Global Information Technology & Communications
The emerging trend in the past couple of years in Information Technology law appears to be in data protection and security, and the Asia Pacific region is no exception. Laws in this region are fast evolving, and existing rules and laws governing privacy and data protection are constantly being updated. In Vietnam, the government issued three decrees providing guidance on sanctions for violations in the IT/C sector, as well as a decree on digital signatures and digital signature authentication services. Singapore's Personal Data Protection Commission also issued a closing note for public consultation on proposed business operations of the Do Not Call registry. These laws will certainly have an impact on technology companies that operate in the region. The Philippines also recently passed a law on data privacy, to address among others, concerns of the business process outsourcing industry of which the Philippines is a major player.
Data Privacy Act
The Data Privacy Act, which took effect on 8 September 2012, applies to the processing of “all types of personal information and to any natural and juridical person involved in personal information processing” including personal information controllers and processors who, although not found in the Philippines, use equipment or have offices or branches that are located in the country. It must be noted, however, that the Data Privacy Act expressly excludes from its coverage the processing of personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions which is being processed in the Philippines.
The Data Privacy Act calls for the establishment of a new government agency, the National Privacy Commission ("NPC") which is tasked to be the key regulatory authority for matters relating to data privacy. The NPC is the agency authorized to receive complaints, institute investigations, adjudicate, issue cease and desist orders, impose temporary bans on the processing of personal information, compel and monitor compliance, and generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection. Yet, as of this writing, the NPC has yet to be established, and the rules and regulations of the law have yet to be issued. Clients are advised to monitor developments in this area of practice, as the establishment of the NPC may create additional regulatory compliance requirements under the Data Privacy Act.
The law is a welcome development to IT industry operators in the country, especially players in the country’s booming business process outsourcing industry. Recent reports put Manila as the world’s No. 2 outsourcing destination, next only to Bangalore, India. In this light, the Data Privacy Act can be seen as an additional pillar in the country’s IT legal framework and should only strengthen the confidence of industry players.
In September 2012, the Philippines also passed a law dealing with “cybercrimes”. The law, entitled the Cybercrime Prevention Act of 2012 ("Cybercrime Act"), specifically lists thirteen (13) offenses, which include illegal access to a computer system, illegal interception of computer data, data and system interference, misuse of devices, cyber-squatting, computer-related forgery, fraud and identity-theft, cybersex, child pornography, unsolicited commercial communications and libel. Aiding, abetting or attempting to commit any of the listed cybercrime offenses are also criminalized.
In addition to the Data Privacy Act, the Cybercrime Act was intended to update the country’s laws to help address the rise of cybercrime in the country. Recently in fact, the Philippine National Police puts “cyber pornography” as the country’s No. 1 crime, even above illegal drug trade. The Philippine Department of Justice also estimates that about 87% of Filipinos who are online have, in one way or the other, been victims of cybercrimes.
Days after its passage however, and in response to a total of fifteen (15) petitions filed questioning the constitutionality of the law, the Supreme Court of the Philippines issued a 120-day temporary restraining order ("TRO") against the application of the law. The TRO has since been extended indefinitely last February 2013.
The law faced heavy criticism chiefly for including “online libel” as a cybercrime and critics of the law believe this inclusion to be contrary to free speech. The opposition gathered widespread support, and being the “Social Media Capital of the World”, Filipinos rather ironically took to social media to register their disapproval to what has been called the “Cyber Martial Law”. Other provisions which were questioned by the petitions before the Supreme Court were the increase in penalty of all crimes punished by the Revised Penal Code of the Philippines when committed by the “use of information and communications technologies”, and the grant of power to the Department of Justice to “take-down” websites without trial.
On 18 February 2014, a little over a year after oral arguments on the petitions were heard by the High Court, a ruling was finally issued in which the court upheld the constitutionality of a key provision in the Cybercrime Act that criminalizes online libel. While the High Court struck down the provision of the law that gives the state the power to take down online content without a court warrant, it ruled that the provision on online libel that penalizes authors of libelous online content is constitutional. However, it clarified that online libel is unconstitutional insofar as it penalizes those who simply receive the post and react to it. The Court further clarified that recipients who react to a potentially defamatory post will likely not fall under the coverage of the law, provided that the utterance made in reaction to the original post would not itself be defamatory.
The Court also declared the following sections as unconstitutional: Sections 4(c)(3), which penalizes the posting of unsolicited commercial communications (or spam); Section 12, which authorizes the collection or recording of traffic data in real time; Section 19, which authorizes the DOJ to restrict or block access to suspected computer data; Section 5 as far as it penalizes aiding or abetting and attempt in the commission of child pornography (which is covered specifically by the Anti-Child Pornography Act of 2009), unsolicited commercial communications and online libel; and Section 7 which allows for liability under other laws, but only in as far as it authorizes the prosecution of libel and child pornography both under the Cybercrime Act and the Revised Penal Code and the Anti-Child Pornography Act respectively.
The decision is a particularly welcome development in so far as it validates the provisions of the Cybercrime Act which penalizes illegal access to computer systems, illegal interception and interference of computer data and systems and misuse of devices. The distinction between these acts is an expansion of what otherwise would be generally covered under the crime of “hacking” under an older law – the Electronic Commerce Act of 2000. Victims of such offenses would now have a wider latitude of legal options in charging perpetrators under the Cybercrime Act, and offenders will be subject to heavier penalties.
As of 5 March 2014, several motions have already been filed requesting the Supreme Court to reconsider its decision of 18 February 2014. Until the Supreme Court rules otherwise, the decision lifts the restraining order against the Cybercrime Act, and clients are reminded that the said law is now in force and effect in the Philippines.
Bienvenido Marquez Anthony Chadd Concepcion
Quisumbing Torres, Manila Quisumbing Torres, Manila
Associated with Baker & McKenzie Associated with Baker & McKenzie