You don’t watch what you are eating and change your lifestyle until your doctor tells you that you have hypertension. The eCommerce Act (Republic Act 8792) would probably not have been enacted if then President Erap’s website wasn’t defaced or, as some say, if Onel de Guzman’s ‘Love Bug’ virus hadn’t infected a ton of computers. I tell my son that if I die as collateral damage from all these killings I would come back and haunt him no end just to say, ‘I told you so!’ and repeatedly ask him what it is about ‘Thou shalt not kill’ that he doesn’t understand. Sorry (not sorry), I digressed. Point is, we don’t act on anything unless it affects us directly. We nonchalantly go along our merry way and without regard for the consequences, approve or dismiss things as we see fit, that is, as long as it benefits or doesn’t harm us (yet).
It perplexes me no end, the seeming disregard with which most of our countrymen regard the issue of privacy. Is it our merry and trusting nature or just plain ignorance? In other countries, people guard their personal information as if their very lives depend on it and would fight tooth and nail to keep their personal space intact. Most especially in today’s ‘Internet Age’ that is slowly eroding away every inch of our private lives, we continue to put almost everything on the Internet.
In our early days of the now defunct ITECC (Information Technology and eCommerce Council)—a public and private sector collaboration under then President Erap and then Gloria—I had the honor to be appointed as co-chair of the subcommittee on privacy and information security under the stewardship of the legal and regulatory chairman, the late Claro ‘Lalen’ Parlade, a very bright and promising lawyer who later became Google Asia’s privacy counsel. Out of that committee came two very important bills that we now know today as RA 10173 and RA 10175 – The Data Privacy Act and the Anti-Cybercrime Law. After almost two decades, several houses of Congress, committee hearings and countless revisions, they were finally enacted under President Noynoy. You wouldn’t believe all the changes that happened; different interests, different agendas have almost changed the complexion and intent of these bills. As a lawyer friend would soon tell me–“There are two things in this world that you wouldn’t want to see: 1) how sausages are made; and 2) how laws are made.” I don’t know where he got it from but it is very damn close to reality.
Fortunately, there are still very good benefits from these laws that can serve our best interest. The anti-cybercrime bill got its share of the spotlight as the citizenry got a whiff of some of the very questionable provisions, and was off to a very rocky start. At one point, we even thought it would get repealed totally but today after the Bangladesh Bank scam, the COMELEC hack and other notable security incidents, several cases have already been filed which will test the mettle of the law and how it would fare in the future.
In complete contrast, the Data Privacy Act was enacted ahead of the Anti-Cybercrime Law but with very little fanfare. Maybe because it was not as “sexy” as hacking or maybe we just didn’t see it as important. That it has taken a very sharp turn, however, is because I guess, as always, we all need a jolt to shock us all into our senses. Now, more than the actual hacking of the COMELEC system, a bigger and more impactful rude awakening has hit the public with regard to privacy. The National Privacy Commission (NPC), which was supposed to be constituted shortly after the approval of the law and was mandated to create the Implementing Rules and Regulations (IRR) of the act, took a really long time to be organized. Thankfully and eventually, it did get to be completed and a full set of commissioners put in place, and for its first act as a quasi-judicial body rendered its findings on the issue of the ‘COMELeak’. The results really came strong and hard on the Commission on Elections. Violations of the law regarding data privacy principles, security of personal information, principle of accountability, responsibility of the heads of agencies and the accessing of personal and sensitive information due to negligence were found to be present and no less than the COMELEC chairman was ruled to be culpable. Since it is a combination of several acts, the law prescribes the penalty of imprisonment of three to six years and a monetary fine of P1 million to P5 million. The findings and recommendations as the law prescribes were all turned over to the Department of Justice for proper handling and filing.
Besides the hefty fines and severe penalties, the National Privacy Commission also ordered the COMELEC Chairman to correct the poll body’s mistakes and implement several provisions of the law within two to three months. These consist of: appointing a data protection officer, conducting a privacy impact assessment, and creating a privacy management program and a breach management procedure.
The net effect? A lot of calls and questions from very concerned government and private organizations on how they can avoid the same thing happening to them. Sad but true, there is nothing like fear to motivate awareness.