Technology and the Law

The Data Privacy Act of 2012 on a National Identification System:

An Analysis in Relation to Ople vs Torres

“If it looks like a duck. If it quacks like a duck. If it walks like a duck. It probably is a duck. ”

- The Duck Test

INTRODUCTION

During the Second World War, more than 100,000 Americans of Japanese descent were rounded up and held in internment camps in various states of the USA. It was confirmed that the Census Bureau played a role in their confinement when they turned over to the War Department general statistics about where Japanese-Americans lived. The list contained names, addresses and data on the age, sex, citizenship status and occupation of Japanese-Americans in the area. The Census complied with a request by the Treasury Department to turn over names of individuals of Japanese ancestry because of an unspecified threat against President Franklin Roosevelt.  It was acting legally under the Second War Powers Act, which allowed the sharing of information for national security.[1] While the law prohibits the Census Bureau to reveal data that could be linked to specific individuals, this prohibition was temporarily repealed through the Second War Powers Act of 1942 to assist in the roundup of Japanese-Americans for imprisonment in internment camps in California and six other states during the war.[2] 

In Rwanda, a national identification card system was instituted by the Belgian colonial government and retained after independence. This identification system contained indicators in group classification such as race and ethnicity. This was methodologically employed to identify and execute the Tsutsis during the 1994 Rwanda genocide. This was the most significant factor in facilitating the speed and magnitude of the 100 days of mass killing in Rwanda.[3]

During the period of Nazi Germany, identification cards were used to identify Jews. A stamped ID card meant a death sentence for the Jews as they were deported to concentration death camps.[4]

In the Philippines, a “citizen identification card system” or the so-called “ID system” was launched and implemented in Sulu. The Commission on Human Rights in its legal opinion on the matter provides that “this was made possible through the efforts of the local government, the AFP, PNP and other stake holders of peace and development in the province. The ID card’s signatory, however, is the commanding officer of the 3rd Marine Brigade, Col. Natalio C. Encarma showing thereon the seal of the Philippine Marine Corps on the upper right and the seal of the local government of Patikul on the upper left… The ID card also shows the photograph of the bearer, the name, address, age, sex, civil status, ID number and the signature of the cardholder as well as the thumbmark, blood type, date of birth, place of birth and contact persons in case of emergency. It was said that the purpose of such identification system is to protect the people, to curb crimes and to deter terrorism within the province since it would be easy to identify those who are not from Sulu as well as to serve as the “database for local census.” However, since the time of the campaign on “war on terror” by the Arroyo administration, it cannot be denied that many people have been suffering from illegal arrests and detention. Oppression and harassment is highly possible and will justify arbitrary arrests and detentions of those who are found not wearing ID cards on suspicion of being terrorists/criminals. As such, it would be a blatant violation of human rights of the people of Sulu who are left with no other option but to abide the implementation of the ID System.”[5]

These are some of actual events raising the constitutional and ethical issues involved in the manipulation of an individual’s personal information whether it be that of data collected by a government agency for a particular purpose or through the all-encompassing reach of a national identification system. In particular, the national identification system contains an individual’s private information, where linkage among government agencies is made accessibly possible through a database containing the said information. Manipulation of this data immediately raises the concern on the individual’s fundamental rights including the non-impairment clause of the right to travel and liberty of abode; the right to privacy and to be let alone; the right against self-incrimination; the right to dissent; and possibly the right against unreasonable searches without probable cause.[6]

With the enactment of Republic Act 10173, also known as the Data Privacy Act of 2012, questions as to whether this serves as a sufficient mechanism to the introduction of a National Identification System are now being raised. Will the provisions of the Data Privacy Act of 2012 serve to protect the constitutional guaranties on the fundamental right to privacy with regard to the implementation of a centralized system of identification of individuals? Or will this foretell of human rights abuses as narrated in the history of mankind, of monitoring and surveillance?  Will the Data Privacy Act of 2012 finally pave the way for the implementation of a National Identification System? It must be noted that during his term, President Fidel V. Ramos issued Administrative Order No. 308 entitled "Adoption of a National Computerized Identification Reference System." However, the Supreme Court in the leading case of Ople vs Torres declared null and void said Administrative Order No. 308 on two important constitutional grounds where 1. it is a usurpation of the power of Congress to legislate, and 2. it impermissibly intrudes on our citizenry's protected zone of privacy.[7] Given this framework, this paper attempts to provide an analysis on whether the Data Privacy Act of 2012 addresses the constitutional issues raised in Ople vs Torres for it to stand as a sufficient mechanism in the introduction of a National Identification System.

