Monday, May 20, 2013

Technology and the Law


A Critique on MalacaƱang’s Clarifications to the IP Code Amendments



xxx the language of intellectual property exists. It has political reality in the world. Sometimes the language confuses and misleads. There are two possible reactions to such a reality. One can reject it and insist on a different and “purified” nomenclature, or one can attempt to point out the misperceptions and confusions using the very language in which they are embedded.
 -James Boyle, The Public Domain: Enclosing the Commons of the Mind[1]

Introduction

            Intellectual property is not a fairly new concept in Philippine society.  A concrete proof could be found in the earlier Coca-Cola tansan where, during the ‘80s the words “Reg. Phil. Pat. Off.” can be found.  Or that symbols such as ® or accompany every product, restaurant, book or phrase as a sign that it is a protected property.

            In the Philippines, the regime of intellectual property predates any other international treaty on intellectual property in which the country is a signatory.[2]  There were already existing intellectual property laws as early as 1879 such as the Spanish Law on Intellectual Property and the Spanish Patent Law of 1888.[3] Two (2) relevant laws were passed in 1947, Republic Act 165 which created the Philippine Patent Office and Republic Act 166 or the Trademark Law.  In 1972, Presidential Decree 49 or the Copyright Law was enacted.

            Section 9(3) Article XV of the 1973 Constitution recognized “[t]he exclusive right to inventions, writings, and artistic creations shall be secured to investors, authors and artists [for a limited period].”  A more specific provision on the state’s responsibility to protect intellectual property was included in the 1987 Constitution, more specifically Section 13 Article XIV thereof which provides for protection and security of “the exclusive rights of scientists, inventors, artists, and other gifted citizens to their intellectual property and creations, particularly when beneficial to the people, x x x.”

            Right after the promulgation of the 1987 Constitution or on February 27, 1987, President Corazon Aquino issued Executive Order 133 which created the Bureau of Patents, Trademark and Technology Transfer (BPTTT).  In 1993, the Inter-Agency Committee on Intellectual Property Rights under the Office of the President was created by virtue of Executive Order 60.

RA 8293: Intellectual Property and the Globalization Framework in the Philippine Setting

            In 1995, the Senate ratified the Uruguay Round of the General Agreement on Tariffs and Trade (GATT) which is now the World Trade Organization or the WTO.  The WTO’s Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPs) introduced intellectual property rules “into the multilateral trading system for the first time”[4] and establishes the required minimum protection that governments have to give to other WTO member-countries.[5] 

            The above factual context is important since the enactment of Republic Act 8293 or the Intellectual Property Code is one of measures made by the Philippine government to prove its compliance with the TRIPs.  RA 8293 created the Intellectual Property Office (IPO) and repealed other inconsistent provisions of existing laws and consolidated patent, trademarks and copyright laws into a single intellectual property law.[6]  Special intellectual property courts were likewise designated and later on Special Commercial Courts were likewise designated to try and hear intellectual property related cases.

            Truly then, intellectual property rights, as Father Ranhilio Aquino would say, are about economic interests.[7] Investments through investor confidence, international pressure and the enforcement of intellectual property rights and protection are all inter-related.  Globalization threw technology and information in the midst of a competitive yet protectionist, profit-driven and oriented and volatile international market.

            Lastly, to cap this discussion, a phrase as cited in an online article is worth stressing:

[B]y the close of the twentieth century, in highly developed market economies at least, most symbolic production and human creativity have been captured by and subjected to market relations. Private ownership of the cultural means of production and the sale of the outputs for profit have been the customary characteristics. The exceptions - publicly supported libraries, museums, music - are few, and they are rapidly disappearing. The last fifty years have seen an acceleration in the decline of nonmarket-controlled creative work and symbolic output. At the same time, there has been a huge growth in commercial production.[8]

The Amendments to the Intellectual Property Code

Sometime in May 2011, the House of Representative approved on third reading House Bill 3841 introducing amendments to specific provisions of RA 8293.  Congressman Rufus Rodriguez, one of the authors of the Bill stated that one of its aims is to “give as much concern to the rights of performers, phonogram producers and broadcasters in the same breath as those accorded authors of artistic and literary works.”[9]  Another co-author, Aurora Representative Juan Edgardo Angara declared that the goal of the amendments is “to provide an internet environment where it is safe to distribute and license protected material.”[10] The Senate eventually passed its counterpart, Senate Bill 2842.

While Filipinos were right in the middle of the uproar created by the Cybercrime Law, President Benigno Aquino III signed into law Republic Act 10372 (An Act Amending Certain Provisions of Republic Act No. 8293, otherwise known as the Intellectual Property Code of the Philippines, and for Other Purposes) on February 28, 2013. 

The new law immediately came under fire from netizens and lawyers who raised the issue on the introduction of “problematic” amendments to the law[11] including provisions that directly violate the Constitution.[12] 

Section 7 of the amended law, expanded the power of the Intellectual Property Office (IPO) Director General and Deputies Director General.  In the original law, the IPO only exercises quasi-judicial functions over decisions rendered by other administrative bodies and those relating to disputes in licensing terms.  In RA 10372 however, the law expanded the powers of the IPO, through its Director General and Deputies Director General to include enforcement functions and visitorial powers without the benefit of a judicial warrant.

Lawyers were fast enough to raise the question of the validity of this specific amendment of the law for being violative of due process, equal protection, the right against unreasonable searches and seizures and an encroachment into the powers of the judiciary.[13]  With both the power to enforce the law and its quasi-judicial functions, the IPO and its officials will act both as the judge and the executioner at the same time.  Moreover, it seems that no other government agency, aside from the IPO, performs both quasi-judicial power and enforcement function at the same time.[14]  It should be stressed that prior to the amendment, only law enforcement agencies under the National Committee on Intellectual Property Rights, which include the BOC, the NBI, OMB and the PNP could pursue, arrest and prosecute suspected counterfeiters.[15]

The law further amended the definition of “communication to the public” (Section 171.3) and “reproduction” (Section 171.9).  Additional concepts such as “technological measure” (Section 171.12) and “rights management information” (Section 171.13) were likewise included in the amendments.

