Philippine privacy regime fails to live up to expectations

14 Oct 2020 12:55 am by Jet Damazo-Santos

Philippine flag

Shortly after the Philippine privacy regulator issued yet another harsh warning this week against privacy violations — this time related to Covid-19 contact-tracing data — members of a private social-media group on data protection issues in the country began raising questions about whether these newly announced probes would lead to anything.

In its statement on Monday related to complaints against 11 establishments, including a mall and a European fast-fashion retailer, the National Privacy Commission, or NPC, warned that violators could be fined up to 5 million pesos (around $100,000) and jailed for up to six years under the Data Privacy Act.

The regulator’s warnings, however, are losing their ability to provoke fear.

That’s not a surprise. No one has been fined or jailed for violations of the 2012 law since the NPC was set up in March 2016. Doubts are deepening about enforcement of the law and what that means for the protection of data-privacy rights in the Philippines.

Of the thousands of complaints and data-breach notifications received by the commission over the past four years, only a handful have known outcomes — none of which have involved any serious consequences. Many cases are marked “resolved,” mostly through mediation, but no information has been released about them.

Consequently, questions are now being raised over whether proposed amendments to the privacy law are needed to enable the NPC to take serious action, or if a lack of political will is what is holding it back.

— Few known decisions —

In response to an information request from MLex, the commission provided data showing it has received 493 data-breach notifications and 2,338 formal complaints from the time it was established in March 2016 until the end of June this year. Some 75 other cases are sua sponte, or initiated by the NPC without any complaints.

But among all these cases, only a fraction of outcomes are known.

When fast food chain Wendy’s saw its website infiltrated in April 2018 and its entire database of over 82,000 records published online, the commission ordered it to submit relevant information, conduct a new privacy-impact assessment and notify the affected customers. Because the company failed to meet the 72-hour breach-notification requirements for data subjects, the commission asked it to explain why “further action should not be taken” against it.

Yet, no known action was taken against it, and nothing has been disclosed about why.

In May 2018, the NPC ordered the country’s largest fast-food company, Jollibee, to suspend its online delivery service site until it fixed a vulnerability that allowed a cybersecurity firm to infiltrate and access the data.

Later in 2018, the commission ordered social-media giant Facebook to provide identity theft and phishing insurance to its 755,973 Philippine-based users affected by the "View As" privacy breach or establish a dedicated help desk for them.

There are no reports on whether Facebook ever complied with that order. MLex asked the regulator for clarification on the status of the case, but a month after the request was made, a spokesperson said the investigation department was still looking for the files or records related to it.

The harshest known outcome of a privacy probe in the country has been against the Commission on Elections in what has been called the biggest government data breach in history. In January 2017, the NPC recommended the criminal prosecution of its chairman, Andres Bautista, for negligence that led to the hacking of its entire database of 55 million registered voters.

That still hasn't happened, and Bautista is now understood to have fled the country amid other election-related controversies.

— ‘Resolved’ cases —

For some of the other cases, the commission says a number have been “resolved,” but that it will not release information on them.

All four complaints received in 2016 have been resolved, as well as 72.9 percent of the 33 complaints filed in 2017, according to the regulator. That means nine complaints from 2017 are still pending.

For 2020, the commission said 58 percent of 237 formal complaints have so far been resolved.

Resolved here means that the commission has “ordered the case closed/terminated or those where approved resolution or decision has been sent to the parties.”

MLex understands that this means the cases were resolved through mediation, and could even involve monetary settlements or civil damages. But many of these settlements involve non-disclosure agreements, and the commission also isn’t keen on publicizing others.

“The commission also respectfully conveys that cases are resolved to uphold the principles enshrined in the Data Privacy Act of 2012 and to ensure that the rights of the data subject are promoted and protected. Consequently, resolutions of the commission shall not be classified as being in favor one of party,” it said in its response to MLex.

But for 2018 and 2019, when the volume of complaints surged to 219 and 1,845, respectively, because of a scam involving online-lending applications — the NPC’s most public and high-profile investigation — no statistics have been provided on how many have been resolved so far.

— Pending cases —

In its last updates about the case last year, the NPC said 16 individuals behind three online-lending firms may be prosecuted for unauthorized data processing and maliciously disclosing these to shame borrowers who defaulted on payments and that it had ordered the shutdown of 26 online lending apps whose operators failed to answer allegations filed by complainants.

In addition to this, among these pending cases could be one of the country’s biggest data breaches involving a company in 2019 — the exposure of the personal data of 900,000 clients of Philippine-based pawn shop and money transfer service provider Cebuana Lhuiller. In its only official statement about the case, the regulator said it was waiting for “further details as to scope and severity of the breach.”

Pending cases could also include the November 2018 Cathay Pacific data breach affecting 9.4 million customers — including over 100,000 Philippine subjects — for which the company was ordered to explain its failure to meet breach-notification deadlines.

