I.

Scope of Privacy in Digital World under the Philippine Law

Privacy in the Philippines is guaranteed under the Bill of Rights particularly

Article III Section 2 and 3 of the 1987 Constitution. Several laws have been passed by the
Congress regarding privacy of individuals such as RA 10175 or The Cybercrime
Prevention act of 2012, RA 8792 or the E-Commerce Act and RA 10173 or The Data
Privacy Act of 2012.1

In Whalen v. Roe, the United States Supreme Court classified privacy into two
categories: decisional privacy and informational privacy. Decisional privacy involves the
right to independence in making certain important decisions, while informational
privacy – that those who oppose government collection or recording of traffic data in real-
time seek to protect.2

Informational privacy has two aspects: the right not to have private information
disclosed, and the right to live freely without surveillance and intrusion. In determining
whether or not a matter is entitled to the right to privacy, this Court has laid down a two-
fold test. The first is a subjective test, where one claiming the right must have an actual
or legitimate expectation of privacy over a certain matter. The second is an objective test,
where his or her expectation of privacy must be one society is prepared to accept as
objectively reasonable.3

The policy of the State is to protect the fundamental human right of privacy, which
is guaranteed under the 1987 Philippine Constitution.4 The protection should also include
the Informational Privacy in the digital space. As we step in the modern age and with the
evolution of technologies and gadgets, Philippines adopted laws which enhances the
scope of privacy in digital world.

Zones of privacy are recognized and protected in our laws. Within these zones,
any form of intrusion is impermissible unless excused by law and in accordance with
customary legal process. The meticulous regard we accord to these zones arises not only
from our conviction that the right to privacy is a “constitutional right” and “the right
most valued by civilized men,” but also from our adherence to the Universal Declaration
of Human Rights which mandates that, “no one shall be subjected to arbitrary

1
https://ramrodriguez.wordpress.com/2015/07/03/the-scope-of-privacy-in-digital-world-under-philippine-law-
and-jurisprudence/#_ednref2
2
Disini vs. Secretary of Justice, G.R. No. 203335, February 11, 2014.
(https://ramrodriguez.wordpress.com/2015/07/03/the-scope-of-privacy-in-digital-world-under-philippine-law-
and-jurisprudence/#_edn3)
3
Disini vs. Secretary of Justice, G.R. No. 203335, February 11, 2014.
(https://ramrodriguez.wordpress.com/2015/07/03/the-scope-of-privacy-in-digital-world-under-philippine-law-
and-jurisprudence/#_edn3)
4
Section 3 of Article III of the 1987 Constitution
interference with his privacy” and “everyone has the right to the protection of the law
against such interference or attacks.”5

Although the Constitution provides data and information protection, it does so

only as regards to the State, but not as against private individuals. It safeguards
informational privacy by ensuring that the government is not able to have instant access
to data regarding an individual, and particularly, the transmission of this data from
another country to the Philippines. Such data may only be acquired upon lawful order of
the court, or when public safety or order requires, and if so, only as prescribed by law. 6

Such protection might have been enough if only privacy that is required is that
against the government. Informational privacy is more importantly needed as regards
private individuals and organizations, particularly with regard to those who might
handle or come into contact with one’s personal data. It is in this area that the
fundamental law of the land on its own is insufficient.7

Under the Civil Code of the Philippines, Article 26 and Article 32 protects personal
privacy. To wit:

“Art. 26. Every person shall respect the dignity, personality, privacy and peace of
mind of his neighbors and other persons. The following and similar acts, though
they may not constitute a criminal offense, shall produce a cause of action for
damages, prevention and other relief:
(1) Prying into the privacy of another's residence:
(2) Meddling with or disturbing the private life or family relations of another;
(3) Intriguing to cause another to be alienated from his friends;
(4) Vexing or humiliating another on account of his religious beliefs, lowly station
in life, place of birth, physical defect, or other personal condition.”

