Liable or Not Liable: In the Light of the Data Privacy Act

“The right to be let alone is indeed the beginning of all freedom. As a matter of fact, this right is the most comprehensive of rights and the right most valued by civilized men”

This principle might have guided the policymakers who crafted and enacted the Data Privacy Act of 2012 (“The Act”). It is also worth mentioning that since the landmark case of Morfe vs. Mutuc[i] in 1968, the Judiciary has long been aware that “all the forces of a technological age — industrialization, urbanization, and organization — operate to narrow the area of privacy and facilitate intrusion into it”.

With rapid technological developments and globalization, the scale of data sharing and collecting has increased spectacularly. Technology allows both private companies and even public authorities to make use of personal information on an unprecedented scale in order to pursue their activities. Technology has transformed both the economy and social life. This poses a challenge to further facilitate the free flow of data within the country and the transfer to third countries, while ensuring a high level of protection of personal data.[ii]

It is also beyond question that one of the raisons d’être of the Act is boosting the competitiveness of the country’s information technology and business process outsourcing (IT-BPO) industry as it enhances trust and confidence in electronic commerce and transactions. Corollary to this is, as Senator Edgardo Angara, one of the sponsors of Senate Bill No. 2965 (now RA 10173), has said, “not constraining the rapid growth of the IT-BPO sector, our sunshine industry”.[iii]

Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, became law when it was signed by President Benigno Aquino III on August 15, 2012 and took effect on September 8, 2012, 15 days after its publication. The intention of the law is explicitly provided in its Declaration of Policy under its Section 2.[iv]

Zones of privacy are recognized and protected by the Constitution[v] and statutes of the Philippines. The Civil Code provides that “every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another. It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person, and recognizes the privacy of letters and other private communications. The Revised Penal Code makes a crime the violation of secrets by an officer, the revelation of trade and industrial secrets, and trespass to dwelling. Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposits Act and the Intellectual Property Code. The Rules of Court on privileged communication likewise recognize the privacy of certain information[vi]. Although the protection of a person’s right to privacy has been embedded in these laws, The Act is said to be the first data privacy law as the same specifically deals with the protection of a person’s personal information.[vii]

To resolve the question of whether or not a person (A) who gave the mobile number of another person (B) without the latter’s consent to a third person (C) violated the Data Privacy Act of 2012 (“The Issue”), an incisive analysis of the Act is required.

The Issue may be dissected into the following:

  1. Whether or not a person’s mobile number is within the definition of personal, sensitive, or privileged information.
  2. Whether or not the person (A) giving the mobile number is considered an information processor, a controller, or a mere processor or user of personal information for personal, family or household purposes.
  3. Whether or not processing of information includes disclosure of information.
  4. Whether or not the mere giving of the mobile number of a person (A) without his consent is a violation of The Act.

I. A person’s mobile number is considered personal information. However, it is neither sensitive nor privileged.

Personal information as defined by Section 3(g) of The Act is “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”. This includes residential address, place of birth, amount of salary, among others.[viii] The Act further describes under its Section 3(l) sensitive information as personal information on a person’s marital status, age, religious affiliation, health, education, and tax returns. It also includes information issued by government agencies peculiar to an individual such as tax identification and social security numbers, and licenses or their denial, suspension or revocation. Information established by an executive order or an act of Congress to be kept classified is also covered. Privileged information under its Section 3(k), on the other hand, refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

In the case of US vs. Bustos[ix], a communication made bona fide upon any subject matter in which the party communicating has an interest, or in reference to which he has a duty, is privileged if made to a person having a corresponding interest or duty. The test of whether or not a communication is privileged is provided in the case of People vs. Hogan[x]: said communication must be by, and to, one who has the right, duty, or interest in the subject. Moreover, the Rules of Evidence enumerate the privileged communications. These include marital communications, communications arising from attorney-client, physician-patient, and priest-penitent relationships, as well as state secrets[xi].

It is significant to note the information which is not classified as personal information. This is information that relates to the positions or functions of an incumbent or former government officer or employee, and information on government contractors or service providers on the performance of such services. The Act likewise does not apply to information used for journalistic, artistic, literary or research purposes and that necessary to carry out the official functions of monetary authorities and law enforcement and regulatory agencies in pursuit of their legal mandate[xii].