The commission order reminded the company that non-disclosure can give rise to criminal
liability, with Privacy Commissioner Raymund Enriquez Liboro saying it would work closely with counterparts in other jurisdictions to investigate the case. Hong Kong has since issued an enforcement notice while the UK's data protection authority fined the company 500,000 pounds ($639,000).

— Negative perception —

All of these examples lead to a growing perception that companies can get away with being negligent in their data-protection practices in the Philippines — an ironic development given that the country has one of the most stringent data-privacy laws in the Asia-Pacific region.

The country is in fact home to tens of thousands of data-protection officers, or DPOs, in line with the law’s requirement and the commission’s active awareness campaign and frequent workshops and briefing events.

The Philippines also co-leads an initiative with Singapore to harmonize the legal and regulatory data-protection landscapes in the Association of Southeast Asian Nations, or Asean. Liboro was even named head of the Global Privacy Assembly’s Covid-19 Taskforce, which indicates the prominence of the country’s regulator.

“If you are a regular average Filipino who knows little about data privacy, the press releases from the NPC create the impression that the NPC is doing a good job and is very active,” Ali Flores, an active member of a private Facebook group on Philippine data-privacy issues, told MLex.

“But if you are into the data-privacy line of work, such as a data protection officer, the lack of transparency or the lack of publicly available information on enforcement makes it seem that companies can get away with any data privacy-related violations,” Flores said.

He added that the lack of transparency on enforcement efforts also creates an impression among would-be complainants that their data privacy-related complaint will fall on deaf ears.

Jam Jacob, a former NPC director and currently the data-protection officer of the Ateneo de Manila University, also told MLex it’s now getting harder to convince other organizations why they have to take data protection seriously in the country.

“When they ask me what will happen to them if they don’t comply, all I can say is that they can face criminal charges,” he told MLex. “But then, they ask if anyone has been prosecuted or jailed. And I have to tell them that, as far as I know, there’s none.”

— Weak enforcement —

Is it just an issue of transparency? Or is the lack of transparency because there’s actually not a lot to report?

“If monetary settlements or civil damages have already been awarded, why is the NPC not publishing such decisions for awareness?” Flores asked, citing the practices of regulators in Singapore and New Zealand. “If privacy of the complainant or respondent is an issue, the NPC can pseudonymize if needed.”

In the NPC’s response to MLex, it gave a blanket statement: “Of the above-mentioned complaints received, please be informed that the commission is addressing and/or resolving all the privacy concerns (queries), breach, and sua sponte.”

But current and former NPC officials and staff have admitted that many cases do progress slowly, largely because of the limited resources they have to deal with the volume of complaints they receive.

The fact that the investigation division could not provide a quick response to a question from MLex on the status of high-profile cases involving Facebook perhaps indicates the state of probes in the commission. There are also anecdotes of complaints and queries filed over a year ago that still have no response until today.

On the question of fines, another reason the NPC has never issued any them is that — more than four years after it was established — it has yet to release a circular outlining a schedule of fines.

The reason as to why is not so simple.

— A fine question —

While the data-privacy law outlines the criminal penalties that courts can impose on violators, it does not expressly state that the commission can impose administrative fines.

Provisions on the issuance of administrative fines appear in the law’s implementing rules and regulations, but not in the actual law.

“Back then, our agreement was that when we read the law, the power or authority to impose administrative sanctions was implicit,” Jacob, who was part of the team that drafted the law’s implementing regulations, explained.

“The agreement was to release a schedule of fines to inform entities and organizations what to expect, but that hasn't been released,” Jacob said.

Roren Chin, an NPC press officer, told MLex they expect to release a circular about the proposed schedule of fines by “the end of the year” — the same phrase Liboro used early last year, when he said enforcement would take a central role for the regulator in 2019.

But MLex understands that this is a legal question currently being studied by the commission.

A proposed amendment to the law filed in the House of Representatives seeks to address this question by adding a provision that specifically authorizes the NPC to impose administrative fines of up to 5 million pesos (around $100,000) per violation. The bill, though, is still in committee-level deliberations and could likely take a long time before it gets passed into law.

Further complicating matters is the fact that Liboro, who was appointed chairman of the commission in March 2016 to a three-year term and is eligible to be reappointed for another three-year term, has not yet been formally reappointed.

The government’s silence on Liboro’s reappointment could even be an indication of how little priority it gives data-protection matters.

The Philippines’ data-privacy regime, therefore, appears to be in several waiting games: A wait for the chairman’s position to be confirmed, a wait for cases to be resolved and clarity on the ability to issue fines, and a wait for legal amendments to sort all this out.

Until then, threats of consequences for violations under the harshest data-privacy law in the region will likely continue to have little impact.

Related Articles