“Art. 32. Any public officer or employee, or any private individual, who directly
or indirectly obstructs, defeats, violates or in any manner impedes or impairs any
of the following rights and liberties of another person shall be liable to the latter
for damages:
…
(9) The right to be secure in one's person, house, papers, and effects against
unreasonable searches and seizures;
…
(11) The privacy of communication and correspondence;
…”
5
Disini vs. Secretary of Justice, G.R. No. 203335, February 11, 2014.
(https://ramrodriguez.wordpress.com/2015/07/03/the-scope-of-privacy-in-digital-world-under-philippine-law-
and-jurisprudence/#_ednref6)
6
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf
7
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf
 There are several laws that have been passed by the Congress regarding privacy
of individuals such as Republic Act 10175 or The Cybercrime Prevention Act of 2012,
Republic Act 8792 or The E-Commerce Act, and Republic Act 10173 or The Data Privacy
Act of 2012.

Republic Act 10175 or The Cybercrime Prevention Act of 2012,

The Cybercrime Prevention Act was passed to penalize crimes which are
committed with the use of computer. It also protects individual or entities from
intellectual property infringements by its cyber-squatting provision. Chapter II Section 4
(a) (6) of the law provides the acts constituting cyber-squatting:

Republic Act 8792 or The Electronic Commerce Act

Electronic Commerce is defined as the process of buying and selling goods
electronically by consumers and from company to company through computerized
business transactions.8
The law provides in its declaration of policy that “the State recognizes the vital
role of information and communication technology (ICT) in nation-building” and further
provides that the State recognizes “the need to create an information-friendly
environment which supports and ensures the availability, diversity and affordability of
ICT products and services.”9
The declaration of policy further recognizes the “obligation to facilitate the transfer
and promotion of adaptation technology for the national benefit” and further states “the
need to marshal, organize and deploy national information infrastructures, comprising
both telecommunications network and strategic information services, including their
interconnection to the global information networks, with the necessary and appropriate
legal financial, diplomatic and technical framework, systems and facilities.” 10
Section 24 provides that parties to any electronic transaction are free to determine
the type and level of electronic data message or electronic document security needed, and
to select and use or implement appropriate technological methods that suit their needs.
It merely provides that the parties involved may control the level of security they need.
It may include the type and level of encryption they would like to employ when
transmitting data to one another, or maybe the security software they would use to
prevent data leakage as the data passes through the network. 11
Section 32 provides for an obligation of confidentiality on the part of the collecting
person or entity with regard to any electronic information obtained.12

8
G. Sy, Electronic Commerce Act 73 (2001) (https://ramrodriguez.wordpress.com/2015/07/03/the-scope-of-
privacy-in-digital-world-under-philippine-law-and-jurisprudence/#_edn12)
9
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf
10
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf
11
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf
12
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf
 Neither do these two provisions specifically refer to personal data. Without
jurisprudence to test these definitions as regards informational privacy, it can at most
only be inferred and maybe even hoped that these definitions would cover informational
privacy. Such makes the electronic commerce act insufficient.13

Republic Act 8792 or The E-Commerce Act (ECA) has the following salient
features: (1) it provides legal recognition of electronic data messages, signatures, and
documents and their communication; (2) it penalizes hacking and privacy; (3) it
recognizes the vital role of information and communications technology in nation
building; (4) it facilitates domestic and international dealings, transactions,
arrangements, contracts and exchanges and storage of information; it applies to both
commercial and non-commercial transactions; (5) it made the Department of Trade and
Industry (DTI) the lead agency to direct and supervise the promotion and development
of electronic commerce in the country; and (6) it provides for the extent of liability of
service providers.

Republic Act 10173 or The Data Privacy Act of 2012

It established the National Privacy Commission tasked to ensure that proper
handling of privileged and sensitive information of an individual, also called the data
subject, by the data controllers and data processors.
The scope of the law is broad enough to grant reliefs to those whose right to
privacy have been intruded. Information Technology (IT) industry and Business Process
Outsourcing (BPO) industry will benefit most in this law because of the size of
information processed in these industries which must be within the standards of
International Standards of privacy for them to be able to compete in the global market.14

II. International Legal Frameworks on Privacy and Data Protection

A. The Universal Declaration of Human Rights mandates that, “no one shall
be subjected to arbitrary interference with his privacy” and “everyone has
the right to the protection of the law against such interference or attacks.”15
B. European Convention on Human Rights16 and American Convention on
Human Rights17 recognize privacy as a human right.