Sections 190.1 and 190.2, which contain the right to import copyrighted works even with the objection of the copyright owner, were completely deleted under RA 10372.  This provision of the law allows people to bring into the country at least three (3) copies of a copyrighted material under the certain circumstances.[16]

The deletion of this particular section drew flak from many sectors of society that it even incited a debate between IPO Director-General Ricardo Blancaflor and investigative journalist and blogger, Ms. Raissa Robles.[17]  Blancaflor in an interview with the news channel, ANC, said the provision was taken out “so you can bring as many as you can as long as you are not infringing and they are covered by fair use.”[18]  Lawyer and IT Expert and UP Professor of Law, Atty. JJ Disini on the other hand, countered Blancaflor’s statement by simply saying that the “reasonable interpretation is that Congress intended for you not to have that right…”[19]

Temporary reproduction and the removal of the personal use exception existing under Section 212 of RA 8293 makes a person copying or reproduction for personal use liable for infringement under the amended law.

Lawyer Atty. Elpidio V. Peria again expressed concern that such amendments are disadvantageous to ordinary users, students and researchers saying that the new law “severely disadvantaged the broader right of the people for access to knowledge.”[20] 

In a strongly worded statement, democracy.net.PH said that the amendment “is a dangerous measure that potentially criminalizes daily actions” which are crucial to Filipinos.[21]

Malacanang Explains (or at Least Attempted To).

Probably in an attempt to at least tone down the debate on the IP Code amendments so as to prevent it from turning into an uproar both online, on the streets and into the courts, the government issued a 6-point clarification in the form of frequently asked questions (FAQs) in the Official Gazette website captioned “FAQs on the Amendment to the Intellectual Property Code of the Philippines.”[22]

But the question still is, did these supposed FAQs clarify or substantially appease the public’s clamor for the rightful exercise of their constitutionally enshrined freedoms?

This author believes that it does not.  The questions were phrased in such a way that they are hermeneutically-distorted.  Malabnaw, as we usually call it.  The FAQs did not only muddle the issues, it even swayed away from the major one, which is, whether these amendments could stand the test of constitutionality.

a. Expanded Powers of the IPO

The last question in the FAQs is, ironically, the most important question that the people would probably want more to know: Is it legal for the Intellectual Property Office (IPO) to visit businesses to conduct searches based on reports, information, and complaints? The government answered in the affirmative and in its own defense, proceeded right away with a statement that “this in itself is constitutional.”  It emphasized that there would still be a need for the IPO to secure a search warrant but that the same can be dispensed with if the IPO is accompanied by the BOC and the OMB who can allegedly perform warrantless searches and seizures.

The government’s answer to this particular question is vague and is actually misleading.

Section 7 of the amended IP Code violates the constitutional guarantee against unreasonable searches and seizures.  Article III Section 2 of the 1987 Constitution should be re-echoed in full for emphasis and reiteration:

Section 2.  The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

The answer to FAQ #6 issued by the government failed to mention that Sec 7(d) of the amended law clearly ignored the fact that as a general rule, a search warrant must be procured from the courts before a valid search and seizure are made.  While it is true that this rule is not absolute because there are exemptions provided thereto, these exemptions must pass the test of reasonableness to be valid and the determination of reasonableness, uniqueness of the circumstances involved, the purpose for which the search and seizure was made and the absence or presence of probable cause and the manner in which it is made are all purely judicial questions.[23] More so because a warrantless search is a derogation of a constitutional right, a public office, official or officer cannot invoke regularity in the performance of their duties as a defense.[24]

As Justice Nachura accentuated in the case of Valeroso vs CA,

Unreasonable searches and seizures are the menace against which the constitutional guarantees afford full protection.  While the power to search and seize may at times be necessary for public welfare, still it may be exercised and the law enforced without transgressing the constitutional rights of the citizens, for no enforcement of any statute is of sufficient importance to justify indifference to the basic principles of government. Those who are supposed to enforce the law are not justified in disregarding the rights of an individual in the name of order.  Order is too high a price to pay for the loss of liberty.[25]

Further, Section 7 of the amended law exacerbates the susceptibility of the public to further rights violation. 

The government compares the warrantless search and seizure of the IPO to that of the BOC and the OMB.  This is deceiving and misleading. 

First, Republic Act 9239 (An Act Regulating Optical Media, Reorganizing for this Purpose the Videogram Regulatory Board, Providing Penalties Therefor, and for Other Purposes), does not dispense of a judicial search warrant.  In Section 10 (e) thereof, one of the powers and functions of the OMB is to “apply for or obtain search warrants from any court of law” and only to take preventive custody of any seized item.  The same is true with the Bureau of Customs.  While this is true with the Tariffs and Customs Code of the Philippines, the same is also with limitations as they could only conduct this under a specific purpose and only within their collection district.

Second, the visitorial powers given to the IPO is very much different compared to that given to the Department of Labor and Employment (DOLE), the Bangko Sentral ng Pilipinas (BSP) and the OMB.  These government agencies are tasked to regulate the activities of employers (DOLE), banks (BSP) and optical media producers (OMB) and at the same time issue the necessary licenses and permits for them to operate.  This is different for the IPO since it does not have either licensing or regulatory functions over the use of IP goods.[26]

b.  Reproduction, Infringement, Vicarious Liability and Jailbreaking: Misleading Questions, Misleading Answers

            The second FAQ which the government answered in the negative is whether the reproduction of a copyrighted material for personal purpose is punishable by law.  It averred that when one transfers music from a lawfully-acquired CD into a computer and transfer it into a portable device, there would be no infringement to talk about.

            Again, this is quite misleading.

            Section 171.9 introduced the law’s definition of reproduction which is the making of one (1) or more copies whether it be temporary or permanent and whether it be in whole or in part of a particular work or sound recording in any manner or form.  Clearly, under this provision, there is infringement if and when a copy is made, even a temporary one, of a copyrighted work, without the consent of the copyright owner.  This interpretation is very true more so when Section 171.9 is read together with the deleted portions of the old IP Code on personal use as an exception.