For the purposes of this paper, we shall focus on the contentions raised in Ople vs Reyes as to whether or not there still exists a violation of the fundamental right to privacy and to be let alone with the adoption of the Data Privacy Act of 2012.

“If you kept the small rules, you could break the big ones.” – George Orwell, 1984

THE NATIONAL IDENTIFICATION SYSTEM

Background

To lay the groundwork for the application of the Data Privacy Law to the National Identification System, let us have an understanding of the National Identification System as it is.

The Philippine Senate Economic Planning Office defines in broad terms the national identification (ID) system as “a mechanism used by governments to assist public agencies in identifying and verifying the identities of citizens who are availing of government services or making public transactions.” An identification number is assigned to a person at birth or when he or she reaches legal age.[8] Personal information such as name, birth date, place of birth, gender, eye color, height, current address, photograph, and other information is linked to this identification number and stored in a centralized database.[9] However, information that is not required to either establish or verify the cardholder’s identity may also be included. This additional information “may also contain service-related information, such as account numbers, medical insurance information, training achievements, employee information, or level of security clearance.”[10] The national identification system is employed by a number of countries. The purpose of such is particular to the country’s socio-political environment. Generally, advocates of the identification system provide that this system is to be used to deter crimes, prevent fraud, access social security and basic government services, or to combat terrorism.

However, this concept was first used by countries with diverse ethnic groups to identify people of a certain race, political affiliation, or religion.[11] Historically, it was shown that group classification in identification systems were manipulated and used by oppressive regimes to discriminate against certain ethnicities, religion, or political groups. Even from the start, it has been a repressive tool into the invasion of personal privacy where each data collected and stored could be used as a dossier to wipe out a certain ethnicity, race, or group of individuals of a certain political affiliation.

Records show that the national identification system has been an instrument of the government, its own Big Brother creating a culture of impunity where privacy is an illusion and its intrusion into the lives of people is the norm. Past records could be invoked in the future for a crime that did not yet exist at that time. Less tolerant governments could very well overuse and abuse information at their disposal in the name of police power.  Even with security measures, in the name of national security, individual privacies can be sacrificed if for the so-called “greater good.” Take the case of the American-Japanese prisoners during the Second World War. No amount of laudable intentions and protections could outweigh the potential dangers of this system.   It is also important to note that many countries adopt the national ID system during military or authoritarian regimes.[12]

While a number of countries have adopted the national identification system, this has always been strongly opposed precisely because of its very nature of monitoring and surveillance. On the part of the government, this can be a tool to record a person’s movement. Imagine a person in the government watchlist for being highly critical of the government. Imagine this person to be the target of status and identity checks from police, airport personnel, banks, random searches at checkpoints. Failure to carry a national identification card would highly yield a justification for search, detention, or arrest. “The stigma and humiliation of constantly proving lawful status is unacceptable.”[13]

On the part of the private sector, this system is likewise a dangerous well of information available to individuals or corporations alike. With the advent of technology, identification databases now include biometric identifiers. Biometrics is "the science of the application of statistical methods to biological facts; a mathematical analysis of biological data." The term "biometrics" has evolved into a broad category of technologies which provide precise confirmation of an individual's identity through the use of the individual's own physiological and behavioral characteristics.”[14] Biometric identifiers “authenticate or verify identity based on physical characteristics such as fingerprints, iris, face and palm prints, gait, voice and DNA. While supporters argue that biometric identifiers are an efficient way to accurately identify people, biometrics are costly, prone to error, and present extreme risks to privacy and individual freedom. Once biometric data is captured, it frequently flows between governmental and private sector users. Companies have developed biometric systems to control access to places, products and services. Citizens can be asked for a thumbprint to access e-government services or enter a room in a corporate headquarters. Geolocation tracking, video surveillance and facial recognition software built on top of large biometrics collections can further enable pervasive surveillance systems.”[15]

It was pointed out by the American Civil Liberties Union that the "linkage of government databases with corporate databases increases the likelihood that intimate personal information—credit histories, spending habits, unlisted telephone numbers, voting, medical and employment histories—could be easily accessed without a person's knowledge."[16] This makes the system vulnerable to hackers or persons who can use and abuse data in their hands. Facial recognition may be grabbed from a photo in Facebook. Voice recognition may be recorded from wiretapped conversations. There are a thousand and one ways to break into the system as a means to access and manipulate data.

