Saving eSalvar

Late last month, I gave a brief lecture on the country’s Data Privacy Act (DPA), juxtaposed with the law on mandatory reporting of diseases and the “digital contracting system” of Naga City (my hometown): eSalvar. The eSalvar system is buttressed by City Ordinance No. 2020-86, which was enacted on 8 September 2020.

eSalvar is not unlike some contact tracing systems already out here today. As per its protocols, establishments and individuals are asked to register with the platform, thereby allowing the establishments to download the app to any smart device with a camera that can read QR codes, while giving each individual a unique QR code that can be printed out or stored in a mobile device. Each time a registered individual enters a registered establishment, his or her QR code is scanned, followed by a temperature check. The visit to that establishment is recorded and stored in the system for a specific period before being automatically deleted. The registration information is retained while the system is in operation.

Pretty straightforward, right? Well, yes and no.

While preparing my lecture, I performed a quick study of the Ordinance and the eSalvar Privacy Statement and managed to spot a number of issues relating to data privacy:

• Collection of consent is superfluous and ultimately, unnecessary. Section 6 of the Ordinance says registration is mandatory for all permanent or temporary residents. Despite this, the individual registrant is still asked to give his/her consent to the processing of his/her personal data when he/she registers at the eSalvar website. Unless the city government intends to use the collected data for purposes other than those specified in Ordinance 20-086, consent is unnecessary.

• Inconsistent retention periods. Section 10(c) of the Ordinance which talks about the retention period for the check-in/out record of an individual is inconsistent with the Privacy Statement. The latter says the retention period is 30 days, while the Ordinance says 60 days.

• Procedure for temperature checks is incomplete. Section 9 of the Ordinance talks about establishments conducting mandatory temperature checks on all individuals entering their premises. It doesn’t say what it will do with the results. As far as digital logbooking (i.e., scanning of QR codes) is concerned, Section 9(f) of the Ordinance says scanning will only log the date and time of entry of an individual. The Privacy Statement though says a temperature higher than 37.5 will be collected—but doesn’t say how, exactly. Whether this means it will always be a combination of digital and manual logbooking is anybody’s guess.

• Privacy Statement. The document features most information one would expect to find in a typical Privacy Notice. So that’s good. It also provides a general description of the system’s security features, which is not necessary, and therefore commendable. Unfortunately, it also lists down information that are not considered personal data. If you know your data privacy then you know it only cares about personal data. There’s the usual confusion regarding the use of “gender” as opposed to “sex”. You know it’s asking for the latter, but for some reason says it needs the former. The Privacy Statement also suggests that eSalvar collects personal data not specified in the Ordinance—with the purpose behind the collection of one datapoint (i.e., nationality) unclear. Finally, it does not feature the contact details of the city’s Data Protection Officer.

• There is a vague reference to “data controllers” in the Ordinance. Section 10(b) of the Ordinance mentions “duly designated data controllers” who are to “manage and keep all information with utmost care and confidentiality and shall use the same for contact tracing purposes”. It is not clear if the Ordinance is actually referring to “personal information controllers” as defined in the DPA. If it is, then I’m afraid there has been a misunderstanding as to what that term means.

Outside of these, I also made some general observations, among which I find these two most relevant:

• The Ordinance is unclear if registration is mandatory for transients (or non-residents). As far as registration is concerned, Section 6 of the policy only talks about permanent or temporary residents. On the other hand, Section 11 talks about the establishment of assistance centers that will aid residents “and other individuals” during registration. Meanwhile, Section 9(g) of the Ordinance states that offices and establishments shall not allow entry to individuals with no QR ID cards. That implies registration is mandatory for everyone.

• The purpose for manual logbooking is unclear. Still on the issue of “no QR ID cards, no entry”, Section 8 of the Ordinance lays down the procedure for manual logbooking. It says manual logbooking may be resorted to in 2 instances, either: (1) an individual has no QR ID card; or (2) the office or establishment has not yet registered for digital logbooking. That said, Section 9(g) of the Ordinance seems to limit manual logbooking to the second scenario only, since it says individuals with no QR ID cards shall not be allowed entry. So what is it, really?

The lecture was about three weeks ago today. I thought that would be the last time I’d hear about eSalvar and what I perceived to be its inherent flaws. That all changed this week when I learned that a case had actually been filed against the city government, asking the court to strike down pretty much the entire Ordinance for being unconstitutional.

The petition takes issue with a number of its provisions, arguing that they violate people’s fundamental freedoms, such as the right to liberty and the right to privacy. If the petitioners are to be believed, the policy is also contrary to existing laws and jurisprudence, including the DPA.

As a privacy practitioner, I’ve gone over the arguments and I would have to say that while I agree with some of the concerns raised—two or three I’ve actually pointed out here—the others stand on very uneven footing.

A better appreciation of the fundamental concepts and principles that constitute the core of the DPA would have helped. I believe the comparison made with PhilSys, the country’s national ID system, and Staysafe.PH, supposedly the national government’s official contact tracing app, was misplaced. The sweeping claim that these systems appear to be safer and offer more protection towards privacy is very dangerous. I’ve looked into these systems. There is no doubt in my mind that they pose a more serious threat to privacy and data protection.

All in all, I think the case, just like the Ordinance and the System it seeks to upend is laced with good intentions. And just like the Ordinance, it is in need of tweaking if it is to succeed.

My hope is that the case actually ends up improving eSalvar—that it gets to save lives, without having to ask people to give up their rights. The latter is a bargain offered and fancied mostly by despots and their ilk. We’ve rejected it before. We need to keep it that way.

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.