            Again, as Atty. JJ Disini pointed out in his Position Paper against these amendments, such concept and definition would not be realistic in the day-to-day realities of modern day technology.  Say for example, a computer user runs or launches a particular software or listens to a legitimate sound recording over the internet or merely by visiting a legitimate page over the internet, these acts would leave temporary copies of these pages over the computer’s RAM.  Then, eventually, this computer user would be committing infringement and would be liable under the amended law.[27]

            The amendment is even made more confusing and vague in that while Section 216 provides for a very nebulous and obscure definition of what infringement is.  Imagine, a person infringes a right when he “directly commits an infringement.”[28]  But what really is infringement? The law does not actually define it.  This is very dangerous as it allows the IPO to actually go after anyone for doing almost anything that they could arbitrarily interpret as an act of infringement.

            This amended provision would not only be dangerous to individuals but also to legitimate businesses if read together with Section 216(b) on the liability of those who benefit from a particular infringing activity. 

That is why the answers to FAQ #3 and #4 are likewise misleading.

In answering FAQ #5, the government said that mall owners are not automatically penalized for the infringing acts of their tenants because “when a lessor finds out about an infringement activity, he or she must give notice to the tenant, then he or she will be afforded time to act upon this knowledge.”

FAQ # 5 is obviously an answer to the issue raised by Atty. Disini on vicarious liability where he pointed out as an example the liability of a mall owner with his lessees who may be committing an infringing activity under the law.  But take note, despite the government’s answer to FAQ #5, nowhere is there any provision or sentence in Section 216(b) that provides for a specific time or opportunity within which the mall owners could take corrective actions to stop the infringing activity of its lessee.  The government’s answer is quite vague.  How much time will be afforded? The law does not say.

The fourth FAQ is something close to the heart of many Filipino smartphone users who cannot fully enjoy the capabilities of their phone because of expensive software applications.  Is jailbreaking a crime? The government says, jailbreaking or rooting “by themselves” are not illegal.  It only increases the penalty.  Under the amended law it is an aggravating circumstance.  So it is in itself a prohibited act.

c.  Importation Rights or No Right At All


            FAQ #1 is also of great interest for many Filipinos: Am I still allowed to import books, DVDs and CDs from abroad?  Yes, says the government.  It boasts of the fact that the amendment “removed the original limitation of three copies  x x x.  As long as they were legally purchased, you can bring as many copies as you want.”

            This is not only misleading, it is also false.

            Sections 190.1 and 190.2 were completely deleted in the amended law.  These provisions are important since they provide that an individual has a right to import copyrighted works even against the copyright owner’s will.  While this right is limited, an importer does not hold a heavy burden of proving to a customs officer that he is acting within the limitations provided for by law.  On the other hand, a customs officer, will not have unbridled power to detain a supposed illegal or infringing article or material.

            As Atty. Disini succinctly puts it in his critique of the then proposed amendments, the deletion of these provisions creates an importation right “that only the copyright holder or its licensees have the authority to import the works into the country.”[29]

CONCLUSION

            The inevitable conclusion is simple.  The clarifications issued by the government on the amendments of the IP Code through these six-item frequently-asked-questions do not really clarify the law.  These clarifications only muddled the salient points of the law and in truth deprived every Filipinos’ right to be informed.

            Clearly, the amendments to the Intellectual Property Code pose many fundamental issues that must be addressed truthfully since the provisions thereof have a great impact on our individual rights.  It is true that the state has the duty to protect intellectual property rights, but a balance must be created between the rights given to the owners of these intellectual properties and the fundamental rights of each and every Filipino clearly enshrined under our Constitution. 




[2] Zuraida Mae D. Cabilo, “Philippine Intellectual Property Rights under the World Trade Organization, 1995-2005: Implementing the Flexibilities under a TRIPs-Plus Commitment,” at http://journals.upd.edu.ph/index.php/kasarinlan/.../1974 last accessed on 18 May 2013.
[3] Ibid.
[5] Ibid.
[6] Cabilo, supra.
[7] Fr. Ranhilio C. Aquino, “Intellectual Property Rights: Protecting Economic Interests,” at http://www.dlsu.edu.ph/research/centers/cberd/conferences/ipr.pdf last accessed on 18 May 2013.
[9] Philippine News Agency, “House Passes Amendments to Intellectual Property Code,” at http://www.interaksyon.com/article/4513/house-passes-amendments-to-intellectual-property-code last accessed on 19 May 2013.
[10] Ibid.
[11] JM Tuazon, “New Law Under Fire,” at http://www.interaksyon.com/infotech/new-law-under-fire-critics-slam-problematic-ip-code-amendments last accessed on 18 May 2013.
[12] Melvin Calimag, “IP Code Amendments Violate Constitution, Says Internet Lawyer,” at http://newsbytes.ph/2013/03/04/ip-code-amendments-violate-constitution-says-internet-lawyer/ last accessed on 18 May 2013.
[13] Atty. JJ Disini, “Position Paper on the Proposed Amendments to the IP Code.”
[14] Atty. Elpidio V. Peria, “The Enforcement Provisions of the IP Code Amendments Do Not Have Safeguards in Cases of Abuse,” at http://bitsinbits.wordpress.com/2013/02/20/the-enforcement-provisions-of-the-ip-code-amendments-do-not-have-safeguards-in-cases-of-abuse/ last accessed on 18 May 2013.
[15] Alma Anonas-Carpio, “While We Were Not Looking: IP Law Amendments,” at http://www.philippinegraphic.ph/index.php/tech/112-while-we-were-not-looking-ip-law-amendments last accessed on 17 May 2013.
[16]   Section 190.  Importation for Personal Purposes. – 190.1.  Notwithstanding the provisions of Subsection 177.6, but subject to the limitation under the Subsection 185.2, the importation of a copy of a work by an individual for his personal purposes shall be permitted without the authorization of the author of, or other owner of a copyright in, the work under the following circumstances:

         (a)  when copies of the work are not available in the Philippines and:
                                                                                            i.                        not more than one (1) copy at one time is imported for strictly individual use only; or
                                                                                          ii.                        the importation is by authority of and for the use of the Philippine Government; or
                                                                                        iii.                        the importation, consisting of not more than three (3) such copies or likeness in any one invoice, is not for sale but for the use only of any religious, charitable, or educational society or institution duly incorporated or registered, or is for the encouragement of the fine arts, or for any state school, college, university, or free public library in the Philippines.

