Privacy, the right to be let alone,
according to Justice Brandeis[i] is
the most comprehensive of rights and the right most valued by civilized men. It
is one of the rights that an individual would not easily concede. In the 2014
case of Disini v. Secretary of Justice,[ii]
the Supreme Court cited the case of Whalen
v. Roe wherein the United States Supreme Court classified privacy into two
categories: decisional privacy and informational privacy. Decisional privacy
involves the right to independence in making certain important decisions, while
informational privacy refers to the interest in avoiding disclosure of personal
matters. It is the scope of the latter right—the right to informational
privacy—under the Philippine law and jurisprudence which the author tries to
determine.
The same US case further explained
that informational privacy has two aspects: the right not to have private
information disclosed, and the right to live freely without surveillance and
intrusion. In determining whether or not a matter is entitled to the right
to privacy, the Court has laid down a two-fold test. The first is a subjective
test, where one claiming the right must have an actual or legitimate expectation
of privacy over a certain matter. The second is an objective test, where his or
her expectation of privacy must be one society is prepared to accept as
objectively reasonable.
However, this right is not absolute
as held by the Supreme Court in Standard
Chartered Bank v. Senate Committee on Banks.[iii]
Said the Court, while it is true that Section 21, Article VI of the
Constitution, guarantees respect for the rights of persons affected by the
legislative investigation, not every invocation of the right to privacy should
be allowed to thwart a legitimate congressional inquiry. So in Sabio v. Gordon,[iv]
the Court held that the right of the people to access information on matters of
public concern generally prevails over the right to privacy of ordinary financial
transactions. In that case, It declared that the right to privacy is not
absolute where there is an overriding compelling state interest. The question now is up
to what extent a person has actual or legitimate expectation of privacy in a
digital world and its recognition by the public as shown by the express
provision of the law. Given the fact that there are various laws that
cover the privacy rights in our country, the answer would depend on the
circumstances of a given case.
Application of Philippine Laws and Jurisprudence on
Privacy in the Digital World
The Bill of Rights of the 1987 Constitution of the Philippines has only
one provision which expressly mentioned and recognized the right to privacy,
that is Section 3 which states the privacy of communication and correspondence
shall be inviolable except upon lawful order of the court, or when public
safety or order requires otherwise, as prescribed by law. Though there is only
one express provision, Justice
Douglas in the case of Griswold v. Connecticut[v]
stated that the various
guarantees create a zone of privacy. A zone of privacy is an area or aspect of life that is held to
be protected from intrusion by a specific constitutional guarantee or is the object
of an expectation of privacy. And in the case of Morfe v. Mutuc[vi]
the Supreme Court admitted that it is so likewise in our jurisdiction. The
right to privacy as such is accorded recognition independent of its
identification with liberty; in itself, it is fully deserving of constitutional
protection. In fact, in the case of Ople v.
Torres[vii], the Court ruled that
there are other facets of the right to privacy which are protected in the
various provisions of the Bill of Rights, viz:
Sec. 1. No person shall be deprived of life,
liberty, or property without due process of law, nor shall any person be denied
the equal protection of the laws.
Sec. 2. The right of the people to be secure in
their persons, houses, papers, and effects against unreasonable searches and
seizures of whatever nature and for any purpose shall be inviolable, and no
search warrant or warrant of arrest shall issue except upon probable cause to
be determined personally by the judge after examination under oath or affirmation
of the complainant and the witnesses he may produce, and particularly
describing the place to be searched and the persons or things to be seized.
Sec. 6. The liberty of abode and of changing the
same within the limits prescribed by law shall not be impaired except upon
lawful order of the court. Neither shall the right to travel be impaired except
in the interest of national security, public safety, or public health, as may
be provided by law.
Sec. 8. The right of the people, including those
employed in the public and private sectors, to form unions, associations, or
societies for purposes not contrary to law shall not be abridged.
Sec. 17. No person shall be compelled to be a witness against himself.
These guarantees are fundamental and
laws must adhere to its mandate. In the Disini
case, the constitutionality of the R.A. 10175 otherwise known as Cybercrime Prevention Act of 2012 was
questioned for the alleged contravention to the constitutional guarantees.
However, the Court upheld the law and declared only 3 parts of it as being
unconstitutional. In the said law, the access, without right, to the whole or
part of a computer system is punishable for it constitutes illegal access.