Philippines

The Philippines is no stranger to the national identification system. During Martial Law, President Ferdinand Marcos issued Presidential Decree No. 278 which sought to introduce a National Reference Card System through the creation of a National Registration Coordinating Committee. However, this did not push through. As earlier mentioned, President Fidel V. Ramos also proposed for a similar system. He issued Administrative Order  No. 308 for the adoption of a Nationalized Computer System, which was struck down by the Supreme Court for being unconstitutional. President Gloria Macapagal Arroyo refined some of the points of the system limiting the scope to government agencies, government-owned and controlled corporations, harmonizing and streamlining their identification systems. As of  late, a bill was proposed in Congress once again reviving this bill.[17]

So why, despite the perennial revamp of this identification system, does it remain in its initial stages of conception? An astute foresight is given by former US Supreme Court Justice William Douglas, “The Constitution is not neutral. It was designed to take the government off the backs of people.” Anchoring on the leading case of Ople vs Torres, we shall answer the foregoing question with a set of questions: On what legal grounds does the Supreme Court support its decision in declaring the adoption of a Nationalized Computer System in Administrative Order  No. 308 as null and void? Why was it struck down as unconstitutional?

“I am not a number, I am a free man!” – Patrick McGoohan, The Prisoner

ADMINISTRATIVE ORDER NO. 308

Briefly, Administrative Order No. 308 provides that a computerized system is required to properly and efficiently identify persons seeking basic services on social security and reduce, if not totally eradicate, fraudulent transactions and misrepresentations. This is in response to the need to provide Filipino citizens and foreign residents with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities. This will be made possible through the concerted and collaborative effort among the various basic services and social security providing agencies and other government instrumentalities where a decentralized Identification Reference System among the key basic services and social security providers will be established. An important feature in the linkage among agencies would be the Population Reference Number (PRN) generated by the NSO which shall serve as the common reference number to establish a linkage among concerned agencies. The IACC Secretariat shall coordinate with the different Social Security and Services Agencies to establish the standards in the use of Biometrics Technology and in computer application designs of their respective systems.[18]

OPLE VS TORRES

            As to the questions: On what legal grounds does the Supreme Court support its decision in declaring the adoption of a Nationalized Computer System in Administrative Order  No. 308 as null and void? Why was it struck down as unconstitutional?

In the first place, Administrative Order No. 308 involved a subject that is not appropriate to be covered by an administrative order and usurps the power of Congress to legislate. The President’s administrative power is concerned with the work of applying policies and enforcing orders as determined by proper governmental organs. Administrative Order No. 308 establishes for the first time a National Computerized Identification Reference System. Such a System requires a delicate adjustment of various contending state policies — the primacy of national security, the extent of privacy interest against dossier-gathering by government, the choice of policies, among others. This administrative order redefines the parameters of some basic rights of the citizenry vis-a-vis the State, as well as the line that separates the administrative power of the President to make rules and the legislative power of Congress. Under A.O. No. 308, a citizen cannot transact business with government agencies delivering basic services to the people without the contemplated identification card. No citizen will refuse to get this identification card for no one can avoid dealing with government. It is thus clear as daylight that without the ID, a citizen will have difficulty exercising his rights and enjoying his privileges. Given this reality, the contention that A.O. No. 308 gives no right and imposes no duty cannot stand. It deals with a subject that should be covered by law.[19]

But going into the heart of the matter, Administrative Order No. 308 violates the constitutionally protected right to privacy. Ople vs Torres provides[20]:

XXX The right to privacy is a fundamental right guaranteed by the Constitution. Therefore, it is the burden of government to show that A.O. 308 is justified by some compelling state interest and that it is narrowly drawn. The government failed to discharge this burden. While it is debatable whether the interests of Administrative Order No. 308 are compelling enough to warrant the issuance of A.O. 308, it is not arguable that the broadness, the vagueness, the overbreadth of A.O. 308, if implemented, will put our people’s right to privacy in clear and present danger.

