First of 2 parts
THE National Privacy Commission (NPC) made public last week its decision, dated December 28, 2016, which found Commission on Elections (COMELEC) Chairman Andres Bautista criminally liable for violating Republic Act 10173, or the Data Privacy Act of 2012.
The NPC recommended to the Department of Justice (DOJ) the prosecution of Bautista. The charges against Bautista stemmed from the massive data breach that occurred sometime in March 2016, which was later dubbed “COMELeak.”
In my article “Hacking the AES,” published on April 26, 2016, in this newspaper, I mentioned that the COMELEC belittled the COMELeak and downplayed its consequences. Just to refresh the minds of our readers, I am reproducing below the relevant portions of that article.
“Let’s revisit the recent hacking done at the COMELEC website. On March 27, 2016, a group of hackers, purporting to be members of Anonymous Philippines, defaced the website of the COMELEC. They claimed that their hacking exposed the vulnerability of the entire electoral process, specifically the AES. The hackers downloaded several databases containing private data of millions of registered voters. The COMELEC belittled this event and downplayed its importance.”
“On April 21, 2016, agents of the National Bureau of Investigation (NBI) arrested 23-year-old Paul Biteng, who allegedly easily owned up to the crime. He was charged with violating Sec. 4A-1 of the Cybercrime Prevention Act. Biteng claimed that he simply wanted the COMELEC to implement the security features of the VCM during the election.”
I ended the article by saying that, “The reality is that the government does not have an established and effective security mechanism to protect its computer systems and communications networks, including the AES, from determined hackers.”
The NPC decision concluded that Bautista “violated the provisions of Sections 11, 20, 21 and 22 in relation to Section 26.”
Section 11 of the law pertains to the general data privacy principles, which should be observed in the processing of personal information. Section 20 deals with the security of personal information that should be implemented through reasonable and appropriate organizational, physical and technical measures. Section 21 mandates that the information controller is accountable for any transfer of personal information, and Section 22 attaches this responsibility and accountability to the heads of agencies in the government.
How about Section 26? It penalizes by imprisonment, ranging from one year to three years, and a fine of P500,000 to P2 million, any person who, due to negligence, provided unauthorized access to personal information.
Applying it to COMELeak, it is surmised that Bautista, as the head of agency (COMELEC), through negligence and without implementing reasonable and appropriate organizational, physical and technical measures, allowed Biteng and his colleagues to unlawfully access and download millions of voters’ personal information.
Well, I have no qualms about COMELEC being castigated, penalized, and made accountable for that COMELeak.
However, my insight tells me that there is something amiss here.
The Data Privacy Act of 2012 was approved on August 15, 2012. The Implementing Rules and Regulations (IRR) of the same Act was belatedly promulgated on August 24, 2016 (and which could only have taken effect 15 days after its publication in the Official Gazette).
Raymund Liboro was appointed Commissioner of the NPC in March 2016. Meanwhile, Damian Mapa was designated Deputy Commissioner in February 2016, and so was Ivy Patdu.
Can a law, without a corresponding IRR at that time, be considered in effect and in full force? More so, can an IRR be made retroactive and can it cover events and alleged crimes that happened before its implementation? My answer to both is in the negative.
Implementation of the law is indisputably an Executive function. To implement the law, the Executive must necessarily adopt implementing rules to guide executive officials on how to implement the law, as well as to guide the public on how to comply with the law. These guidelines, known as implementing rules and regulations, can only emanate from the Executive because the Executive is vested with the power to implement the law. Implementing rules and regulations are the means and methods on how the Executive will execute the law after the Legislature has enacted the law. (Abakada et al. v. Purisima et al., G.R. No. 166715)
Obviously, the IRR gives instructions to executive officials on how the law should be executed by them and complied with by the public. How can an agency comply with the requirements of the law if the IRR is non-existent?
Another question that strikes me is this: Can an omission on the part of the quasi-judicial adjudicatory and regulatory body exculpate the liability of an alleged violator? Simply put, can a non-performance of NPC’s mandated role negate the criminal liability of Bautista? My answer to this is in the affirmative.
Let us go back to Section 22 of the law. It states,
“SEC 22. Responsibility of Heads of Agencies. – All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein while the Commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.”
There is no doubt that it is the responsibility of the heads of agencies to secure all sensitive information maintained by the government, its agencies and instrumentalities. How should the sensitive information be secured? It must be secured with the use of the most appropriate standard recognized by the information and communications technology (ICT) industry, and as recommended by the Commission.
The appropriate standard recognized by the ICT industry is coupled with the recommendation of the NPC. The law uses the word “and.” Thus, it is mandatory for the NPC to make a recommendation to the agency. The agency cannot just use any standard recognized by the ICT industry; it must, in fact, be recommended by the NPC.
Following Black’s Construction and Interpretation of Laws, the provision in Section 22 must “be read literally because its language is plain and free from ambiguity, and expresses a single, definite, and sensible meaning. Such meaning is conclusively presumed to be the meaning that the Legislature has intended to convey. Even where the courts should be convinced that the Legislature really intended some other meaning, and even where the literal interpretation should defeat the very purposes of the enactment, the explicit declaration of the Legislature is still the law, from which the courts must not depart. When the law speaks in clear and categorical language, there is no reason for interpretation or construction, but only for application.”
Going back to the COMELEC’s system security, the question now is whether or not the NPC had made its recommendations on what ICT standard should be used by that government instrumentality.
COMELEC’s system was hacked on March 27, 2016. When did the NPC give its recommendation to the COMELEC, if any? Was it prior to March 2016? If it was given after March 2016 or none at all, then Bautista has an escape route. He can always claim in defense that all sensitive personal information maintained by the COMELEC was secured, as far as practicable, with the use of the most appropriate standard recognized by the ICT industry. However, such measure failed because the standard recognized by the ICT industry was not recommended by the NPC!
The present predicament that NPC dug for itself is made worse by its own IRR, particularly Section 30 under Rule VII. To wit:
“Rule VII. Security of sensitive personal information in government”
“Section 30. Responsibility of Heads of Agencies. All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein. The Commission shall monitor government agency compliance and may recommend the necessary action in order to satisfy the minimum standards.”
Clearly, all sensitive personal information shall be secured with the use of the most appropriate standard recognized by the ICT industry and these should be subject to the IRR and other issuances of the NPC.
However, as I pointed out earlier, the NPC promulgated the IRR only on August 24, 2016. How could the COMELEC implement its data security aspect on or about March 2016 when there was no IRR to guide it in the first place?
Probably, the NPC officials are trigger-happy and they want to make a “precedent case.” Unfortunately, COMELeak cannot be that one.
Again, my insight tells me that this haphazard decision issued by the NPC will boomerang on them.
Howard Newton’s quote is in order. “People forget how fast you did a job – but they remember how well you did it.”