Access refers to the instruction, communication with, storing data in,
retrieving data from, or otherwise making use of any resources of a computer
system or communication network. Computer system refers to any device or group
of interconnected or related devices, one or more of which, pursuant to a
program, performs automated processing of data. It covers any type of device
with data processing capabilities including, but not limited to, computers and
mobile phones. The device consisting of hardware and software may include
input, output and storage components which may stand alone or be connected in a
network or other similar devices. It also includes computer data storage
devices or media. A person must respect the privacy of an individual to his
computer system and/or data by not accessing it without prior consent or any
right to do so; otherwise, he will be guilty of illegal access. How about a
person who accessed, for whatever reason, the file or data in a laptop that he
stole, will he also be guilty of illegal access? Let us say that he viewed all
the files therein and had some of them copied for his own use and then sold the
laptop to a third person. Here, his main intention is to have the laptop so he
can sell it. In the case of Disini, the argument of the petitioners in
assailing its constitutionality is that this particular provision of the law
would prejudice the work of ethical hackers or professionals who employ tools
and techniques used by criminal hackers but would neither damage the target
systems nor steal information. Ethical hackers evaluate the target system’s
security and report back to the owners the vulnerabilities they found in it and
give instructions for how these can be remedied.[viii]
Clearly the illegal access as the petitioners and the Court has in mind would
be the access via the computer network using tools and techniques and the hacker's
own computer or device to access another person's computer system. It may also
include, as in the movies, the access to the computer itself by using some kind
of a USB flash drive that can extract data from the system. It can be said that
the intention is to have the possession of or access to the data itself, it was
never about the computer or hardware or device containing the data. But it in
the above scenario, the writer, in his own opinion, should make the thief also
liable for illegal access.
Access is
defined by the law as otherwise making use of any resources of a computer
system or communication network. Let us say that among the files is a movie,
watching that movie alone can be considered as making use of the file. What
else would be the purpose of a movie other than watching it? So what if it is a
private video of the owner, of course he would not have others watch it
indiscriminately. On the other hand, computer system was also therein defined,
the second sentence defining computer system states that it covers any type of
device including, but not limited to, computers and mobile phones. So as the
writer understands it, a computer is part or included or within the meaning of
computer system. Then all the elements are present. The thief who viewed or
watched the file in a laptop of another person that he stole should also be
guilty of illegal access. His subsequent acts, which may fall under the
prohibited acts of other statutes, is another matter. One thing is for certain,
the thief will be held liable under the Revised Penal Code, as amended, and his
liability under R.A. 10175 for illegal access is yet to be decided by the Court.
The above illustration and interpretation is just a product of the writer's
imagination, it may not be accurate and certainly not authoritative.
Another prohibited act would be the data
interception made by technical means without right. Interception refers to the listening
to, recording, monitoring or surveillance of the content of communications,
including procuring of the content of data, either directly, through access and
use of a computer system or indirectly, through the use of electronic
eavesdropping or tapping devices, at the same time that the communication is
occurring. This provision embodies the constitutional guarantee to privacy of
communication and correspondence. It is akin to the Anti Wire-Tapping law (R.A. 4200) which applies to any person, not being authorized by all the parties to any private
communication or spoken word, to tap any wire or cable, or by using any other
device or arrangement, to secretly overhear, intercept, or record such
communication or spoken word by using a device commonly known as a dictaphone
or dictagraph or detectaphone or walkie-talkie or tape recorder, or however
otherwise described. The privacy of the communication and correspondence is so
sacred that evidence obtained in violation of its section is inadmissible for
any purpose in any proceeding.[ix]
While the illegal access
and interception of data are proscribed in the cybercrime law, the Data
Privacy Act of 2012 or R.A. 10173 focuses on the protection of an
individual's personal information in information and communications systems in
the government and the private sector. In this Act the state recognizes its inherent
obligation to ensure that personal information in information and
communications systems are secured and protected so it affords protection to
the fundamental human right of privacy and of communication while ensuring free
flow of information to promote innovation and growth as information and
communication technology plays a vital role in the nation building. This protection makes a person or persons, the personal information controller or personal
information processor, or any of its officials, employees or agents liable for
unauthorized processing of personal information and sensitive personal information,
accessing personal information and sensitive personal information due to negligence,
improper disposal of personal information and sensitive personal information,
processing of personal information and sensitive personal information for
unauthorized purposes, unauthorized access or intentional breach, concealment
of security breaches involving sensitive personal information, malicious disclosure, unauthorized disclosure,
and any combination thereof. Personal information refers to any information
which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information, or when put
together with other information would directly and certainly identify an
individual. Personal information controller refers to a person or organization