The heart of A.O. 308 lies in its Section 4 which provides for a Population Reference Number (PRN) as a “common reference number to establish a linkage among concerned agencies” through the use of “Biometrics Technology” and “computer application designs.”  A.O. 308 does not state what specific biological characteristics and what particular biometrics technology shall be used. Moreover, A.O. 308 does not state whether encoding of data is limited to biological information alone for identification purposes. The Solicitor General’s claim that the adoption of the Identification Reference System will contribute to the “generation of population data for development planning” is an admission that the PRN will not be used solely for identification but for the generation of other data with remote relation to the avowed purposes of A.O. 308. The computer linkage gives other government agencies access to the information, but there are no controls to guard against leakage of information. When the access code of the control programs of the particular computer system is broken, an intruder, without fear of sanction or penalty, can make use of the data for whatever purpose, or worse, manipulate the data stored within the system.

A.O. 308 falls short of assuring that personal information which will be gathered about our people will only be processed for unequivocally specified purposes. The lack of proper safeguards in this regard of A.O. 308 may interfere with the individual’s liberty of abode and travel by enabling authorities to track down his movement; it may also enable unscrupulous persons to access confidential information and circumvent the right against self-incrimination; it may pave the way for “fishing expeditions” by government authorities and evade the right against unreasonable searches and seizures. The possibilities of abuse and misuse of the PRN, biometrics and computer technology are accentuated when we consider that the individual lacks control over what can be read or placed on his ID, much less verify the correctness of the data encoded. They threaten the very abuses that the Bill of Rights seeks to prevent. XXX

Given the above contentions, the National Identification System espoused in Administrative Order No. 308 does not guarantee the people’s safety and welfare, enough for it to be struck down even at its infancy, in the interest of the Filipino people. The well-being of the individual will always be paramount at all times. In the words of Morfe v. Mutuc, “In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society.” And as Ople vs Torres closes its decision it said, “XXX the right to privacy was not engraved in our Constitution for flattery.”

Meanwhile, a new law, the Republic Act No.10173 or the Data Privacy Act of 2012 was enforced to fill “a void in the Philippine legal system. Prior to the promulgation of the Act, there was no Philippine law dealing specifically with personal data privacy. While the Philippine Constitution and jurisprudence recognize and protect a person’s right to privacy, they deal with the protection of personal information in only a general manner.”[21]

Let us look into the sufficiency of this law to answer the questions previously raised as to whether this serves as a mechanism for the introduction of the National Identification System. Having discussed the arguments justifying the unconstitutionality of Administrative Order No. 308, will the Data Privacy Act of 2012 provide the protections on the privacy of the individual found lacking in Administrative Order No. 308?

“If I can’t trust the president of the United States, who can I trust?” – Superman

DATA PRIVACY ACT OF 2012 AND ITS IMPLICATIONS IN RELATION TO THE NATIONAL IDENTIFICATION SYSTEM

Privacy

Privacy in this context refers to the constraints on the collection, use and release of personal information, as well as the imposition of measures to protect such information. This evolution of meaning was brought about by the increasing requirements for identity confirmation and for transactions of almost any kind to require personal identification.[22]

Protecting privacy in the context of identification systems means protecting the individual’s rights to control how personal information is collected and promulgated. This includes protection against identity theft, or the use of an individual’s personal information for fraudulent purposes. Information security is a critical component in protecting privacy, and this entails protecting the confidentiality, integrity, and availability of information that identifies or otherwise describes an individual.[23]

Background

            As earlier mentioned, the Philippine Constitution and jurisprudence recognize and protect a person’s right to privacy only in a general manner. The Data Privacy Act of 2012 (the Act) is the first data privacy law adopted in the Philippines. It is intended to protect the integrity and security of personal data in both the private and public sectors.[24]

Specifically, Sen. Edgardo Angara states that this Act is meant to protect individuals whose sensitive information is being sent electronically, stressing that data privacy has become a major concern because of the growth of the business process outsourcing (BPO) sector in the country.[25] Sen. Angara, chair of the Senate Committee on Science and Technology (S&T), emphasized that the country's data privacy policy should protect the personal information of users without bogging down the ease of access companies need to efficiently operate, as in what happened in India where their data privacy rules caused an uproar in the BPO industry. While this Act is a measure providing adequate controls that would protect the public from abuse, the aim also is not to constrain the rapid growth of the IT-BPO sector. The framework promotes a flexible approach to data privacy minus needless barriers to information flows.[26]  Apparently, by these statements, the purpose of this Act is geared towards maintaining a competitive market and boost investments in its information technology-business process outsourcing (IT-BPO) sector and support a healthy information and communications technology (ICT) industry. [27] On the other hand, by whatever “flexible approach” means remains to be qualified.