(b)               When such copies form part of the libraries and personal baggage belonging to persons or families arriving from foreign countries and are not intended for sale: Provided, that such copies do not exceed three (3).
[18] Raissa Robles, “Reply to Ricardo Blancaflor, Intellectual Property Office Director_General,” at http://raissarobles.com/2013/02/15/reply-to-ricardo-blancaflor-intellectual-property-office-director-general/ last accessed on 20 May 2013.
[19] Joyce Ilas, “Amendments to IP Code Questioned,” at http://www.solarnews.ph/news/2013/02/15/amendments-to-ip-code-questioned last accessed on 17 May 2013.
[20] Elpidio V. Peria, “Philippine Copyright Law Amendments Disadvantageous to Ordinary Users, Students and Researchers,” at http://bitsinbits.wordpress.com/2013/02/16/philippine-copyright-law-amendments-disadvantageous-to-ordinary-users-students-and-researchers/ last accessed on 18 May 2013.
[23] Valeroso vs Court of Appeals, G.R. No. 164815  September 3, 2009.
[24] Ibid.
[25] ibid.
[26] Disini, supra.-
[27] ibid.
[28] Section 216(a).
[29] Disini, supra.

Monday, May 6, 2013

Technology and the Law


The Data Privacy Act of 2012 on a National Identification System:
An Analysis in Relation to Ople vs Torres

“If it looks like a duck. If it quacks like a duck. If it walks like a duck. It probably is a duck. ”
- The Duck Test

INTRODUCTION

During the Second World War, more than 100,000 Americans of Japanese descent were rounded up and held in internment camps in various states of the USA. It was confirmed that the Census Bureau played a role in their confinement when they turned over to the War Department general statistics about where Japanese-Americans lived. The list contained names, addresses and data on the age, sex, citizenship status and occupation of Japanese-Americans in the area. The Census complied with a request by the Treasury Department to turn over names of individuals of Japanese ancestry because of an unspecified threat against President Franklin Roosevelt.  It was acting legally under the Second War Powers Act, which allowed the sharing of information for national security.[1] While the law prohibits the Census Bureau to reveal data that could be linked to specific individuals, this prohibition was temporarily repealed through the Second War Powers Act of 1942 to assist in the roundup of Japanese-Americans for imprisonment in internment camps in California and six other states during the war.[2] 

In Rwanda, a national identification card system was instituted by the Belgian colonial government and retained after independence. This identification system contained indicators in group classification such as race and ethnicity. This was methodologically employed to identify and execute the Tsutsis during the 1994 Rwanda genocide. This was the most significant factor in facilitating the speed and magnitude of the 100 days of mass killing in Rwanda.[3]

During the period of Nazi Germany, identification cards were used to identify Jews. A stamped ID card meant a death sentence for the Jews as they were deported to concentration death camps.[4]

In the Philippines, a citizen identification card system” or the so-called “ID system” was launched and implemented in Sulu. The Commission on Human Rights in its legal opinion on the matter provides that “this was made possible through the efforts of the local government, the AFP, PNP and other stake holders of peace and development in the province. The ID card’s signatory, however, is the commanding officer of the 3rd Marine Brigade, Col. Natalio C. Encarma showing thereon the seal of the Philippine Marine Corps on the upper right and the seal of the local government of Patikul on the upper left… The ID card also shows the photograph of the bearer, the name, address, age, sex, civil status, ID number and the signature of the cardholder as well as the thumbmark, blood type, date of birth, place of birth and contact persons in case of emergency. It was said that the purpose of such identification system is to protect the people, to curb crimes and to deter terrorism within the province since it would be easy to identify those who are not from Sulu as well as to serve as the “database for local census.” However, since the time of the campaign on “war on terror” by the Arroyo administration, it cannot be denied that many people have been suffering from illegal arrests and detention. Oppression and harassment is highly possible and will justify arbitrary arrests and detentions of those who are found not wearing ID cards on suspicion of being terrorists/criminals. As such, it would be a blatant violation of human rights of the people of Sulu who are left with no other option but to abide the implementation of the ID System.”[5]

These are some of actual events raising the constitutional and ethical issues involved in the manipulation of an individual’s personal information whether it be that of data collected by a government agency for a particular purpose or through the all-encompassing reach of a national identification system. In particular, the national identification system contains an individual’s private information, where linkage among government agencies is made accessibly possible through a database containing the said information. Manipulation of this data immediately raises the concern on the individual’s fundamental rights including the non-impairment clause of the right to travel and liberty of abode; the right to privacy and to be let alone; the right against self-incrimination; the right to dissent; and possibly the right against unreasonable searches without probable cause.[6]

With the enactment of Republic Act 10173, also known as the Data Privacy Act of 2012, questions as to whether this serves as a sufficient mechanism to the introduction of a National Identification System are now being raised. Will the provisions of the Data Privacy Act of 2012 serve to protect the constitutional guaranties on the fundamental right to privacy with regard to the implementation of a centralized system of identification of individuals? Or will this foretell of human rights abuses as narrated in the history of mankind, of monitoring and surveillance?  Will the Data Privacy Act of 2012 finally pave the way for the implementation of a National Identification System? It must be noted that during his term, President Fidel V. Ramos issued Administrative Order No. 308 entitled "Adoption of a National Computerized Identification Reference System." However, the Supreme Court in the leading case of Ople vs Torres declared null and void said Administrative Order No. 308 on two important constitutional grounds where 1. it is a usurpation of the power of Congress to legislate, and 2. it impermissibly intrudes on our citizenry's protected zone of privacy.[7] Given this framework, this paper attempts to provide an analysis on whether the Data Privacy Act of 2012 addresses the constitutional issues raised in Ople vs Torres for it to stand as a sufficient mechanism in the introduction of a National Identification System.

For the purposes of this paper, we shall focus on the contentions raised in Ople vs Reyes as to whether or not there still exists a violation of the fundamental right to privacy and to be let alone with the adoption of the Data Privacy Act of 2012.

“If you kept the small rules, you could break the big ones.” – George Orwell, 1984

THE NATIONAL IDENTIFICATION SYSTEM

Background

To lay the groundwork for the application of the Data Privacy Law to the National Identification System, let us have an understanding of the National Identification System as it is.

