People
say that the internet makes everything easier for them, but using the internet
also has its disadvantages which may put the users in danger. According to an
article, the common uses of the Internet are for (1) browsing, either for
research purpose, information or to learn some new things; (2) communication in
the forms of emails, chats, video and chats, and video conferences; (3) to
build and take part in discussion forums; and (4) the buying and selling over
the internet, or online shopping.
For
research purposes, users have to make sure that they would also look into other
sources aside from the internet because there are a lot of wrong information on
the internet. In the use of emails, chats, video chats, and video conferences
and taking parts in discussion forums, it may be easier and less costly than
the use of cellular phones or sending of telegrams, but due to the internet,
some users are having a hard time socializing and communicating with other
people in front of them and prefer to just socialize with other people in front
of their monitors. In online shopping, the buyer is required to enter his/her
credit card number in order to effect payment.
With
all the people around the world, how many of them are protected from all the
disadvantages of using the internet?
According
to NBC News,
"Government restrictions on the Internet have risen
over the past year around the world as regimes use violence against bloggers
and turn to censorship and arrest to squelch calls for reform."
And due to the disadvantages of the
use of the internet, some countries have already monitored their users, and even
implemented restrictions. A report on NBC News stated that:
"Pakistan ,
Bahrain and Ethiopia Tunisia ,
Libya and Burma , all countries that have seen dramatic
political opening or regime changes, improved over previous years along with 14
other countries, the U.S. Vietnam United States
Methods for controlling free speech on digital media
also have grown more sophisticated and diverse the past year.
Governments have passed new restrictive laws in 19
states. In Iran Pakistan China
In the Philippines Philippines
In
the case, Blas F. Ople vs. Ruben D. Torres, et. al., G.R. No. 127685, the
Petitioner prayed that A.O. No. 308 be invalidated due to two constitutional
grounds: (1) it is a usurpation of the power of
Congress to legislate; and (2) it impermissibly intrudes on our citizenry's
protected zone of privacy. The petitioner contended that:
A. The
establishment of a national computerized identification reference system
requires a legislative act. The issuance of A.O. No. 308 by the President of
the Republic of the Philippines
is, therefore, an unconstitutional usurpation of the legislative powers of the
Congress of the Republic of the Philippines
B. The
appropriation of public funds by the President for the implementation of A.O.
No. 308 is an unconstitutional usurpation of the exclusive right of Congress to
appropriate public funds for expenditure.
C. The
implementation of A.O. No. 308 insidiously lays the groundwork for a system
which will violate the Bill of Rights enshrined in the Constitution.
The
Supreme Court ruled in favor of the petitioner, Blas F. Ople. In the decision
of the Court, it was stated that it is beyond the power of the President to
issue A.O. No. 308, and that A.O. No. 308 should not be even considered as an
Administrative Order. The decision also stated that the A.O. No. 308 violates
the right to privacy. A portion of the decision reads as follows:
"While
the Congress is vested with the power to enact
laws, the President executes the laws. The
executive power is vested in the Presidents. It
is generally defined as the power to enforce and administer the laws. It is the power of carrying the laws into
practical operation and enforcing their due observance. Administrative power is
concerned with the work of applying policies and enforcing orders as determined
by proper governmental organs. It
enables the President to fix a uniform standard of administrative efficiency
and check the official conduct of his agents. To
this end, he can issue administrative orders, rules and regulations.
Assuming, arguendo, that A.O. No. 308 need not be the subject of a law,
still it cannot pass constitutional muster as an administrative legislation
because facially it violates the right to privacy. The essence of privacy is
the right to be let alone.
The right to privacy is one of the most threatened rights of man living
in a mass society. The threats emanate from various sources — governments,
journalists, employers, social scientists, etc. In the case at bar, the threat comes
from the executive branch of government which by issuing A.O. No. 308 pressures
the people to surrender their privacy by giving information about themselves on
the pretext that it will facilitate delivery of basic services. Given the
record-keeping power of the computer, only the indifferent fail to perceive the
danger that A.O. No. 308 gives the government the power to compile a
devastating dossier against unsuspecting citizens."