Application

Application of the Act is broad enough to apply to processing of all types of personal information of an individual (data subject). This includes the collection, use and release of personal information. Personal information is defined here as that which makes apparent the identity of an individual or can be reasonably ascertained by the entity holding the information or when put together with other information, will directly and certainly identify an individual. Sensitive personal information is likewise covered by this Act which is information that does not necessarily either establish or verify the identity of an individual. This includes race, ethnicity, religious or political affiliations, genetic or sexual life of a person, criminal record, social security numbers, and tax returns, among others. Stringent requirements are applied in the processing of sensitive personal information. Information is processed by information controllers and processors through the Filing System or Information and Communications System. Administration, implementation, monitoring and ensuring compliance of this law is assigned to the National Privacy Commission (NPC) which was created for the purpose.

If this would be the framework for a national identification system, up to what extent of information is necessary for “identifying and verifying the identities of citizens who are availing of government services or making public transactions?”[28] History shows that group classification in the identification system is dangerous information in the wrong hands. This is not merely speaking of potential dangers but lessons learned from actual events that measure our humanity.

General Principles

            The General Data Privacy Principles stipulate that personal information must be collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection; and later processed in a way compatible with such declared purposes only. Immediately, there is a gap as to what comprises a specified and legitimate purpose “before or as soon as reasonably practicable after collection.” There exists a period open to what may possibly be determined and declared between “before or as soon as reasonably practicable after collection.” A specific and legitimate purpose surely cannot be open to what may transpire during this interim? Is this what Senator Angara refers to as a “flexible approach to data privacy minus needless barriers to information flows?”

The Act states that personal information is to be retained only for as long as necessary for the stated purpose. However, personal information collected for “other purposes” may lie processed for historical, statistical, or scientific purposes, and in cases “laid down by law” may be stored for longer periods, given the adequate safeguards. To be precise, the general principles laid down several purposes[29] for the processing of personal information, a number of which is vague and too broad to pin down as to raise the concern on the determination of what the “other purposes” are. And for that matter, the provisions likewise stipulate that personal information be adequate and not excessive in relation to the purposes for which they are collected and processed. In relation to that, what is the measure for adequate and not excessive as to the “other purposes?” Again, there exists a vacuum to the extent of application of the law. “Flexible approach” perhaps?

Conditions for the Lawful Processing of Personal Information

            It is important to note that the criteria for lawful processing of sensitive personal information are more stringent than that of personal information, where Section 13 provides that processing of sensitive personal information is generally prohibited. However, processing is considered lawful even without the consent of the individual if it complies with the exceptions provided by the law. This means that once the information leaves the data subject, even without the consent, its processing becomes subject to the conditions laid by law, which conditions are subject to the needs of the Controller or the government,[30] and only upon the regulation of the NPC.

Notification Requirement

            The rights of the data subject include being informed whether personal information pertaining to him/her shall be, are being or have been processed. The data subject must be furnished with the particular information to be processed before the entry of personal information into the processing system of the personal information controller, or at the next practical opportunity.

Again, there is room allowing an interval by which the individual must have been notified. To be clear, this set of information which requires notification upon the data subject includes disclosure of personal information to “possible recipients or classes of recipients” meaning third parties. This is information personal to the data subject and it is unacceptable that such information be out in the open without the individual’s knowledge until “the next practical opportunity.” If this law were to be made a mechanism for the national identification system, then there is a clear breach in confidentiality and security in this area. “A critical component of protecting privacy is information security – protecting the confidentiality, integrity, and availability of information that identifies or otherwise describes an individual. To be considered privacy enabled, an identification system must be designed to satisfy these parameters.”[31]

Then again, if this were to be for an identification system personal to the needs of the individual, who exactly comprise “possible recipients or classes of recipients?” Being personal for that matter, what are the instances by which there is a need to provide third parties with information personal to an individual and why?

Rights of Data Subjects

            Among the rights[32] stated in the Act is for the data subject to “dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately XXX Provided, that the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject.”[33] Further, the data subject may “suspend, withdraw or order the blocking, removal or destruction of his personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes XXX In this case, the personal information controller may notify third parties who have previously received such processed personal information.”

These provisions show that it is not within the powers of the law to mandatorily impose upon the controller to protect the integrity of the personal information of the data subject. In the former it states that inaccuracies will be corrected “upon reasonable request of the data subject.” However, it cannot be presumed that these data subjects are informed of their rights in the first place, where there is even a provision in this law wherein data subjects are notified only at the next practical opportunity of who these third persons are. This Act is hard enough to comprehend as it is for these data subjects to understand the implications of this provision.