The Philippine Senate Economic Planning Office defines in broad terms the national identification (ID) system as “a mechanism used by governments to assist public agencies in identifying and verifying the identities of citizens who are availing of government services or making public transactions.” An identification number is assigned to a person at birth or when he or she reaches legal age.[8] Personal information such as name, birth date, place of birth, gender, eye color, height, current address, photograph, and other information is linked to this identification number and stored in a centralized database.[9] However, information that is not required to either establish or verify the cardholder’s identity may also be included. This additional information “may also contain service-related information, such as account numbers, medical insurance information, training achievements, employee information, or level of security clearance.”[10] The national identification system is employed by a number of countries. The purpose of such is particular to the country’s socio-political environment. Generally, advocates of the identification system provide that this system is to be used to deter crimes, prevent fraud, access social security and basic government services, or to combat terrorism.

However, this concept was first used by countries with diverse ethnic groups to identify people of a certain race, political affiliation, or religion.[11] Historically, it was shown that group classification in identification systems were manipulated and used by oppressive regimes to discriminate against certain ethnicities, religion, or political groups. Even from the start, it has been a repressive tool into the invasion of personal privacy where each data collected and stored could be used as a dossier to wipe out a certain ethnicity, race, or group of individuals of a certain political affiliation.

Records show that the national identification system has been an instrument of the government, its own Big Brother creating a culture of impunity where privacy is an illusion and its intrusion into the lives of people is the norm. Past records could be invoked in the future for a crime that did not yet exist at that time. Less tolerant governments could very well overuse and abuse information at their disposal in the name of police power.  Even with security measures, in the name of national security, individual privacies can be sacrificed if for the so-called “greater good.” Take the case of the American-Japanese prisoners during the Second World War. No amount of laudable intentions and protections could outweigh the potential dangers of this system.   It is also important to note that many countries adopt the national ID system during military or authoritarian regimes.[12]

While a number of countries have adopted the national identification system, this has always been strongly opposed precisely because of its very nature of monitoring and surveillance. On the part of the government, this can be a tool to record a person’s movement. Imagine a person in the government watchlist for being highly critical of the government. Imagine this person to be the target of status and identity checks from police, airport personnel, banks, random searches at checkpoints. Failure to carry a national identification card would highly yield a justification for search, detention, or arrest. “The stigma and humiliation of constantly proving lawful status is unacceptable.”[13]

On the part of the private sector, this system is likewise a dangerous well of information available to individuals or corporations alike. With the advent of technology, identification databases now include biometric identifiers. Biometrics is "the science of the application of statistical methods to biological facts; a mathematical analysis of biological data." The term "biometrics" has evolved into a broad category of technologies which provide precise confirmation of an individual's identity through the use of the individual's own physiological and behavioral characteristics.”[14] Biometric identifiers “authenticate or verify identity based on physical characteristics such as fingerprints, iris, face and palm prints, gait, voice and DNA. While supporters argue that biometric identifiers are an efficient way to accurately identify people, biometrics are costly, prone to error, and present extreme risks to privacy and individual freedom. Once biometric data is captured, it frequently flows between governmental and private sector users. Companies have developed biometric systems to control access to places, products and services. Citizens can be asked for a thumbprint to access e-government services or enter a room in a corporate headquarters. Geolocation tracking, video surveillance and facial recognition software built on top of large biometrics collections can further enable pervasive surveillance systems.”[15]

It was pointed out by the American Civil Liberties Union that the "linkage of government databases with corporate databases increases the likelihood that intimate personal information—credit histories, spending habits, unlisted telephone numbers, voting, medical and employment histories—could be easily accessed without a person's knowledge."[16] This makes the system vulnerable to hackers or persons who can use and abuse data in their hands. Facial recognition may be grabbed from a photo in Facebook. Voice recognition may be recorded from wiretapped conversations. There are a thousand and one ways to break into the system as a means to access and manipulate data.

Philippines

The Philippines is no stranger to the national identification system. During Martial Law, President Ferdinand Marcos issued Presidential Decree No. 278 which sought to introduce a National Reference Card System through the creation of a National Registration Coordinating Committee. However, this did not push through. As earlier mentioned, President Fidel V. Ramos also proposed for a similar system. He issued Administrative Order  No. 308 for the adoption of a Nationalized Computer System, which was struck down by the Supreme Court for being unconstitutional. President Gloria Macapagal Arroyo refined some of the points of the system limiting the scope to government agencies, government-owned and controlled corporations, harmonizing and streamlining their identification systems. As of  late, a bill was proposed in Congress once again reviving this bill.[17]

So why, despite the perennial revamp of this identification system, does it remain in its initial stages of conception? An astute foresight is given by former US Supreme Court Justice William Douglas, “The Constitution is not neutral. It was designed to take the government off the backs of people.” Anchoring on the leading case of Ople vs Torres, we shall answer the foregoing question with a set of questions: On what legal grounds does the Supreme Court support its decision in declaring the adoption of a Nationalized Computer System in Administrative Order  No. 308 as null and void? Why was it struck down as unconstitutional?

“I am not a number, I am a free man!” – Patrick McGoohan, The Prisoner

ADMINISTRATIVE ORDER NO. 308

Briefly, Administrative Order No. 308 provides that a computerized system is required to properly and efficiently identify persons seeking basic services on social security and reduce, if not totally eradicate, fraudulent transactions and misrepresentations. This is in response to the need to provide Filipino citizens and foreign residents with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities. This will be made possible through the concerted and collaborative effort among the various basic services and social security providing agencies and other government instrumentalities where a decentralized Identification Reference System among the key basic services and social security providers will be established. An important feature in the linkage among agencies would be the Population Reference Number (PRN) generated by the NSO which shall serve as the common reference number to establish a linkage among concerned agencies. The IACC Secretariat shall coordinate with the different Social Security and Services Agencies to establish the standards in the use of Biometrics Technology and in computer application designs of their respective systems.[18]

OPLE VS TORRES

            As to the questions: On what legal grounds does the Supreme Court support its decision in declaring the adoption of a Nationalized Computer System in Administrative Order  No. 308 as null and void? Why was it struck down as unconstitutional?

