The risky business of profiling

There is an ongoing debate regarding the legality (or at least propriety) of profiling. That practice loosely defined as the collection of information about a person in order to categorize him or her and possibly predict his or her behavior.

The primary trigger has been all these reports of police officers gathering personal data about the organizers of community pantries that have sprouted all throughout the country. According to one account, at least, law enforcement operatives had asked people to fill up a form requiring them to disclose their name, birthdate, education and work background, various contact information, and even their Facebook account.

Responses by the authorities to the accusation have been conflicting. While the Philippine National Police (PNP) and the Department of the Interior and Local Government (DILG) both deny handing out orders authorizing any such activity, the notorious National Task Force to End Local Communist Armed Conflict (NTF-ELCAC) has admitted to conducting background checks on said individuals.

Between the two, though, the latter appears to be a better fit for the government’s evident strategy.

A couple of days ago, the Alliance of Concerned Teachers (ACT), a government-accredited teachers’ union, called out the Department of Education for carrying out what is essentially a similar maneuver. They were reacting to a DepEd directive instructing division offices to disseminate an online survey meant to identify teachers who are members of ACT or the Teachers’ Dignity Coalition (TDC). The NTF-ELCAC has branded ACT as a legal front for the Communist Party of the Philippines.

In 2019, the PNP tried a more direct approach by going straight to the schools and asking them for the names of their ACT-affiliated faculty.

Just last month, the PNP was chastised when it asked courts to disclose the names of lawyers representing what it considers as “communist terrorist groups”. It was around the same time the DILG was caught singling out who among its own employees are members of another red-tagged organization.

Under a data protection regime, profiling is an inherently risk-laden affair. It is risky for those targeted because being improperly labeled or classified could subject them to discrimination, harassment, physical harm, and other negative consequences. On the other hand, it is also risky for those behind it given the way it exposes them to all sorts of potential liabilities.

The implementing rules of our Data Privacy Act (DPA) offers a narrow definition of profiling (i.e., that limited to those committed via automated processing). But this does not remove “profiling”, as it is being conducted in the examples provided, from the scope of the law. It simply means it will have to be evaluated just like any other personal data processing activity. Its adherence to the so-called data protection principles will be crucial, especially the part about its lawfulness.

One of the universally-recognized principles in data protection is lawfulness, or the requirement that every personal data processing activity should be required or at least allowed by law. Failure to comply with this principle could result in such crimes as unauthorized processing, processing for unauthorized purposes, unauthorized access, or unauthorized disclosure. Depending on the circumstances, administrative and civil liabilities may also be warranted.

To steer clear of those potential legal troubles, every so-called personal information controller should consult Sections 12 and 13 of the DPA to make sure at least one of the lawful grounds featured there authorizes its personal data processing activities.

For the PNP, DILG, NTF-ELCAC, and DepEd, they should limit their options to Section 13 since that one relates to the processing of sensitive personal information (SPI). As it happens, the DPA treats the political affiliations of a person as SPI. In the case of the police, its featured data collection form actually asks for a lot of other SPI such as an individual’s age and educational background.

To better appreciate this, one can evaluate DepEd’s explanation for its approach. According to Education Secretary Leonor Briones, its data collection is a “standard requirement” the agency imposes on all organizations. Juxtaposing her statement with Section 13 of the DPA, she is in fact implying that there is either a law or regulation requiring or authorizing DepEd’s data collection. The same policy guarantees the protection of the collected information. If this is true, then the agency should have no problem citing such policy, when pressed to do so.

The other three government entities may also rely on the same ground or some other legal basis featured in the same provision. If they are feeling lucky, they may also look to the special cases or exemptions recognized by the DPA for refuge.

At the same time, people seeking to challenge the profiling activities of government agencies could also use the same references as a starting point. They can check the compliance by said institutions with the other requirements of the DPA to further bolster their case.

If convinced that they have a strong case in their hands, they can proceed directly to the courts to avail of appropriate remedies.

Of course, there is always the option of referring the matter to the National Privacy Commission (NPC). The agency did, after all, release a statement taking note of the concerns expressed by some sectors regarding the profiling of community pantry organizers, and asking the PNP itself to look into the matter. In 2019, the Commission also committed to require the police force to explain its profiling activities against teachers.

Beyond these declarations, however, the Commission has so far shown no appetite to go after government officials who run afoul of the DPA. Not since 2016 (with its recommendation to file charges against former COMELEC Chairman Andres Bautista for his supposed role in his agency’s infamous data breach) has the privacy body actively taken action against a particular government officer or agency. And it certainly has not been for lack of blatant violations of the law during the past five years.

At any rate, it is clear that the practice of profiling will always be a sensitive subject. One that should be approached with great care in view of the many different ways it could blow up and ignite other contentious issues. It delves into more unsettled territory when national security is brought up because of the inherent vagueness of the latter concept, the necessarily broad and continuing nature of information gathering it entails, and the temptation to utilize the collected data to curb political dissent. All these conditions seem present under the current circumstances.

It is a dangerous time for everyone. Even as containing the pandemic remains elusive for the country, it still has to contend with many peripheral but no less pressing issues like unlawful profiling, which seems to be spreading like some other contagion. Both need to be stamped out soon, before more people are deprived of their lives or denied their most basic rights.

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.