On History of Philippine Privacy Laws
Privacy is nothing new to the Philippine scene. For example, the 1950 Civil Code of the Philippines contains a provision protecting letters and other private communications in writing from being published or disseminated without the consent of the writer or his heirs. In 1965, Republic Act No. 4200 prohibited wiretapping except for the purpose of law enforcement and even then, generally applicable only to crimes against the national security and other serious offenses. The Philippine Constitution itself protects the individualâs right to be secure in their person, house, papers and effects against unreasonable searches and seizures and guarantees the individualâs right to the privacy of communication and correspondence.
Special attention should be made of Ople vs. Torres, a 1998 Supreme Court case that tackled the potential disuse of personal data in the adoption of a National ID System in the Philippines. After recognizing that the individualâs right to privacy is enshrined in the Constitution, the Supreme Court declared the order issued by the President for the implementation of the National ID System unconstitutional as the lack of a specific purpose in the order âcan give the government the roving authority to store and retrieve information for a purpose other than the identification of the individual through his PRN.â It suffered from proper safeguards such as âwho shall control and access the data, under what circumstances and for what purpose.âÂ
The Supreme Court categorically rejected the Solicitor Generalâs argument that the purposes of the order justify the incursions into the right to privacy considering that the means are rationally related to the end. The Supreme Court ruled that other than lacking sufficient safeguards within the administrative order itself, the government also failed to prove compelling interests to justify diminishing the individualâs right to privacy.Â
These principles espoused by the Supreme Court â purpose limitation, security and lawfulness â would later be statutorily guaranteed by the passage of the Data Privacy Act of 2012 (DPA). Signed as Republic Act No. 10173 on 15 August 2012, the law marks the first time in the Philippines that data protection and informational privacy was expressly identified, secured and protected.Â
The DPA is part of three âcyberlawsâ pushed by the Philippine Congress, the other two being the Cybercrime Prevention Act of 2012 and the Department of Information and Communications Technology Act of 2015. In his sponsorship speech of the bill that would become the DPA,11 Senator Edgardo Angara declared that the privacy law was adopted to help the outsourcing industry in the Philippines to maximize its potential. At this time, other countries in Asia have also been developing their own privacy laws, threatening to undermine the country from attracting outsourcing companies with a European clientele.Â
Senator Angara also expressly acknowledged that the bill closely follows the Asia-Pacific Economic Cooperation (APEC) 2005 Privacy Framework over other private regulations. Unlike the EU model, the 2005 APEC Privacy Framework is more flexible when it comes to cross-border data flows â a must for the Philippines, considering the movement of data between BPOs and the PICs overseas. This is not to say, of course, that the Philippines ignored the EU model: The APEC Privacy Framework is still consistent with the core values of the OECD Guidelines, itself partly consistent with the abovementioned Convention 108. In the end, the DPA reflects the international flavor of data protection, adapted and filtered through distinctly Filipino needs.