13
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf
14
https://ramrodriguez.wordpress.com/2015/07/03/the-scope-of-privacy-in-digital-world-under-philippine-law-
and-jurisprudence/#_ednref12
15
Article 12 of the Universal Declaration of Human Rights. See also Article 17 (1) and (2) of the International
Covenant on Civil and Political Rights.
16
Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 4.XI. 1950.
17
Article 11 of American Convention on Human Rights "PACT OF SAN JOSE, COSTA RICA" (B-32).
 C. The European Union adopted several Directives on data protection18,
further its constitutional instruments now recognize that protection of
personal data is in itself a basic human right separate from the broader right
to privacy.

In 1980, the Organization for Economic Cooperation and Development (OECD)

developed guidelines based on the principle that privacy protection is an
important human right. The free flow of trans-border data is a prerequisite for a
free economy19, but such free flow of information is affected by privacy protection.

The OECD Privacy Guidelines broadly influenced policy-making by introducing

broad principles that can harmonize privacy protection in different states. It set
out the following eight basic privacy principles:
1. Collection Limitation – Requires that the collection of data be limited to
what is RELEVANT and NECESSARY for the purposes for which they are
collected and that it will be obtained by lawful and fair means with the
knowledge of the data subject.
2. Data Quality. Personal data collected should be relevant for the purpose for
which it is to be used, to the extent necessary for these purposes, and should
be accurate and up to date.
3. Purpose Specification and Notice. The purpose for which personal data are
collected should be specified not later than the time of data collection. The
subsequent use of data is limited to such purposes and to other purposes
not incompatible with such.
4. Use Limitation. As a general rule, data should not be disclosed, made
available or used for purposes other than those specified for its collection.
The exceptions are when the individual consents or when the law so
requires its disclosure.
5. Security Safeguard. This requires that personal data be protected by
reasonable security safeguards against risks like loss, unauthorized access,
destruction, use, modification or disclosure of data.
6. Openness. This refers to practices and policies regarding personal data.
Means should be readily available for establishing the existence and nature
of personal data, and the main purposes of their use, as well as identity and
usual residence of the data possessor or collector.
7. Individual Participation. The individual should have the right to have
reasonable access to data collected, the right to challenge data relating to

18
Directive 96/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the
Free Movement of such Data (“EU Directive”)
19
Tony Lam An Overview of the Principles Established by the APEC Privacy Framework, available at
http://www.apec.org.
(http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf)
 him or her and, if the challenge is unsuccessful, to have the data erased,
rectified, completed or amended.
8. Accountability. The data controller is made accountable for giving effect to
these principles by complying with the protection accorded the individual.

In November 2004, the APEC nations endorsed its Privacy Framework.20 The
framework, which consists of nine principles, aims to balance privacy rights and
the public interest in e-commerce. The principles are as follows:
1. Preventing Harm. The aim of privacy protection is to prevent harm to
individuals resulting from wrongful collection or misuse of their personal
information. This principle endorses proportionality, for example,
remedies should be proportional to the likelihood and severity of the risk
of harm.
2. Notice. A data controller must inform the individual the purpose for which
personal information is being collected. This principle also requires that all
reasonably practicable steps, including the use of web sites, be taken to
provide the notice before or at the time of data collection.
3. Collection Limitation. This is similar to the OECD principle.
4. Use of Personal Information. Use of personal information should be limited
to fulfilling the purposes of collection and other compatible or related
purposes.
5. Choice. This provides individuals with mechanisms to exercise choice in
relation to the collection, use and disclosure of their personal information.
6. Integrity of Personal Information. Personal Information should be accurate,
complete, and kept up-to-date to the extent necessary for the purpose of
use.
7. Security Safeguards. Appropriate security safeguards are required to be
applied to personal information provided these safeguards are
proportional to the likelihood and severity of the information and the
context in which it is held.
8. Access and Correction. Individuals are given the right to access their
personal information, challenge its accuracy, and request correction when
appropriate. However, access need not be provided if the burden or
expense of doing so would be unreasonable or disproportionate to the risks
or disclosure to the individual would compromise security or the
confidentiality of commercial information.
9. Accountability. The data controller is accountable for complying with
measures that give effect to the said principles. 21

III. Public Disclosure of Private Facts

20
APEC Privacy Framework, available at http://www.apecsec.org.sg
(http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf)
21
http://www.ateneolawjournal.com/Media/uploads/d64d00e31ff6fda3ad1982c86d6cf5c0.pdf