In the latter, it is discretionary for the controller to notify these third parties of any wrongful information which is damaging to the person of the data subject. The rules on statutory construction provide that the use of the word “may” in a statute will be interpreted in the permissive or discretionary sense. How is it justifiable that one’s character which is wrongfully recorded and presented to third persons remain uncorrected upon the discretion of the controller? Will the next provision pertaining to indemnification of damages provide enough redress to the wrong done upon one’s personal character? And we have not even addressed technological and digital security issues yet as when electronic information leaks beyond the custody of the controller and third party.

Transfer of Personal Information, Subcontracting, and Accountability

            Section 14 provides for the subcontracting of personal information upon ensuring proper safeguards to protect the confidentiality of the personal information processed and prevent its use for unauthorized purposes.  Section 21 provides for the accountability of the controller having the custody and control of the personal information to be transferred to a third party for processing, whether domestically or internationally.

            The digital world is constantly improving. Subjecting personal information, and possibly sensitive personal information, to various transfers through electronic means leave behind data in the digital systems where these transits take place. During these digital times, there is no foolproof safeguard in ensuring the protection of one’s identity in the digital world. It can even be said that in this context, passing the accountability to the controller is unqualified when there are technological breakthroughs that could break into the system, which is beyond the controller’s control.

            The use of “contractual or other reasonable means” to provide a “comparable level of protection” while the information are being processed by a third party do not provide adequate protection with regard to personal and sensitive personal information. In connection to the national identification system, an individual’s personal information should not even be a proper object or subject matter of a contract. It is against public policy to subject a person to a high probability of exposure of his personal identity on the basis of these transfers where there is a likelihood of identity theft in the transitions. Moreover, privacy in the context of a national identification system should not be subject to a ”comparable level of protection.” Comparable to what, by all means. There is a need for accuracy and precision in providing for information security. These jargons in the Act do not provide sufficient protective measures for the transfer of personal data.

Sanctions

            It is commendable that this law provided for stiff sanctions in cases of violations. However, it has been said that prevention is better than cure. In the implementation of a national identification system, these penalties are not enough to deter violators. This law cannot possibly prevent spillovers beyond the custody of the controller or the third parties. What happens then when a non-party gets hold of these information? What happens when a violator is someone who is not even aware that s/he is processing personal information in social media?

The law is too broad and vague that it can be made to apply even to innocent actions of people in the internet, particularly in social media. It can be applicable to anyone who processes private information. This includes people who access social networks.

CONCLUSION

The Data Privacy Act of 2012 is not a sufficient mechanism for the introduction of a National Identification System, in relation to the constitutionality issues raised in Ople vs. Torres. The law does not provide adequate protection to the right to privacy

And as to its framework, there still exists a void as to the purpose for which this law is made to apply. Obviously, we do not want a “flexible approach” as coined by Sen. Angara, when it comes to the handling of personal information in our identification system. This “flexibility” can be gleaned from Sections 4, and 11. And in Section 12 where even without the consent of the data subject, if otherwise not prohibited by law, and when at least one of the conditions exists, processing of personal information is lawful. A framework that considers the interests of the BPO sector almost at par with that of the individual cannot be a sufficient measure to lay the grounds for a national identification system, or to justify what is lawful. 

It must be stressed that Section 12 likewise provides that processing is necessary to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; and in Section 13 where one of the exceptions to the prohibition of processing of sensitive information is when the same is provided for by existing laws and regulations where the consent of the data subject is not required by law or regulation permitting the same.  While the Committee stresses on the protection of personal information and stringently so for sensitive personal information, the individual’s right to privacy is compromised in times of national emergency and in the name of public order and safety, or when there is a law made applicable for this. Again, this brings us to past lessons when a less tolerant government gains access to personal data in the name of police power, or sensitive personal data for that matter, for their manipulation. Here lies the basis for violating the individual’s fundamental right to privacy, and even the right to travel and liberty of abode; the right against self- incrimination; the right to dissent; and possibly the right against unreasonable searches without probable cause.

            In sum, there still remains no sufficient mechanism for a national identification system in the Philippines in the context of protection of a person’s privacy. The Data Privacy Act of 2012, being the first data privacy law adopted, does not address the constitutional issue on the right to privacy as raised in Ople vs. Torres.

