Amending the Data Privacy Act, Part II
In the first of this 2-part series, we did a quick scan of HB 5612, which is one of the two bills at the House of Representatives seeking to amend the Data Privacy Act of 2012. We’re only halfway through.
As we continue our review, let us now go over some of the minor, but still noteworthy changes being offered:
- Direct Marketing. The term, “direct marketing” and its corresponding definition will be removed. This is a no-brainer. The DPA, after defining the concept, never refers to it again anyway.
- Data Protection Officer. The law would already use the term “data protection officer,” further cementing the concept in local data protection lore.
- Fees. The NPC will have the authority to collect “reasonable” fees from participants of its capacity-building events. It may then use the proceeds to keep conducting such activities, and for other purposes, too. At the same time, it can retain whatever amount it collects by way of fees, fines, royalties, and other charges for equipment upgrades and personnel development, sans the approval of any other government agency.
- Term Limits. The proposal is to lengthen the term of Commission members to four years (from the current three). Reappointment will still be possible. The new law would also clarify that, in the event of a premature vacancy (e.g., resignation, death, etc.) in the body, the new appointee will only serve out the unexpired term of his or her predecessor.
- Vital Interests of Another. Upholding the “vitally important interests” of another individual is added as a legal basis for processing personal information.
- A Limit to Consent. Interestingly, the proposal qualifies consent as a ground for processing sensitive personal information. It recognizes a scenario wherein a specific law would prohibit processing such data even if the data subject is prepared to give consent.
- Enhanced Right to be Informed. On top of those already enumerated in the DPA today, three items have been added to the list of information that need to be relayed to data subjects by default: (1) existence of automated decision-making, and its significant impact on the data subject; (2) cross-border transfers or those made to an international organization; and (3) contact details of the data protection officer.
Now, for the really juicy part. Let’s pinpoint some of the areas where the law fell short and which the bill still fails to address. For many of these areas, their problematic nature was already apparent back when the DPA was itself still a mere proposal. In the case of others, the complications they give rise to only surfaced once people started trying in earnest to comply with the law.
- Public Authorities. The proposal fails to provide a definition for a key term in the law: public authorities. Keep in mind that the DPA, in its current state, mentions the word three times, without even hinting as to the scope of its true meaning. Granted, this issue is somewhat addressed by the Implementing Rules which do give it a definition. But it would certainly be better if that definition is etched in law.
- Redundant Exemption. This one is related to the first. While the bill retains as an “exemption” information needed by public authorities to carry out their functions, it adds another one that is essentially the same. Specifically, it says that also exempted are the processing of information necessary for law enforcement or regulatory authorities to perform their functions. If one will consult the definition given by the Implementing Rules to public authorities, it actually refers to law enforcement authorities and regulators. A backup exemption perhaps?
- Privileged Information. The concept of privileged information has always been an odd addition to the mix. Congressional records do not provide a clue what prompted its inclusion in the DPA. It should be removed. It only foments confusion. The law is about personal data and not confidential information per se. And privileged information (a.k.a. privileged communication) is essentially more of the latter. Then there’s the fact that not all privileged communication will involve personal data. Why would you then embed it in a policy that revolves around personal data? When one gets to the end of the DPA, there is that feeling that even the legislators seem to have forgotten their reason for putting it in the law. After going through the trouble of defining the term and establishing the legal bases for its processing (which also opens its own can of worms, by the way), the law doesn’t actually penalize any offense involving privileged information.
- General Principles vs. Data Privacy Principles. This is another source of confusion. Under the title, “General Data Privacy Principles,” the DPA speaks of adherence to the general principles of transparency, legitimate purpose, and proportionality, then goes on to enumerate six (6) so-called data privacy principles. Does that make 9 general data privacy principles? No? Are they supposed to be separate? If so, how does each set relate to the other? Does one hold more weight than the other? Having discussed these concepts hundreds of times at this point, I know how exhausting it is to constantly engage in legal acrobatics just to get past this conundrum. Other data protection laws only refer to one set of principles. They are either called “data privacy principles” or “data protection principles”. We should do the same.
- Registration of DPS. Many consider the registration of data processing systems one of the hallmarks of older data protection regimes. In the EU, it is now considered a relic. When it was conceptualized, it was meant to nudge organizations into compliance. The idea was that compelling them to register (or “notify”) with regulators forces them take compliance seriously. After twenty years of tinkering with this idea, the EU found it too burdensome on the part of organizations and ultimately, ineffective. They wisely left it out of their new law: the GDPR. It turns out that a better motivator for compliance would be to require organizations to appoint a DPO. And that is exactly what they did.
- Offenses. There are a number of talking points when dealing with the offenses under the DPA and how it treats them (i.e., as crimes). This is but one of them. The law gives the term, “processing” such a broad meaning that practically anything you do with personal data qualifies as processing. This could pose a problem when you criminalize the act (i.e., when done without proper authorization). Just take a look at the crimes listed under the law. There you will find the very generic act of processing, alongside specific acts like disclosure, access, and disposal, all of which would also be considered processing. Now try coming up with the elements of the crime of unauthorized processing—in a way that would distinguish it from the other specific types of processing. Do you see where the problem lies?
The first portion of this article was meant to inspire hope. The point was to show how much things can still get better if we really set our minds to improving the DPA. This last exercise, on the other hand, was meant to allow a glimpse into the weaknesses of our data protection law—both in its current form and even after Congress manages to patch up some of its shortcomings.
From this point onwards, it’s up to all the stakeholders to collaborate and make sure the positive spin to the process comes out on top. After all, it’s far from a foregone conclusion. There is still a chance to cure many of the gaps, such as those pointed out in this space. Every person who truly cares about data privacy should take advantage of this opportunity and make his or her voice be heard on this matter.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.