This Tuesday, September 8, the Data Privacy Act of 2012 (DPA) — the country’s comprehensive data protection law — will be eight years old, counted from the day it actually came into effect. The following day, September 9, the statute’s Implementing Rules and Regulations (IRR) will also celebrate their fourth year of effectivity.
For a privacy practitioner, the opportunity to ponder on the significance of these milestones is hard to resist. The law and the government body it gave birth to — the National Privacy Commission (NPC) — are important cogs of the Philippine government’s human rights apparatus. With this, one has to ask: have they actually lived up to the hype they initially generated?
Recently, the NPC made much of the fact that the President gave special mention to data privacy in his State of the Nation Address (SONA). It went so far as to gather quotes from notable figures in the field, lauding the executive for his perceived commitment to the advocacy, premised on the notion that it was a valid indicator of just how serious people are now looking at data privacy.
I don’t think it was. Holding on to a belief like that glosses over the fact that the President himself regularly steps over the bounds set by the DPA. His tirades which often involve the disclosure of personal data and his propensity to come up with lists of individuals he links to the illegal drug trade are recurring examples.
Also, like many people still, his appreciation of the true scope of data privacy remains suspect. In his speech, the President basically associated data privacy almost exclusively with the online environment. Everyone ought to know by now that it is so much bigger than that.
If not the President’s sentiments then, where does one turn to for an effective gauge of the role data privacy plays today in our domain?
The answer to that is actually everywhere. One just has to care enough to see it.
These past couple of years, I could sense a growing apathy among people and institutions when it comes to complying with the DPA.
Interest remains confined to the major urban centers, with only multinationals and large organizations making significant investments in compliance initiatives. Often, they do so not because they are afraid of getting fined by the NPC or of being sent to prison by the courts, but rather because they need to transact with their foreign counterparts who insist that data protection be made an integral part of their relationship. Either that or because their engagements are with one another — all similarly invested already to the cause.
One cannot blame them. To date, there has yet to be a prominent local case exhibiting the successful application of the law. Meanwhile, it is common to hear of such cases in countries and regions with strong and effective data protection regulations.
Anyone quick to point to the 2016 “Comeleak” incident should reassess their position and appreciate the fact that no one has really been held to account for that fiasco. No one was found administratively liable, while the NPC’s recommendation for prosecution has remained unheeded to this day. It is for this reason that fear-mongering tactics that use that as an example have not aged well. After all, what is one supposed to be afraid of — getting away with crimes or at least incompetence?
But there must have been plenty of investigations, though, right? The NPC launched a considerable number of them for perceived violations of the law, including those involving confirmed and suspected data breaches. We know this because they were announced to the public, frequently with fanfare. Were they ever resolved? If so, no one seems to be saying anything about it.
Fast-forward to the current pandemic. There is little about it one can look to with favor. But if it is to have one, it is how it surfaces or highlights existing problems that normally manage to linger under the radar. And it has certainly done this vis-à-vis the state of our data privacy landscape.
Almost half a dozen months into this crisis, people have witnessed numerous violations of the DPA. The worst of them committed by government officials and offices, usually involving the identification of Covid-19 cases or, at the very least, people’s health information. Issues have also been raised regarding the introduction and use of technologies developed specifically to address the spread of the virus or its impact on society.
Response has so far been in the form of some guidelines, a couple of advisories, and a number of press statements and public reminders. Meanwhile, there has been no news of erring parties getting penalized, or sanctions being imposed, or some other type of penalty being meted out. It is unclear if cases have been filed or if, at least, motu proprio investigations have been initiated for the more blatant transgressions.
In the meantime, other compliance directives by the NPC appear to be stuck in limbo. Its prescribed registration for data processing systems and its annual security incident reporting requirement come to mind. No one is benefitting from this stagnation, except maybe those who do not care for these things anyway.
Early into its work, the NPC made it a point to describe its role as an enabler, rather than a heavy-handed regulator. It aims to make things easier for everyone, it is fond of saying. Make it easy for individuals to assert their rights. Make it easy for companies to comply with the law.
Being an enabler, though, cuts both ways. If the strategy is used properly, it can empower those who lack capacity. If not, it is tantamount to tolerating or even encouraging abuses or wrongdoings.
Eight and four years into their existence, the DPA and the NPC respectively are at a crucial junction. If they are to remain relevant not just in the local regulatory ecosystem, but in the overall consciousness of Filipinos and residents alike, they have to confront difficult issues head on and with consistency. They will sometimes find themselves at odds with other laws and other government offices, but that is how regulatory agencies work.
Meanwhile, there are a lot of gaps in the law to plug through appropriate regulatory issuances. Enforcement has to be a key priority, too. Without it, what good are the policies for? Sure, information dissemination will always be necessary and needs to continue. But it can’t be all there is to it.
Playing catch up is tricky. It allows one to reminisce good memories, but it tends to unearth bad ones as well. My hope is that when the DPA celebrates its first decade of existence, it will be more of the former. With luck, we will see this important legislation and the office charged with its implementation realizing their true potential as wardens of a fundamental privacy right and protectors of the people.
The author is a lawyer, artist, photographer, and privacy advocate