who controls the collection, holding, processing or use of personal
information, including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal information
on his or her behalf. Personal information processor refers to any natural or
juridical person qualified to act as such under the said Act to whom a personal
information controller may outsource the processing of personal data pertaining
to a data subject. This Act also provided for the criteria wherein the
processing of personal information is lawful. The criteria are met when any of
the following conditions exists:
·
The data subject or the individual whose personal
information is processed has given his or her consent;
·
The processing of personal information is necessary
and is related to the fulfillment of a contract with the data subject or in
order to take steps at the request of the data subject prior to entering into a
contract;
·
The processing is necessary for compliance with a
legal obligation to which the personal information controller is subject;
·
The processing is necessary to protect vitally
important interests of the data subject, including life and health;
·
The processing is necessary in order to respond to
national emergency, to comply with the requirements of public order and safety,
or to fulfill functions of public authority which necessarily includes the
processing of personal data for the fulfillment of its mandate; or
·
The processing is necessary for the purposes of the
legitimate interests pursued by the personal information controller or by a
third party or parties to whom the data is disclosed, except where such
interests are overridden by fundamental rights and freedoms of the data subject
which require protection under the Philippine Constitution.[x]
Those are for the rights to privacy
of data system, communication and personal information. Few years ago, a number
of videos depicting the nude body of celebrities in their most intimate moment
in bed were non-consensually released or uploaded in the internet which caused
its instant infamy. This so called celebrity sex video scandals paved the way
to the birth of R.A. 9995 otherwise known as the Anti-Photo and Video Voyeurism Act of 2009. In this said piece of
legislation, the taking of photo or video coverage of a person or group of
persons performing sexual act or any similar activity or capturing an image of
the private area of a person such as the naked or undergarment clad genitals, pubic
area, buttocks or female breast without the consent of the person involved and
under circumstances in which the person has a reasonable expectation of privacy
is declared prohibited and unlawful. This means that the mere act of taking a
photo or video without the consent of one or all of the persons in the said photo
or video is prohibited by law and such person taking the same may be held
liable under this Act. To be held liable, consent is a material element in the
taking of photo or video. There should also be the circumstance where a person
has a reasonable expectation of privacy. Therefore, if the photo or video was
taken or captured in a place where reasonable expectation of privacy cannot be
had, the defendant may have this as his defense. A very obvious example would
be a sex act in the public place caught by a CCTV camera installed in such
public place for surveillance and security purposes. Under circumstances in
which a person has a reasonable expectation of privacy means that he or she believes
that he/she could disrobe in private, without being concerned that an image or
a private area of the person was being captured; or circumstances in which a
reasonable person would believe that a private area of the person would not be
visible to the public, regardless of whether that person is in a public or
private place.
That is not the only punishable deed
enumerated in the said law. Let us say for example that a person's house was
robbed and among the loots is his laptop which has a video of him and his
partner having sexual intercourse. The video was taken with the consent of the
partner. The robber then sold it to a third party and the latter showed it to
his friends, allowed them to have a copy of it, and one of his friends uploaded
it to one of the adult sites in the internet. By the passage of RA 9995, other
than the criminal prosecution that the burglar shall face under the Revised
Penal Code, as amended, all of them can be held liable for the violation of the
said statute. The said Act punishes also those who will copy or reproduce, or
cause it to be copied or reproduced and those who will sell or distribute, or
cause it to be sold or distributed. Another is the act of uploading it which
will fall under the last prohibited act of the said law which is the publishing
or broadcasting, or causing it to be published or broadcasted, or showing or
exhibiting the photo or video coverage or recordings of such sexual act or any
similar activity through VCD/DVD, internet, cellular phones and other similar
means or device. In these cases, prior consent of the actors in the
making or taking of the photo or video is immaterial and makes the person who
copied or reproduced, sold or distributed, and published or broadcasted, or
showed or exhibited the photo or video liable even if the taking or making of
such photo or video had the consent of the person or persons involved. Making all persons
involved from the making of the photo or video to its upload will face criminal
prosecution.
In our world today, people, most if
not all, own an account in one of the online social networking sites. In these
online social networking sites, up to what extent does one have the expectation
of his right to privacy when such sites allow the sharing of myriad of
information or could he even expect the protection of such right? The Supreme
Court happened to rule on this matter regarding one of the online social
networking sites, www.facebook.com, in the 2014 case of Vivares v. St. Theresa's College.[xi]
In this case, STC did not allow its students to graduate for committing acts
proscribed by the school's student handbook. The said case arose when one of
the students uploaded digital photos which showing her female classmates clad
only in their undergarments. The photo was taken while they were changing into
their swimsuit for a beach party they were about to attend. A computer
teacher at STC’s high school department, learned from her students that some
seniors at STC posted pictures online, depicting themselves from the waist up,
dressed only in brassieres.
