Philippine Government Issues Implementing Rules under Cybercrime Law – Part II In Part I of this series, we introduced the Philippine Government’s Implementing Rules of the Cybercrime Law and outlined certain requirements that now apply to “service providers”, as that term is defined under the Cybercrime Law. Click here to view Part I of the series. Below we examine some additional provisions of the Implementing Rules. Service Providers' Exemption from Liability The Implementing Rules carve out an exemption from liability for service providers in the offense of "illegal interception." Under the exemption, service providers, their officers, employees, and agents cannot be held liable for interception, disclosure, and use of communication transmitted through their facilities, when such activities transpire in the normal course of the performance of the lawful objectives of the service provider. Also, service providers, their officers, employees, and agents who provide access to computer data cannot be held liable for giving such access when the service provider: • has a contractual duty to provide such access; • has no knowledge that the computer data shall be used for an unlawful activity; and • has no financial benefit directly attributable to the unlawful activity. The exemption does not affect any other obligation that a service provider may have under contract, any applicable licensing or regulatory regime, or law. Cybercrimes and Corresponding Penalties The Implementing Rules clearly enumerate the criminal offenses punishable under the Cybercrime Law and their corresponding penalties. When cybercimes are knowingly committed on behalf of, or for the benefit of a juridical person, the organization shall be liable to pay a fine of up to PHP 10 million (approximately USD 216,000). This civil corporate liability is in addition to the liability of the individual who so acted and occupies a leading position within the organization based on a power of representation of the organization, or an authority to take decisions on behalf of the organization, or an authority to exercise control within the organization. The following is a table outlining the cybercrimes set forth in the Implementing Rules and their corresponding penalties: Cybercrimes Penalty A. Offenses against the confidentiality, integrity, and availability of computer data and systems 1. Illegal Access Imprisonment of prision mayor (up to 12 years) and/or a fine of at least PHP 200,000 (approximately USD 4,300) and up to the maximum amount of the damages incurred 2. Illegal Interception 3. Data Interference 4. System Interference 5. Misuse of Devices Imprisonment of prision mayor (up to 12 years) and/or a fine of at least PHP 500,000 (approximately USD 10,800) B. Computer-Related Offenses 1. Computer-Related Forgery Imprisonment of prision mayor (up 12 years) and/or a fine of at least PHP 200,000 (approximately USD 4,300) 2. Computer-Related Fraud 3. Computer-Related Identity Theft C. Content-Related Offense Child Pornography (under the Anti-Child Pornography Act of 2009) Imprisonment of reclusion temporal (up to 20 years) and/or a fine of up to PHP 2 million (approximately PHP 43,000) in accordance with the Anti-Child Pornography Act of 2009 D. Other Cybercrimes 1. Cyber-squatting Imprisonment of prision mayor (up to 12 years) and/or a fine of at least PHP 200,000 (approximately USD 4,300). If committed against critical infrastructure, the fine is at least PHP 500,000 (approximately USD 10,800). 2. Cybersex Imprisonment of prision mayor (up to 12 years) and/or a fine of at least PHP 200,000 (approximately USD 4,300 3. Libel Imprisonment of at least prision correccional in its minimum period (at least 2 years) and/or fine of at least PHP 6,000 (approximately USD 130) 4. Other Offenses a. Aiding or Abetting in the Commission of Cybercrime Imprisonment of one degree lower than the penalty provided for the cybercrime committed and/or a fine of at least PHP 100,000 (USD 2,150) b. Attempt to Commit Cybercrime Excluded Certain Cybercrimes The Implementing Rules exclude at least three provisions of the original Cybercrime Law that the Supreme Court nullified on Constitutional grounds in a 2014 landmark ruling. In particular, the Supreme Court nullified: • a provision that penalizes posting of unsolicited commercial communications or "spam;" • a provision that authorizes the collection or recording of traffic data in real-time; and • a provision that authorizes the Department of Justice to restrict or block access to suspected Computer Data. In the same ruling, the Supreme Court declared that: (a) persons who receive a defamatory online post and react to it cannot be held liable for online libel; and (b) persons guilty of online libel and online child pornography cannot be held liable under both the Cybercrime Law and certain other Philippine laws on similar matters on account of double jeopardy. For more information, please contact Divina Ilas-Panganiban, Bienvenido Marquez or Matthew Tristan Delgado.