Wednesday, May 7, 2014

Situational Gray Areas for Republic Act 10173 or Data Privacy Act


We have come a long way in information and technology in this new era and it has become a pivotal part of human interaction, information dissemination and economic growth. Our world now revolves with a different kind of evolution. An evolution a hundred times faster than the evolution of living matters on our planet---it is the evolution of technology.


Technology comes with almost every facet of life and how we live with it. It goes hand-and-hand with information, economy, science, business, news and many many more. If in the 1980s, information and technology through the use of the internet is a new concept in which very few were willing to accept, in this new era, the internet has become the quintessential form of communication and a medium for growth and development. It has made our world smaller and every information is now readily available through a click of a button. For most, this is an advantage because of the efficiency and convenience of getting what needs to be known anytime, all the time, and most importantly, it serves as a window to a lot more possible innovations people only dreamt of in the early days. Because of the internet and the ever-evolving technology, the future may be bright and promising.


However, with the growth of technology and the internet now a mainstream of communication, there are also grey areas and downfall that result from its readiness. It became readily available to everyone who wants it without initial regulation and limitations. As we learn to live and thrive with it, we also learned the ugly backlash it can cause. The sad part it, as issues and legal matters are raised and addressed, resolutions are provided but the long term damage has already been done.

The Republic Act 10173 or the Data Privacy Act is one of the initiatives and resolutions made to address the said issues. This act aims to protect individuals and their personal information in information and communications systems in the government and the private sector, creating for the purpose a national privacy commission and for other purposes. The goal of this act is to secure and protect personal information so that in the event such information will be acquired, it will be in a way that will not violate any human right such as privacy.


The main concept behind the Republic Act 10173 is to protect the fundamental human right to privacy while ensuring free flow of information to promote innovation and growth. As all laws are, growth and development are encouraged but there should always be a limit.


Yes, there are grey areas in the Data Privacy Act. Some of them might have been actual situations that have already happened without our knowledge. In my line of work, I can also apply RA 10173 and think of relevant grey areas that I have already encountered.


I work as a full time recruiter in an international US-based BPO in Makati. Part of our job is to interview and hire applicants qualified to do the job that our clients require. On a daily basis, I interview about 20-30 candidates and most of them are referrals or endorsements from vendors and headhunters. One of the schemes that Sourcing and Marketing have come up with is the referral program and the predatory project where we “source” potential hires by asking for names and contact numbers from the ones we were able to hire. Based on historical data, most of the passers would “refer” about 2-3 of their friends for our recruitment process. Perhaps they feel that they are compelled to provide these information as a consolation for the job offer extended to them or they feel that it is a requirement in the recruitment process. Either way, sourcing gets it way by getting theses leads and we, in turn, call these leads and invite them for a 1-day recruitment process with the promise of an instant job, provided they pass the assessments and interviews.


90% of the leads I contact would turn out not interested or unreachable. 10% in a good day, would be converted to trainees in a week or two. In a business and recruitment standpoint, the more leads, the higher possibility of hiring people for our training programs. There is always that fine line that maybe, just maybe we can consolidate more and deliver more. Ultimately, to meet our targets, serve our clients and make them happy. That’s what business is all about as long as we are not breaking any law or violating any right.


However, in a randomly-referred-person standpoint, it is annoying, unsolicited and at most, a waste of time. If I were to put myself into the shoes of that person, considering I’m not looking for a job or not interested in pursuing other career paths, I might feel a bit irritated if my number would randomly be given to headhunters or recruitment firms, consistently inviting for me to apply for a job. I wonder, am I violating this person’s right if I call and invite him or her without that person knowing how I got the contact details? Or even if I disclose how I got the contact numbers, say from their friends, would that be ok and these people won’t mind? Or they would mind and might get upset because they didn’t want their numbers given to random people to begin with? The bottomline is, am I violating the RA 10173 or Data Privacy Act?


For me, this situation is very similar to receiving unsolicited commercial communications through email, online, text or any means, known commonly as “spam”. It’s the same as receiving an ad about a medicine or health supplement that would make people feel better or a discount to resort or spa. The only difference is, it is an unsolicited offer of employment. The recipient may like it or might not like it. The reader may take advantage of it or might not. Can that recipient complain that he doesn’t want those ads or spam just as much as he doesn’t want receiving calls from headhunters? Can that person complain that his right to privacy was violated?


In the case of Jose Jesus Disini Jr., Et al. VS The Secretary of Justice, regarding the Cybercrime Act, the Court declared several provisions of the RA 10175 (Cybercrime Act) as unconstitutional either wholly or contextually. One of these provisions is Sec 4 (c) (3) or Unsolicited Commercial Communications, where the Court ruled that “unsolicited commercial communications, also known as spam is entitled to protection under freedom of expression.


The prohibition of the transmission of unsolicited ads or spam would deny the person the right to read his emails, even unsolicited commercial ads that are sent to him. The Court further explained that “Commercial speech is a separate category of speech which is not accorded the same level of protection as that given to other constitutionally guaranteed forms of expression but is nonetheless entitled to protection. The State cannot rob him of this right without violating the constitutionally guaranteed freedom of expression.” Hence, unsolicited advertisements are considered legitimate forms of expression.

This is the reason why sourcing potential leads or candidates has been one of the effective tools in the recruitment industry. The easiest way to generate a pool of applicants with the same quality is by getting referrals from the ones we have already hired. This strategy has always been used and will be used moving forward as the Court itself has already declared that it is allowed.