The Act stratifies personal information into ordinary, sensitive and privileged. The acts penalized and the gravity of the penalty imposed by The Act depend upon what kind of information is involved. Given the above definitions and enumerations, the author is of the humble view that a person’s mobile number is considered personal information. The Act defined personal information open-endedly, without limiting it to the specifics. Personal information can be recorded or not; in this instance, a mobile number may be registered in the service provider’s database if it is a postpaid number, or may not be recorded, as in the case where it is a prepaid number. It can be inferred from the language of the Act that for information to fall within the definition, it is sufficient that said information can be linked or associated to the owner of the same by the entity holding the information.

Apparently, a person’s mobile number is not sensitive information as defined by the Act as the same specifically enumerates which information falls within the term. Likewise, it is not privileged personal information as defined by the laws and jurisprudence.

II. A person may be an information controller, information processor or mere collector, holder, processor or user of personal information for personal, family or household purposes.

Section 4 of The Act defines the scope where the same may be applicable. Clearly, it applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines.

Section 3(h) of the Act defines personal information controller as a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes a person or organization that performs such functions as instructed by another person or organization[xiii]. In the same vein, a mere collector, holder, or processor of personal information in connection with the individual’s personal, family or household affairs[xiv] is also excluded from the term. Personal information processor, on the other hand, refers to any natural or juridical person to whom a personal information controller may outsource the processing of personal data pertaining to a data subject[xv].

The scope of the Act thus being settled, it can be concluded that only the personal information controller and personal information processor who performs all the functions of collecting, holding, processing or using personal information on behalf of another can be held liable for violation of the Act and not the subcontractor or the personal information processor that performs these functions independently on instructions given by the former, or a mere collector, holder, or processor of said information in connection with the individual’s personal, family or household affairs.

Hence, A may be held liable for violation of this Act if he or such entity is a personal information controller or a personal information processor who performs all the functions of collecting, holding, processing or using personal information on behalf of another. Conversely, if A is a mere person or organization who was instructed to do such functions by a personal information controller or processor, or a mere user, holder, or processor in connection with the individual’s personal, family or household affairs, A will be exculpated.

III. Processing of information includes disclosure thereof.

Under the Act, personal information is processed when it is collected, recorded, organized, stored, updated, modified, retrieved, consulted, used, consolidated, blocked, erased, or destroyed, or when other operations or sets of operations to that effect are performed on it.[xvi]

The Act enumerates instances when there is processing of personal information. Like the definition of personal information, “processing” is defined therein in wide terms. This is clearly deduced from its phrases “ANY operation or ANY set of operations performed upon personal information” and “but not limited to”.

According to Sen. Angara, the Act was based heavily on Directive 95/46/EC of the European Parliament and Council and is at par with the Asia Pacific Economic Cooperation (APEC) Information Privacy Framework standards.[xvii] It is well-settled that in order to ascertain the meaning or intention of a piece of legislation, resort may be had to a similar legislation in a foreign country which was used as reference in passing the law in question. Under Section 2(a) of the Data Protection Directive of the European Parliament (officially Directive 95/46/EC), processing means “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”. It is noticeable that disclosure of information is necessarily included in the term “processing”.

Given these, it can be reasonably gathered that disclosure of personal information is a means of processing the same.

IV. Mere disclosing of personal information is not violative of this Act.

The Act penalizes Unauthorized Processing of Personal Information and Sensitive Personal Information[xviii], Accessing Personal Information and Sensitive Personal Information Due to Negligence[xix], Improper Disposal of Personal Information and Sensitive Personal Information[xx], Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes[xxi], Unauthorized Access or Intentional Breach[xxii], Concealment of Security Breaches Involving Sensitive Personal Information[xxiii], Malicious Disclosure[xxiv], Unauthorized Disclosure[xxv] and any combination of the aforementioned acts[xxvi].

The Act castigates two kinds of disclosure: Malicious Disclosure and Unauthorized Disclosure. Section 31 thereof punishes malicious disclosure. Under it, any personal information controller or personal information processor, or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her is liable under the Act.

In the issue at hand, A, a controller or processor who had obtained the mobile number of B and who, maliciously and in bad faith, unwarrantedly and without B’s consent, discloses the same to C, may be liable under Section 31 of the Act, to wit:[xxvii]

Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

A reading of Section 32 of the Act reveals that mere disclosure by a personal information controller or processor, or any of its officials, employees or agents, without the consent of the data subject is a violation of the same.

