[REPUBLIC ACT NO. 10173]
CHAPTER I
GENERAL PROVISIONS
SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”.
SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall
have the respective meanings hereafter set forth:
(a) Commission shall refer to the National Privacy Commission created by virtue of
this Act.
(b) Consent of the data subject refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and
processing of personal information about and/or relating to him or her. Consent
shall be evidenced by written, electronic or recorded means. It may also be given
on behalf of the data subject by an agent specifically authorized by the data
subject to do so.
(e) Filing system refers to any act of information relating to natural or juridical
persons to the extent that, although the information is not processed by equipment
operating automatically in response to instructions given for that purpose, the set is
structured, either by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular person is
readily accessible.
(i) Personal information processor refers to any natural or juridical person qualified
to act as such under this Act to whom a personal information controller may
outsource the processing of personal data pertaining to a data subject.
(j) Processing refers to any operation or any set of operations performed upon
personal information including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.
(k) Privileged information refers to any and all forms of data which under the Rules
of Court and other pertinent laws constitute privileged communication.
(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
SEC. 4. Scope. – This Act applies to the processing of all types of personal
information and to any natural and juridical person involved in personal
information processing including those personal information controllers and
processors who, although not found or established in the Philippines, use
equipment that are located in the Philippines, or those who maintain an office,
branch or agency in the Philippines subject to the immediately succeeding
paragraph: Provided, That the requirements of Section 5 are complied with.
(1) The fact that the individual is or was an officer or employee of the government
institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the
individual; and
(4) The name of the individual on a document prepared by the individual in the
course of employment with the government;
(e) Information necessary in order to carry out the functions of public authority
which includes the processing of personal data for the performance by the
independent, central monetary authority and law enforcement and regulatory
agencies of their constitutionally and statutorily mandated functions. Nothing in
this Act shall be construed as to have amended or repealed Republic Act No.
1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426,
otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money Laundering Act and other
applicable laws; and
SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act
shall be construed as to have amended or repealed the provisions of Republic Act
No. 53, which affords the publishers, editors or duly accredited reporters of any
newspaper, magazine or periodical of general circulation protection from being
compelled to reveal the source of any news report or information appearing in
said publication which was related in any confidence to such publisher, editor, or
reporter.
(b) The entity has a link with the Philippines, and the entity is processing personal
information in the Philippines or even if the processing is outside the Philippines as
long as it is about Philippine citizens or residents such as, but not limited to, the
following:
(2) A juridical entity unincorporated in the Philippines but has central management
and control in the country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity has access to personal information;
and
(c) The entity has other links in the Philippines such as, but not limited to:
(2) The personal information was collected or held by an entity in the Philippines.
CHAPTER II
THE NATIONAL PRIVACY COMMISSION
(a) Ensure compliance of personal information controllers with the provisions of this
Act;
(c) Issue cease and desist orders, impose a temporary or permanent ban on the
processing of personal information, upon finding that the processing will be
detrimental to national security and public interest;
(f) Coordinate with other government agencies and the private sector on efforts to
formulate and implement plans and policies to strengthen the protection of
personal information in the country;
(g) Publish on a regular basis a guide to all laws relating to data protection;
(h) Publish a compilation of agency system of records and notices, including index
and other finding aids;
(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition
of penalties specified in Sections 25 to 29 of this Act;
(n) Ensure proper and effective coordination with data privacy regulators in other
countries and private accountability agents, participate in international and
regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy authorities of other countries
for cross-border application and implementation of respective privacy laws;
SEC. 8. Confidentiality. – The Commission shall ensure at all times the confidentiality
of any personal information that comes to its knowledge and possession.
The Privacy Commissioner must be at least thirty-five (35) years of age and of good
moral character, unquestionable integrity and known probity, and a recognized
expert in the field of information technology and data privacy. The Privacy
Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the
rank of Secretary.