Using STC’s computers, these students logged in
to their respective personal Facebook accounts and showed to their teacher
photos of the identified students. These same students claimed that there were
times when access to or the availability of the identified students’ photos was
not confined to the girls’ Facebook friends, but were, in fact,
viewable by any Facebook user. The petitioners, parents of the students,
alleged that the photos accessed belong to the girls and, thus, cannot be used
and reproduced without their consent and the teacher violated their rights by
saving digital copies of the photos and by subsequently showing them to STC’s
officials. Thus, the Facebook accounts of petitioners’ children were intruded
upon. Was there really intrusion? Do the students really have the right to
informational privacy in online social networking sites (OSNs)?
The court ruled that having an expectation of informational privacy is
not necessarily incompatible with engaging in cyberspace activities, including
those that occur in OSNs. The Court recognized that Facebook is armed with
different privacy tools designed to regulate the accessibility of a user’s
profile as well as information uploaded by the user. It is through the availability of said
privacy tools that many OSN users are said to have a subjective expectation
that only those to whom they grant access to their profile will view the
information they post or upload thereto. This, however, does not mean
that any Facebook user automatically has a protected expectation of privacy in
all of his or her Facebook activities. Nevertheless these photos were admitted
in evidence and the Court ruled that STC did not violate the student's right to
informational privacy. The Court ruled that the students shared it to all their
friends on Facebook and not to a selected few which would have given rise to
the expectation of privacy. Before one can have an expectation of privacy in
his or her OSN activity, it is
first necessary that said user manifest
the intention to keep certain posts private, through the employment of
measures to prevent access thereto or to limit its visibility. And
this intention can materialize in cyberspace through the utilization of the OSN’s privacy tools. In
other words, utilization of these privacy tools is the manifestation, in cyber
world, of the user’s invocation of his or her right to informational privacy.
In cases of breach of right to
privacy in life, liberty or security, one may avail the Writ of Habeas Data. To be precise, this writ is a remedy available to any person whose right
to privacy in life, liberty or security is violated or threatened by an
unlawful act or omission of a public official or employee, or of a private
individual or entity engaged in the gathering, collecting or storing of data or
information regarding the person, family, home and correspondence of the
aggrieved party.[xii]
This same writ was prayed for in the Vivares
case. In that case, the respondent argued that the
remedy cannot be issued against them because they are neither a private individual nor an entity engaged in the
gathering, collecting or storing of data or information regarding the person,
family, home and correspondence of the aggrieved party. However,
the Court ruled that while the contention is valid to a point, it is,
nonetheless, erroneous. It is because such individual or entity need not be in the
business of collecting or storing data. To "engage” in something, as
further explained by the Court, is different from undertaking a business
endeavor. To “engage” means “to do or take part in something.” It does not
necessarily mean that the activity must be done in pursuit of a business. So
the mere act of a private person or entity in gathering, collecting or storing
said data or information about the aggrieved party or his or her family is
sufficient to make it fall within the ambit of the writ. Whether such
undertaking carries the element of regularity, as when one pursues a business,
and is in the nature of a personal endeavor, for any other reason or even for
no reason at all, is immaterial and such will not prevent the writ from getting
to said person or entity.
To agree with respondents’ above
argument, would mean unduly limiting the reach of the writ to a very small
group, i.e., private persons and entities whose business is data gathering and
storage, and in the process decreasing the effectiveness of the writ as an
instrument designed to protect a right which is easily violated in view of
rapid advancements in the information and communications technology––a right
which a great majority of the users of technology themselves are not capable of
protecting.[xiii]
Conclusion
In
conclusion, different Philippine laws, statutes and jurisprudence cover the
various expectations to the right of informational privacy from the fundamental
guarantees provided by the Constitution to various legislative enactments and
different judicial decisions. The Constitution provides for the inviolability
of privacy of communication and correspondence and bring into being the zones
of privacy. Legislative enactments protect one's privacy to his personal
information, data, computer system, communication and it even extend to photos and video
coverage taken without his or her consent and under circumstances in which he
or she has reasonable expectation of privacy. The Supreme Court enunciated in Vivares case that engaging in cyberspace
activities does not necessarily mean that a person should no longer expect
informational privacy.
No comments:
Post a Comment