In the first place, Administrative Order No. 308 involved a subject that is not appropriate to be covered by an administrative order and usurps the power of Congress to legislate. The President’s administrative power is concerned with the work of applying policies and enforcing orders as determined by proper governmental organs. Administrative Order No. 308 establishes for the first time a National Computerized Identification Reference System. Such a System requires a delicate adjustment of various contending state policies — the primacy of national security, the extent of privacy interest against dossier-gathering by government, the choice of policies, among others. This administrative order redefines the parameters of some basic rights of the citizenry vis-a-vis the State, as well as the line that separates the administrative power of the President to make rules and the legislative power of Congress. Under A.O. No. 308, a citizen cannot transact business with government agencies delivering basic services to the people without the contemplated identification card. No citizen will refuse to get this identification card for no one can avoid dealing with government. It is thus clear as daylight that without the ID, a citizen will have difficulty exercising his rights and enjoying his privileges. Given this reality, the contention that A.O. No. 308 gives no right and imposes no duty cannot stand. It deals with a subject that should be covered by law.[19]

But going into the heart of the matter, Administrative Order No. 308 violates the constitutionally protected right to privacy. Ople vs Torres provides[20]:

XXX The right to privacy is a fundamental right guaranteed by the Constitution. Therefore, it is the burden of government to show that A.O. 308 is justified by some compelling state interest and that it is narrowly drawn. The government failed to discharge this burden. While it is debatable whether the interests of Administrative Order No. 308 are compelling enough to warrant the issuance of A.O. 308, it is not arguable that the broadness, the vagueness, the overbreadth of A.O. 308, if implemented, will put our people’s right to privacy in clear and present danger.

The heart of A.O. 308 lies in its Section 4 which provides for a Population Reference Number (PRN) as a “common reference number to establish a linkage among concerned agencies” through the use of “Biometrics Technology” and “computer application designs.”  A.O. 308 does not state what specific biological characteristics and what particular biometrics technology shall be used. Moreover, A.O. 308 does not state whether encoding of data is limited to biological information alone for identification purposes. The Solicitor General’s claim that the adoption of the Identification Reference System will contribute to the “generation of population data for development planning” is an admission that the PRN will not be used solely for identification but for the generation of other data with remote relation to the avowed purposes of A.O. 308. The computer linkage gives other government agencies access to the information, but there are no controls to guard against leakage of information. When the access code of the control programs of the particular computer system is broken, an intruder, without fear of sanction or penalty, can make use of the data for whatever purpose, or worse, manipulate the data stored within the system.

A.O. 308 falls short of assuring that personal information which will be gathered about our people will only be processed for unequivocally specified purposes. The lack of proper safeguards in this regard of A.O. 308 may interfere with the individual’s liberty of abode and travel by enabling authorities to track down his movement; it may also enable unscrupulous persons to access confidential information and circumvent the right against self-incrimination; it may pave the way for “fishing expeditions” by government authorities and evade the right against unreasonable searches and seizures. The possibilities of abuse and misuse of the PRN, biometrics and computer technology are accentuated when we consider that the individual lacks control over what can be read or placed on his ID, much less verify the correctness of the data encoded. They threaten the very abuses that the Bill of Rights seeks to prevent. XXX

Given the above contentions, the National Identification System espoused in Administrative Order No. 308 does not guarantee the people’s safety and welfare, enough for it to be struck down even at its infancy, in the interest of the Filipino people. The well-being of the individual will always be paramount at all times. In the words of Morfe v. Mutuc, “In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society.” And as Ople vs Torres closes its decision it said, “XXX the right to privacy was not engraved in our Constitution for flattery.”

Meanwhile, a new law, the Republic Act No.10173 or the Data Privacy Act of 2012 was enforced to fill “a void in the Philippine legal system. Prior to the promulgation of the Act, there was no Philippine law dealing specifically with personal data privacy. While the Philippine Constitution and jurisprudence recognize and protect a person’s right to privacy, they deal with the protection of personal information in only a general manner.”[21]

Let us look into the sufficiency of this law to answer the questions previously raised as to whether this serves as a mechanism for the introduction of the National Identification System. Having discussed the arguments justifying the unconstitutionality of Administrative Order No. 308, will the Data Privacy Act of 2012 provide the protections on the privacy of the individual found lacking in Administrative Order No. 308?

“If I can’t trust the president of the United States, who can I trust?” – Superman

DATA PRIVACY ACT OF 2012 AND ITS IMPLICATIONS IN RELATION TO THE NATIONAL IDENTIFICATION SYSTEM

Privacy

Privacy in this context refers to the constraints on the collection, use and release of personal information, as well as the imposition of measures to protect such information. This evolution of meaning was brought about by the increasing requirements for identity confirmation and for transactions of almost any kind to require personal identification.[22]

Protecting privacy in the context of identification systems means protecting the individual’s rights to control how personal information is collected and promulgated. This includes protection against identity theft, or the use of an individual’s personal information for fraudulent purposes. Information security is a critical component in protecting privacy, and this entails protecting the confidentiality, integrity, and availability of information that identifies or otherwise describes an individual.[23]

Background

            As earlier mentioned, the Philippine Constitution and jurisprudence recognize and protect a person’s right to privacy only in a general manner. The Data Privacy Act of 2012 (the Act) is the first data privacy law adopted in the Philippines. It is intended to protect the integrity and security of personal data in both the private and public sectors.[24]

Specifically, Sen. Edgardo Angara states that this Act is meant to protect individuals whose sensitive information is being sent electronically, stressing that data privacy has become a major concern because of the growth of the business process outsourcing (BPO) sector in the country.[25] Sen. Angara, chair of the Senate Committee on Science and Technology (S&T), emphasized that the country's data privacy policy should protect the personal information of users without bogging down the ease of access companies need to efficiently operate, as in what happened in India where their data privacy rules caused an uproar in the BPO industry. While this Act is a measure providing adequate controls that would protect the public from abuse, the aim also is not to constrain the rapid growth of the IT-BPO sector. The framework promotes a flexible approach to data privacy minus needless barriers to information flows.[26]  Apparently, by these statements, the purpose of this Act is geared towards maintaining a competitive market and boost investments in its information technology-business process outsourcing (IT-BPO) sector and support a healthy information and communications technology (ICT) industry. [27] On the other hand, by whatever “flexible approach” means remains to be qualified.