But in his dissenting opinion, Justice Kapunan stated
that the President has the right to issue A.O. No. 308, and that:
"The National Computerized Identification Reference
System was established pursuant to the afore-quoted provision precisely because
its principal purpose, as expressly stated in the order, is to provide the
people with the facility to conveniently transact business with the various
government agencies providing basic services. Being the administrative head, it
is unquestionably the responsibility of the President to find ways and means to
improve the government bureaucracy, and make it more professional, efficient
and reliable, specially those government agencies and instrumentalities which
provide basic services and which the citizenry constantly transact with."
The issues in this case are (1)
whether the issuance of the A.O. No. 308 is unconstitutional; and (2) whether
such Administrative Order violates the right of the people to privacy.
I agree with what Justice Kapunan and
Justice Mendoza said in their dissenting opinion. An Administrative Order is
defined, under the 1987 Administrative Code, is an act of the President which relate to particular aspects of governmental
operations in pursuance of his duties as administrative head shall be
promulgated in administrative orders.
In issuing Administrative Order No. 308, the
President's purpose was to improve government bureaucracy. As the
administrative head, the President has the right to issue such order to ultimately
achieve administrative efficiency. Moreover, such Administrative Order does not
require all the people to avail the benefits that A.O. No. 308 provide. It is
merely voluntary.
In implementing A.O. No. 308, advanced methods of the Biometrics Technology may pose danger to the
right of privacy of the people but the standard set states that:
"The need to
provide citizens and foreign residents with the facility to conveniently transact business with basic
service and social
security providers and
other government instrumentalities; the computerized system is intended to properly and efficiently identify persons seeking basic
services or social security and reduce,
if not totally eradicate fraudulent transactions and misreprentation;
the national identification reference system is established among the key
basic services and social security providers; and finally, the IACC
Secretariat shall coordinate with different Social Security and Services
Agencies to establish the standards in the use of Biometrics Technology.
Consequently, the choice of the particular form and extent of Biometrics
Technology that will be applied and the parameters for its use (as will be
defined in the guidelines) will necessarily and logically be guided, limited
and circumscribed by the afore-stated standards. The fear entertained by the
majority on the potential dangers of this new technology is thus securedly
allayed by the specific limitations set by the above-mentioned standards. More
than this, the right to privacy is well-esconced in and directly protected by
various provisions of the Bill of Rights, the Civil Code, the Revised Penal
Code, and certain laws, all so painstakingly and resourcefully catalogued in
the majority opinion. Many of these laws provide penalties for their violation
in the form of imprisonment, fines, or damages. These laws will serve as
powerful deterrents not only in the establishment of any administrative rule
that will violate the constitutionally protected right to privacy, but also to
would-be transgressors of such right."
The standards set show that the
information of the people will be protected by the government. And in cases
where it is possible that information may be disclosed, there is a sufficient number
of laws prohibiting and punishing any such unwarranted disclosures.
According to Justice Mendoza, A.O.
No. 308 does not violate the right of the people to privacy because such Order
requires only an identification system based on data which the government
agencies involved have already been requiring individuals making use of their
services to give.
After reading the case of Ople vs.
Torres and all the separate opinions of the Justices who heard such case, it
may be concluded that there would always be pros and cons in adapting into the
advancement of technology. New developments may really be hard to adapt at
first, but it may be regulated of standards and methods will be set. And if
violations would really be inevitable, corresponding penalties should be
provided by the government.
When Republic Act No. 10173, entitled
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR
THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES, the
government clearly stated that the right to privacy of the people would be
protected by such Act. Section 2 of the Act reads as follows:
"SEC.
2. Declaration of Policy. – It is the
policy of the State to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and
growth. The State recognizes the vital role of information and communications
technology in nation-building and its inherent obligation to ensure that
personal information in information and communications systems in the
government and in the private sector are secured and protected."
Just like in A.O. No. 308, the people
would have to give out their information to the government and rely that the
latter would protect the information given. There is also an agency responsible
in administering and implementing the provisions in order to ensure the
compliance of the people with the standards set, both in the R.A. 10173 and in
A.O. No. 308.
