, courts have consistently ruled against State policies and have insisted that there must be a reasonable relation between the purpose of a government measure and the means employed to accomplish it. The protection of public interest is no magic wand that permits the arbitrary invasion of individual rights and freedoms by the government.
Be that as it may, it is equally important to emphasize that the SEC is also not wrong to develop initiatives against money laundering and terrorist financing schemes, especially those that utilize or prey on NPOs. It would also be remiss in its duties were it to allow them to transpire just because of certain flaws in its policy. Here, the Commission can still rectify matters by going over its MC and addressing the concerns raised by stakeholders. It can clarify and narrow down vague and overly broad definitions to allay fears of abuse. It can put up safeguards to make sure information sharing is done only on a limited basis, involving the minimum amount of information necessary to accomplish legitimate objectives. It can also do away with blanket authorities and provide for reasonable criteria that trigger the conduct of an investigation and limit the types of documents that may be collected. Any one of these could make the issuance significantly better. Adopting all of them could stave off any legal challenge filed before the judiciary.
But it is all up to the Commission now. NPOs, for their part, can hope for the best but they, too, should explore all available options in this controversy.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.