Application

Application of the Act is broad enough to apply to processing of all types of personal information of an individual (data subject). This includes the collection, use and release of personal information. Personal information is defined here as that which makes apparent the identity of an individual or can be reasonably ascertained by the entity holding the information or when put together with other information, will directly and certainly identify an individual. Sensitive personal information is likewise covered by this Act which is information that does not necessarily either establish or verify the identity of an individual. This includes race, ethnicity, religious or political affiliations, genetic or sexual life of a person, criminal record, social security numbers, and tax returns, among others. Stringent requirements are applied in the processing of sensitive personal information. Information is processed by information controllers and processors through the Filing System or Information and Communications System. Administration, implementation, monitoring and ensuring compliance of this law is assigned to the National Privacy Commission (NPC) which was created for the purpose.

If this would be the framework for a national identification system, up to what extent of information is necessary for “identifying and verifying the identities of citizens who are availing of government services or making public transactions?”[28] History shows that group classification in the identification system is dangerous information in the wrong hands. This is not merely speaking of potential dangers but lessons learned from actual events that measure our humanity.

General Principles

            The General Data Privacy Principles stipulate that personal information must be collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection; and later processed in a way compatible with such declared purposes only. Immediately, there is a gap as to what comprises a specified and legitimate purpose “before or as soon as reasonably practicable after collection.” There exists a period open to what may possibly be determined and declared between “before or as soon as reasonably practicable after collection.” A specific and legitimate purpose surely cannot be open to what may transpire during this interim? Is this what Senator Angara refers to as a “flexible approach to data privacy minus needless barriers to information flows?

The Act states that personal information is to be retained only for as long as necessary for the stated purpose. However, personal information collected for “other purposes” may lie processed for historical, statistical, or scientific purposes, and in cases “laid down by law” may be stored for longer periods, given the adequate safeguards. To be precise, the general principles laid down several purposes[29] for the processing of personal information, a number of which is vague and too broad to pin down as to raise the concern on the determination of what the “other purposes” are. And for that matter, the provisions likewise stipulate that personal information be adequate and not excessive in relation to the purposes for which they are collected and processed. In relation to that, what is the measure for adequate and not excessive as to the “other purposes?” Again, there exists a vacuum to the extent of application of the law. “Flexible approach” perhaps?

Conditions for the Lawful Processing of Personal Information

            It is important to note that the criteria for lawful processing of sensitive personal information are more stringent than that of personal information, where Section 13 provides that processing of sensitive personal information is generally prohibited. However, processing is considered lawful even without the consent of the individual if it complies with the exceptions provided by the law. This means that once the information leaves the data subject, even without the consent, its processing becomes subject to the conditions laid by law, which conditions are subject to the needs of the Controller or the government,[30] and only upon the regulation of the NPC.

Notification Requirement

            The rights of the data subject include being informed whether personal information pertaining to him/her shall be, are being or have been processed. The data subject must be furnished with the particular information to be processed before the entry of personal information into the processing system of the personal information controller, or at the next practical opportunity.

Again, there is room allowing an interval by which the individual must have been notified. To be clear, this set of information which requires notification upon the data subject includes disclosure of personal information to “possible recipients or classes of recipients” meaning third parties. This is information personal to the data subject and it is unacceptable that such information be out in the open without the individual’s knowledge until “the next practical opportunity.” If this law were to be made a mechanism for the national identification system, then there is a clear breach in confidentiality and security in this area. “A critical component of protecting privacy is information security – protecting the confidentiality, integrity, and availability of information that identifies or otherwise describes an individual. To be considered privacy enabled, an identification system must be designed to satisfy these parameters.”[31]

Then again, if this were to be for an identification system personal to the needs of the individual, who exactly comprise “possible recipients or classes of recipients?” Being personal for that matter, what are the instances by which there is a need to provide third parties with information personal to an individual and why?

Rights of Data Subjects

            Among the rights[32] stated in the Act is for the data subject to “dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately XXX Provided, that the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject.”[33] Further, the data subject may “suspend, withdraw or order the blocking, removal or destruction of his personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes XXX In this case, the personal information controller may notify third parties who have previously received such processed personal information.”

These provisions show that it is not within the powers of the law to mandatorily impose upon the controller to protect the integrity of the personal information of the data subject. In the former it states that inaccuracies will be corrected “upon reasonable request of the data subject.” However, it cannot be presumed that these data subjects are informed of their rights in the first place, where there is even a provision in this law wherein data subjects are notified only at the next practical opportunity of who these third persons are. This Act is hard enough to comprehend as it is for these data subjects to understand the implications of this provision.

In the latter, it is discretionary for the controller to notify these third parties of any wrongful information which is damaging to the person of the data subject. The rules on statutory construction provide that the use of the word “may” in a statute will be interpreted in the permissive or discretionary sense. How is it justifiable that one’s character which is wrongfully recorded and presented to third persons remain uncorrected upon the discretion of the controller? Will the next provision pertaining to indemnification of damages provide enough redress to the wrong done upon one’s personal character? And we have not even addressed technological and digital security issues yet as when electronic information leaks beyond the custody of the controller and third party.

Transfer of Personal Information, Subcontracting, and Accountability

            Section 14 provides for the subcontracting of personal information upon ensuring proper safeguards to protect the confidentiality of the personal information processed and prevent its use for unauthorized purposes.  Section 21 provides for the accountability of the controller having the custody and control of the personal information to be transferred to a third party for processing, whether domestically or internationally.

            The digital world is constantly improving. Subjecting personal information, and possibly sensitive personal information, to various transfers through electronic means leave behind data in the digital systems where these transits take place. During these digital times, there is no foolproof safeguard in ensuring the protection of one’s identity in the digital world. It can even be said that in this context, passing the accountability to the controller is unqualified when there are technological breakthroughs that could break into the system, which is beyond the controller’s control.

            The use of “contractual or other reasonable means” to provide a “comparable level of protection” while the information are being processed by a third party do not provide adequate protection with regard to personal and sensitive personal information. In connection to the national identification system, an individual’s personal information should not even be a proper object or subject matter of a contract. It is against public policy to subject a person to a high probability of exposure of his personal identity on the basis of these transfers where there is a likelihood of identity theft in the transitions. Moreover, privacy in the context of a national identification system should not be subject to a ”comparable level of protection.” Comparable to what, by all means. There is a need for accuracy and precision in providing for information security. These jargons in the Act do not provide sufficient protective measures for the transfer of personal data.