This holds the same as consolidating a database of applicants who have applied in our company since 2000 and inviting them again through text or call. If this database is to be used by a different recruitment firm, the same jurisprudence will still apply. These names and contact numbers were acquired either through previous applications or referrals from friends and relatives. I believe how we do it in our company requires somehow a consent, either from the applicant himself or herself through previous applications or from their friends or relatives.


Another grey area in RA 10173 is the use of personal information of an individual in literary or artistic works. A perfect example is an unauthorized biography, stated by our professor in Technology and the Law, Atty. Berne Guerrero. Another example that I can think of is using the personal information of artists or celebrities in blogs or articles, whether true or not.

Artists and celebrities are private citizens unlike public officers or employees of government institutions that relate to the positions of functions of the individuals are exempted from the provisions of RA 10173, specifically Sec 4 (a) (1-4). Because of their line of work, they are forced to be under the limelight of entertainment and fame but unfortunately, to criticism and ridicule as well. They are considered public figures even if they don’t serve the government merely because of their exposure to the public. Their profession sometimes requires sacrificing at some point, their right to privacy the extent of their personal lives and family. Like what most would say, it is a price that comes with fame and fortune.


With the technology that we have today where a video taken seconds ago can reach different countries and continents in a matter of minutes, privacy is a rare commodity. And to these celebrities and artists, their personal information such as mobile number, address, family relatives, pictures, etc. are equivalent to money for some people because they can actually earn a living buy getting these information and using them in articles and blogs or tabloids. This is why they are more vulnerable to public criticism because their personal information is something the public would be interested to read or see.


It is indeed a violation of their privacy which is why these artists and celebrities are extra careful in keeping their private lives private, and as much as possible share very little to the public. In the US, celebrities are more aggressive in fighting for their right to privacy. Recently, Halle Berry spearheaded a proposal to create a bill to fight off paparazzis from harassing and taking pictures of celebrities’ children just to sell to tabloids and magazines. This has become the plea of most of the celebrities in the US because their children are being put to risk for the so called “money shot” from paparazzis. These money shots can even cost hundreds or thousands depending on who the celebrities are and how controversial the scoop is. It is an ugly side of show business. Entertainment sources like TMZ and ET are examples of these papparazi-driven shows. The bill has been approved and now observed as a law in some states in the US.


Here in the Philippines, it’s a totally different story though. Although the media is not that aggressive and dangerous when covering stories about celebrities, celebrities are still wary of sharing their personal information online. Through the use of social media sites and with their consent, they can post updates about themselves on Twitter or Facebook for their fans and followers.


Another example of a grey area is acquiring contact numbers from private individuals from raffles, mall  activities or other events that require getting their contact details. If these contact details were used for personal purposes or for means of earning money, then it is a violation of the Data Privacy Act.

If the purpose of writing down personal information like contact details for a game of chance or raffle and would end up being used by a mall employee to start a conversation with the intention of getting to know the individual on a personal level, then it violates the right to privacy of RA 10173. Even if the individual gave the consent to indicate personal details, if it was used other than the purpose it was given for, it is a violation.


Filling up forms online can also be tricky as it is considered a vast universe of data exchanges. A person may believe that he is filling up a form for a specific purpose but would end up being used for different schemes online. This is why putting vital financial information online can be risky and might lead to loss because the internet is still not a safe place to secure these critical information. Fraud has been the recent concern in shopping malls in the US because of identity or credit card fraud. Some of the credit cards were used for unauthorized purchases and it led to huge company and retail losses.


At this time, people may think that because of the Information Techonology industry and the improvement in safety and security in online transactions, it is already safe to disclose private information. But the sad reality is, it will never be safe because thieves and criminals will always find a way to beat the technology and earn money the easy way. We cannot be complacent with the technology and the promise of secure transaction if we are required to give away our bank account or credit card number or cellphone number. We always have to be on our toes and think ahead to ensure that we are not going to be the next victims.


It is good that our legislators are starting to tap the unexplored world of internet surfing and the impact of online transactions on a personal level. They are starting to restrict and regulate some matters that are basically lawless and unlimited before. Everybody is free to do and say whatever they want, whenever they want. Freedom is good but up to an extent. When freedom is overused, then there is still chaos.. even on the internet. They can only do so much in protecting each and every one’s right. We also have to do our part to protect our own.


The best takeaway from this, is to be very careful in giving out personal information in any form. If we are asked for our personal numbers for a mall raffle, I suggest give out an email address instead. Or a landline number instead of a mobile number. Anything that will help us regulate and minimize being susceptible to privacy violations and unsolicited ads.   


I try my best not to give out my mobile number if it not really needed especially if I know that it can be accessed by other people. I also try to restrict my activities online by using fewer social media accounts online and my making sure they are all on private setting and cannot be accessed by anybody.


It also helps if we learn how to customize privacy settings and keep everything intact. At the end of the day, it is for our own protection. Learning not to be all too trusting and cautious of what people’s intentions are will also avoid falling into traps of people waiting to take advantage of the weak and the ignorant.


The Data Privacy Act is there as a guide for all of us consumers. It is our obligation to know our law and follow it. Securing and protecting our personal information also start with us if we are mindful and we apply it in our day-to-day lives. Not just to ourselves of course but to help out others not to be victims. It is very easy to be lured by the temptations online, thinking that no one is watching or it is safe to put everything out on the internet. But sooner or later, technology is going to catch up and bite us before we know it. We have to serve the public as well by informing them and educating them so they can also protect themselves and their loved ones.