However, this is not without exceptions. Personal information may be disclosed or processed even without the consent of the data subject. Section 12 provides that processing of said information is permitted, if not otherwise prohibited by law, in the following instances:

  1. When it is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
  2. When it is necessary for compliance with a legal obligation to which the personal information controller is subject;
  3. When it is necessary to protect vitally important interests of the data subject, including life and health;
  4. When it is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
  5. When it is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Applying this to the issue, if A discloses the mobile number of B to C in the instances mentioned, even without B’s consent, A may not be liable under the Act.

V. Conclusion

The main thrust of the Data Privacy Act of 2012 is to promote confidence in the country’s sunshine industry, the Information Technology and Business Process Outsourcing (IT-BPO) industry, without compromising the citizen’s right to privacy and communication. It provides a mandate to public and private institutions to safeguard the integrity, security and confidentiality of personal information collected and processed in the course of their operations. It draws demarcation lines between the different kinds of personal information and classifies the persons who may or may not be held liable. The Act also provides a different gravity of penalty for each violation.

It is an elementary principle that to be held liable under any penal law, the act or acts committed by a person must squarely fall within the ambit of such law. In order for a person to be held liable under the Act, the information must not be just any information but must be personal information, sensitive personal information or privileged personal information. The person who committed the prohibited acts must be a personal information controller or a personal information processor, as defined by the Act, in order that he or such entity may be prosecuted. The prohibited acts and the elements constituting such prohibition are also detailed in Sections 25 to 33 thereof. The elements must all be present in order for a person to be held liable.

In the issue herein presented, on whether or not a person who gave the mobile number of another person without the latter’s consent to a third person violated the Data Privacy Act of 2012, the answer will not be in the absolute positive or negative. The same necessitates qualification and examination of the facts attending the circumstances, such as the person involved and the manner and situation in which the said personal information was given, among others.

To end this perspective, the author shares the view of Sen. Angara when he said, “We want to strike the right balance by ensuring that the proposed measure does not overreach its intentions to improve data privacy in the country. The policies that protect our information should not be the same policies that stop us from putting this information to good use.”


[i] 130 Phil. 415; 22 SCRA 424

[ii] Proposal for a Regulation of the European Parliament and of the Council (2012). Retrieved last 04 July 2013 from http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

[iii] Senate Press Release (2011). Senate Committee Weighs-up Implications of Data Privacy Act. Retrieved last 04 July 2013 from http://www.senate.gov.ph/press_release/2011/0720_angara1.asp

[iv] Sec. 2. It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

[v] Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.

Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.

x x x           x x x          x x x

Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health as may be provided by law.

x x x           x x x          x x x

Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.

Sec. 17. No person shall be compelled to be a witness against himself.

[vi] Gamboa vs. Chan, G.R. No. 193636, 24 July 2012

[vii] Rosell, L. and Tomarong-Cañabano, S. (2012), ANALYSIS: The Philippines’ Data Privacy Act Of 2012, World Data Protection Report. Retrieved last 30 June 2013 from http://www.globallawwatch.com/2012/09/analysis-the-philippines-data-privacy-act-of-2012/

[viii] Visto, C.S. (2012). The protection of personal information, Business World Online.  Retrieved last 1 July 2013 from http://www.bworldonline.com/app_content.php?section=Economy&title=The-protection-ofpersonal information &id=64572

[ix] G.R. No. L-12592, March 8, 1918

[x] 20067-R, September 30, 1958

[xi] Silahis Marketing Corporation vs. Navarro, 11163-SP, February 26, 1981

[xii] Sec. 4

[xiii] Sec. 3(h.1)

[xiv] Sec. 3(h.2)

[xv] Sec. 3(i)

[xvi] Sec. 3(j)

[xvii] Buenaventura (2012): Senate approves Data Privacy Act on Third Reading. Retrieved last 3 July 2013 from http://www.senate.gov.ph/press_release/2012/0320_prib1.asp.

[xviii] Sec. 25

[xix] Sec. 26

[xx] Sec. 27

[xxi] Sec. 28

[xxii] Sec. 29

[xxiii] Sec. 30

[xxiv] Sec. 31

[xxv] Sec. 32

[xxvi] Sec. 33