Sanctions

            It is commendable that this law provided for stiff sanctions in cases of violations. However, it has been said that prevention is better than cure. In the implementation of a national identification system, these penalties are not enough to deter violators. This law cannot possibly prevent spillovers beyond the custody of the controller or the third parties. What happens then when a non-party gets hold of these information? What happens when a violator is someone who is not even aware that s/he is processing personal information in social media?

The law is too broad and vague that it can be made to apply even to innocent actions of people in the internet, particularly in social media. It can be applicable to anyone who processes private information. This includes people who access social networks.

CONCLUSION

The Data Privacy Act of 2012 is not a sufficient mechanism for the introduction of a National Identification System, in relation to the constitutionality issues raised in Ople vs. Torres. The law does not provide adequate protection to the right to privacy

And as to its framework, there still exists a void as to the purpose for which this law is made to apply. Obviously, we do not want a “flexible approach” as coined by Sen. Angara, when it comes to the handling of personal information in our identification system. This “flexibility” can be gleaned from Sections 4, and 11. And in Section 12 where even without the consent of the data subject, if otherwise not prohibited by law, and when at least one of the conditions exists, processing of personal information is lawful. A framework that considers the interests of the BPO sector almost at par with that of the individual cannot be a sufficient measure to lay the grounds for a national identification system, or to justify what is lawful. 

It must be stressed that Section 12 likewise provides that processing is necessary to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; and in Section 13 where one of the exceptions to the prohibition of processing of sensitive information is when the same is provided for by existing laws and regulations where the consent of the data subject is not required by law or regulation permitting the same.  While the Committee stresses on the protection of personal information and stringently so for sensitive personal information, the individual’s right to privacy is compromised in times of national emergency and in the name of public order and safety, or when there is a law made applicable for this. Again, this brings us to past lessons when a less tolerant government gains access to personal data in the name of police power, or sensitive personal data for that matter, for their manipulation. Here lies the basis for violating the individual’s fundamental right to privacy, and even the right to travel and liberty of abode; the right against self- incrimination; the right to dissent; and possibly the right against unreasonable searches without probable cause.

            In sum, there still remains no sufficient mechanism for a national identification system in the Philippines in the context of protection of a person’s privacy. The Data Privacy Act of 2012, being the first data privacy law adopted, does not address the constitutional issue on the right to privacy as raised in Ople vs. Torres.

– Albert Einstein.




Disclaimer:      This paper is not intended to be and should not be taken as legal advice.
























[3] Prosecutor vs. Jean-Paul Akayesu, (Case No. ICTR-96-4-T), Judgement, 2 September 1998, paragraph 123. The comparison between the Nazi and Rwandan ID cards and a call for further research on this topic was made by Henry R. Huttenbach in an article entitled "The letter of the Law and the Mark of Cain: When "J" was and "T" is lethal," Genocide Forum, year 1 (1994), no. 5, http://www.preventgenocide.org/prevent/removing-facilitating-factors/IDcards/index.htm#2

[4] Transcript of the trial of Adolf Eichmann, Session 36 (11 May 1961), Testimony of Henrietta Samuel, http://www.preventgenocide.org/prevent/removing-facilitating-factors/IDcards/index.htm#2

[5] Jose Manuel S. Mamauag (February 14, 2008), Legal Opinion: ID System in Sulu, an Experimental Implementation of National ID System?, Commission on Human Rights-IX

[6] KASAMA Vol. 11 No. 1 (January-February-March 1997), Ramos Orders I.D. Cards, Solidarity Philippines Australia Network

[7] Ople vs Torres, G.R. No. 127685, July 23, 1998

[8] Senate Economic Planning Office (December 2005) PI-07-05, National Identification System: Do We Need One?, Policy Insights, http://www.senate.gov.ph/publications/PI%202005-12%20-%20National%20Identification%20System%20-%20Do%20We%20Need%20One.pdf

[9] Electronic Frontier Foundation, Mandatory National IDs and Biometric Databases, https://www.eff.org/issues/national-ids


[10] Smart Card Alliance (February 2003), Privacy and Secure Identification Systems: The Role of Smart Clouds as a Privacy-Enabling Technology,  http://www.smartcardalliance.org/resources/lib/Privacy_White_Paper.pdf

[11] Senate Economic Planning Office (December 2005) PI-07-05, supra

[12] Electronic Frontier Foundation, Mandatory National IDs and Biometric Databases, supra


[13] Electronic Frontier Foundation, National Identification Systems, http://w2.eff.org/Privacy/Surveillance/?f=nationalidsystem-resources.html

[14] Ople vs. Torres, citing several sources, supra

[15] Electronic Frontier Foundation, Mandatory National IDs and Biometric Databases, supra

[16] Electronic Frontier Foundation, National Identification Systems, supra

[17] Alexander Yano (May 24, 2012), The proposed national ID system, The Manila Times.net, http://www.manilatimes.net/index.php/opinion/columnist1/23504-..


[18] Administrative Order No. 308

[19] Ople vs. Torres, supra

[20] Ibid

[21] Laxmi Rosell, Sheilah Marie Tomarong-CaƱabano (September 14, 2012), ANALYSIS: The Philippines’ Data Privacy Act Of 2012, World Data Protection Report, Global Law Watch, http://www.globallawwatch.com/2012/09/analysis-the-philippines-data-privacy-act-of-2012/

[22] Smart Card Alliance, supra

[23] Ibid

[24] Laxmi Rossel, supra

[25] David Dizon, ABS-CBNnews.com (June 2, 2012), Angara: Data Privacy Act targets leaks, ABS-CBNnews.com, http://www.abs-cbnnews.com/nation/06/01/12/angara-data-privacy-act-targets-leaks

[26] Press Release (July 20, 2011), Senate of the Philippines, http://www.senate.gov.ph/press_release/2011/0720_angara1.asp

[27] Laxmi Rossel, supra

[28] Senate Economic Planning Office, supra

[29] Section 11, Republic Act No. 10173

[30] Section 12 & 13, Republic Act No. 10173

[31] Smart Card Alliance, supra

[32] Section 16, Republic Act No. 10173

[33] Ibid