“We cannot solve our problems with the same thinking we used when we created them.”

– Albert Einstein.

Disclaimer:      This paper is not intended to be and should not be taken as legal advice.

---

[1]  Haya El Nasser (March 30, 2007). "Papers show Census role in WWII camps". USA Today, http://usatoday30.usatoday.com/news/nation/2007-03-30-census-role_N.htm

[2] JR Minkel (March 30, 2007). Confirmed: The U.S. Census Bureau Gave Up Names of Japanese-Americans in WW II. Scientific American, http://www.scientificamerican.com/article.cfm?id=confirmed-the-us-census-b&sc=I100322,

[3] Prosecutor vs. Jean-Paul Akayesu, (Case No. ICTR-96-4-T), Judgement, 2 September 1998, paragraph 123. The comparison between the Nazi and Rwandan ID cards and a call for further research on this topic was made by Henry R. Huttenbach in an article entitled "The letter of the Law and the Mark of Cain: When "J" was and "T" is lethal," Genocide Forum, year 1 (1994), no. 5, http://www.preventgenocide.org/prevent/removing-facilitating-factors/IDcards/index.htm#2

[4] Transcript of the trial of Adolf Eichmann, Session 36 (11 May 1961), Testimony of Henrietta Samuel, http://www.preventgenocide.org/prevent/removing-facilitating-factors/IDcards/index.htm#2

[5] Jose Manuel S. Mamauag (February 14, 2008), Legal Opinion: ID System in Sulu, an Experimental Implementation of National ID System?, Commission on Human Rights-IX

[6] KASAMA Vol. 11 No. 1 (January-February-March 1997), Ramos Orders I.D. Cards, Solidarity Philippines Australia Network

[7] Ople vs Torres, G.R. No. 127685, July 23, 1998

[8] Senate Economic Planning Office (December 2005) PI-07-05, National Identification System: Do We Need One?, Policy Insights, http://www.senate.gov.ph/publications/PI%202005-12%20-%20National%20Identification%20System%20-%20Do%20We%20Need%20One.pdf

[9] Electronic Frontier Foundation, Mandatory National IDs and Biometric Databases, https://www.eff.org/issues/national-ids

[10] Smart Card Alliance (February 2003), Privacy and Secure Identification Systems: The Role of Smart Clouds as a Privacy-Enabling Technology,  http://www.smartcardalliance.org/resources/lib/Privacy_White_Paper.pdf

[11] Senate Economic Planning Office (December 2005) PI-07-05, supra

[12] Electronic Frontier Foundation, Mandatory National IDs and Biometric Databases, supra

[13] Electronic Frontier Foundation, National Identification Systems, http://w2.eff.org/Privacy/Surveillance/?f=nationalidsystem-resources.html

[14] Ople vs. Torres, citing several sources, supra

[15] Electronic Frontier Foundation, Mandatory National IDs and Biometric Databases, supra

[16] Electronic Frontier Foundation, National Identification Systems, supra

[17] Alexander Yano (May 24, 2012), The proposed national ID system, The Manila Times.net, http://www.manilatimes.net/index.php/opinion/columnist1/23504-..

[18] Administrative Order No. 308

[19] Ople vs. Torres, supra

[20] Ibid

[21] Laxmi Rosell, Sheilah Marie Tomarong-Cañabano (September 14, 2012), ANALYSIS: The Philippines’ Data Privacy Act Of 2012, World Data Protection Report, Global Law Watch, http://www.globallawwatch.com/2012/09/analysis-the-philippines-data-privacy-act-of-2012/

[22] Smart Card Alliance, supra

[23] Ibid

[24] Laxmi Rossel, supra

[25] David Dizon, ABS-CBNnews.com (June 2, 2012), Angara: Data Privacy Act targets leaks, ABS-CBNnews.com, http://www.abs-cbnnews.com/nation/06/01/12/angara-data-privacy-act-targets-leaks

[26] Press Release (July 20, 2011), Senate of the Philippines, http://www.senate.gov.ph/press_release/2011/0720_angara1.asp

[27] Laxmi Rossel, supra

[28] Senate Economic Planning Office, supra

[29] Section 11, Republic Act No. 10173

[30] Section 12 & 13, Republic Act No. 10173

[31] Smart Card Alliance, supra

[32] Section 16, Republic Act No. 10173

[33] Ibid