The only difference in A.O. No. 308 and
R.A. No. 10173 is that in the latter, the government was able to emphasize on
the provisions stating how the information given by the people would be
protected.
Section
20 of R.A. No. 10173 speaks of the measures to be observed in order to protect
the personal information of the people against any accidental or unlawful destruction, alteration and disclosure, as
well as against any other unlawful processing. The provision reads as follows:
"SEC.
20. Security of Personal
Information. – (a) The
personal information controller must implement reasonable and appropriate
organizational, physical and technical measures intended for the protection of
personal information against any accidental or unlawful destruction, alteration
and disclosure, as well as against any other unlawful processing.
(b)
The personal information controller shall implement reasonable and appropriate
measures to protect personal information against natural dangers such as
accidental loss or destruction, and human dangers such as unlawful access,
fraudulent misuse, unlawful destruction, alteration and contamination.
(c)
The determination of the appropriate level of security under this section must
take into account the nature of the personal information to be protected, the
risks represented by the processing, the size of the organization and
complexity of its operations, current data privacy best practices and the cost
of security implementation. Subject to guidelines as the Commission may issue
from time to time, the measures implemented must include:
(1)
Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;
(2)
A security policy with respect to the processing of personal information;
(3)
A process for identifying and accessing reasonably foreseeable vulnerabilities
in its computer networks, and for taking preventive, corrective and mitigating
action against security incidents that can lead to a security breach; and
(4)
Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a
security breach.
(d)
The personal information controller must further ensure that third parties
processing personal information on its behalf shall implement the security
measures required by this provision.
(e)
The employees, agents or representatives of a personal information controller
who are involved in the processing of personal information shall operate and
hold personal information under strict confidentiality if the personal
information are not intended for public disclosure. This obligation shall
continue even after leaving the public service, transfer to another position or
upon termination of employment or contractual relations.
(f)
The personal information controller shall promptly notify the Commission and
affected data subjects when sensitive personal information or other information
that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes (bat such
unauthorized acquisition is likely to give rise to a real risk of serious harm
to any affected data subject. The notification shall at least describe the
nature of the breach, the sensitive personal information possibly involved, and
the measures taken by the entity to address the breach. Notification may be
delayed only to the extent necessary to determine the scope of the breach, to
prevent further disclosures, or to restore reasonable integrity to the
information and communications system."
While Section 22 of the
same Act speaks of how sensitive personal information should be protected by
the heads of agencies. The provision states that:
"All sensitive personal information maintained by the
government, its agencies and instrumentalities shall be secured, as far as
practicable, with the use of the most appropriate standard recognized by the
information and communications technology industry, and as recommended by the
Commission. The head of each government agency or instrumentality shall be
responsible for complying with the security requirements mentioned herein while
the Commission shall monitor the compliance and may recommend the necessary
action in order to satisfy the minimum standards."
Sections 20 and 22 of R.A. 10173 are the
provisions lacking in A.O. No. 308 which caused the petitioner to file a
petition alleging that the Order violates the right to privacy of the people. A.O.
No. 308 failed to assure the people that all personal information given will be
protected by the government.
Wherefore, I think R.A. 10173 will provide sufficient mechanism to the introduction of a
national I.T. system in the Philippines
References:
1. http://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html. Accessed May 5, 2013.
2. http://www.gov.ph/2012/08/15/republic-act-no-10173/. Accessed May 5, 2013.
3. http://www.nbcnews.com/technology/technolog/more-countries-restrict-internet-stifle-critics-report-1B6042342. Accessed May 5, 2013.
4. http://www.bizymoms.com/computers-and-technology/uses-of-the-internet.html. Accessed May 5, 2013.
[Disclaimer: This blog is for our Technology and the Law class only. The contents of this entry is the writer's opinion and is not intended in any way to serve as a legal advice.]
Please provide your analysis of Sections 20 and 22 of the Data Privacy Act as to its sufficiency in addressing the constitutionality issues raised in AO No. 308.
ReplyDelete