The Deputy Privacy Commissioners must be recognized experts in the field of
information and communications technology and data privacy. They shall enjoy
the benefits, privileges and emoluments equivalent to the rank of Undersecretary.
CHAPTER III
PROCESSING OF PERSONAL INFORMATION
SEC. 11. General Data Privacy Principles. – The processing of personal information
shall be allowed, subject to compliance with the requirements of this Act and
other laws allowing disclosure of information to the public and adherence to the
principles of transparency, legitimate purpose and proportionality.
(a) Collected for specified and legitimate purposes determined and declared
before, or as soon as reasonably practicable after collection, and later processed
in a way compatible with such declared, specified and legitimate purposes only;
(c) Accurate, relevant and, where necessary for purposes for which it is to be used
the processing of personal information, kept up to date; inaccurate or incomplete
data must be rectified, supplemented, destroyed or their further processing
restricted;
(d) Adequate and not excessive in relation to the purposes for which they are
collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for
which the data was obtained or for the establishment, exercise or defense of legal
claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the data were collected and
processed: Provided, That personal information collected for other purposes may
be processed for historical, statistical or scientific purposes, and in cases laid down
in law may be stored for longer periods: Provided, further, That adequate
safeguards are guaranteed by said laws authorizing their processing.
SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of
personal information shall be permitted only if not otherwise prohibited by law, and
when at least one of the following conditions exists:
(c) The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data
subject, including life and health;
(f) The processing is necessary for the purposes of the legitimate interests pursued
by the personal information controller or by a third party or parties to whom the
data is disclosed, except where such interests are overridden by fundamental
rights and freedoms of the data subject which require protection under the
Philippine Constitution.
SEC. 13. Sensitive Personal Information and Privileged Information. – The processing
of sensitive personal information and privileged information shall be prohibited,
except in the following cases:
(a) The data subject has given his or her consent, specific to the purpose prior to
the processing, or in the case of privileged information, all parties to the exchange
have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee the protection
of the sensitive personal information and the privileged information: Provided,
further, That the consent of the data subjects are not required by law or regulation
permitting the processing of the sensitive personal information or the privileged
information;
(c) The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express his
or her consent prior to the processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by
a medical practitioner or a medical treatment institution, and an adequate level
of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in court
proceedings, or the establishment, exercise or defense of legal claims, or when
provided to government or public authority.
CHAPTER IV
RIGHTS OF THE DATA SUBJECT
SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
(a) Be informed whether personal information pertaining to him or her shall be, are
being or have been processed;
(b) Be furnished the information indicated hereunder before the entry of his or her
personal information into the processing system of the personal information
controller, or at the next practical opportunity:
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its
representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to
lodge a complaint before the Commission.
(6) Information on automated processes where the data will or likely to be made
as the sole basis for any decision significantly affecting or will affect the data
subject;
(7) Date when his or her personal information concerning the data subject were
last accessed and modified; and
(8) The designation, or name or identity and address of the personal information
controller;
(d) Dispute the inaccuracy or error in the personal information and have the
personal information controller correct it immediately and accordingly, unless the
request is vexatious or otherwise unreasonable. If the personal information have
been corrected, the personal information controller shall ensure the accessibility of
both the new and the retracted information and the simultaneous receipt of the
new and the retracted information by recipients thereof: Provided, That the third
parties who have previously received such processed personal information shall be
informed of its inaccuracy and its rectification upon reasonable request of the
data subject;
(e) Suspend, withdraw or order the blocking, removal or destruction of his or her
personal information from the personal information controller’s filing system upon
discovery and substantial proof that the personal information are incomplete,
outdated, false, unlawfully obtained, used for unauthorized purposes or are no
longer necessary for the purposes for which they were collected. In this case, the
personal information controller may notify third parties who have previously
received such processed personal information; and
(f) Be indemnified for any damages sustained due to such inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal information.
SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns
of the data subject may invoke the rights of the data subject for which he or she is
an heir or assignee at any time after the death of the data subject or when the
data subject is incapacitated or incapable of exercising the rights as enumerated
in the immediately preceding section.
SEC. 18. Right to Data Portability. – The data subject shall have the right, where
personal information is processed by electronic means and in a structured and
commonly used format, to obtain from the personal information controller a copy
of data undergoing processing in an electronic or structured format, which is
commonly used and allows for further use by the data subject. The Commission
may specify the electronic format referred to above, as well as the technical
standards, modalities and procedures for their transfer.
CHAPTER V
SECURITY OF PERSONAL INFORMATION
SEC. 20. Security of Personal Information. – (a) The personal information controller
must implement reasonable and appropriate organizational, physical and
technical measures intended for the protection of personal information against
any accidental or unlawful destruction, alteration and disclosure, as well as against
any other unlawful processing.
(c) The determination of the appropriate level of security under this section must
take into account the nature of the personal information to be protected, the risks
represented by the processing, the size of the organization and complexity of its
operations, current data privacy best practices and the cost of security
implementation. Subject to guidelines as the Commission may issue from time to
time, the measures implemented must include:
(4) Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a
security breach.
(d) The personal information controller must further ensure that third parties
processing personal information on its behalf shall implement the security measures
required by this provision.
(2) The Commission may exempt a personal information controller from notification
where, in its reasonable judgment, such notification would not be in the public
interest or in the interests of the affected data subjects.
CHAPTER VI
ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
(a) The personal information controller is accountable for complying with the
requirements of this Act and shall use contractual or other reasonable means to
provide a comparable level of protection while the information are being
processed by a third party.
CHAPTER VII
SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT
(1) Deadline for Approval or Disapproval – In the case of any request submitted to
the head of an agency, such head of the agency shall approve or disapprove the
request within two (2) business days after the date of submission of the request. In
case there is no action by the head of the agency, then such request is
considered disapproved;
(2) Limitation to One thousand (1,000) Records – If a request is approved, the head
of the agency shall limit the access to not more than one thousand (1,000) records
at a time; and
The requirements of this subsection shall be implemented not later than six (6)
months after the date of the enactment of this Act.
CHAPTER VIII
PENALTIES
SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal
Information. – (a) The unauthorized processing of personal information shall be
penalized by imprisonment ranging from one (1) year to three (3) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons who process
personal information without the consent of the data subject, or without being
authorized under this Act or any existing law.
SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to
Negligence. – (a) Accessing personal information due to negligence shall be
penalized by imprisonment ranging from one (1) year to three (3) years and a fine
of not less than Five hundred thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to
negligence, provided access to personal information without being authorized
under this Act or any existing law.
SEC. 28. Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes. – The processing of personal information for unauthorized
purposes shall be penalized by imprisonment ranging from one (1) year and six (6)
months to five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons processing personal information for purposes not authorized
by the data subject, or otherwise authorized under this Act or under existing laws.
SEC. 35. Large-Scale. – The maximum penalty in the scale of penalties respectively
provided for the preceding offenses shall be imposed when the personal
information of at least one hundred (100) persons is harmed, affected or involved
as the result of the above mentioned actions.
SEC. 36. Offense Committed by Public Officer. – When the offender or the person
responsible for the offense is a public officer as defined in the Administrative Code
of the Philippines in the exercise of his or her duties, an accessory penalty
consisting in the disqualification to occupy public office for a term double the term
of criminal penalty imposed shall be applied.
SEC. 37. Restitution. – Restitution for any aggrieved party shall be governed by the
provisions of the New Civil Code.
CHAPTER IX
MISCELLANEOUS PROVISIONS
SEC. 38. Interpretation. – Any doubt in the interpretation of any provision of this Act
shall be liberally interpreted in a manner mindful of the rights and interests of the
individual about whom personal information is processed.
SEC. 39. Implementing Rules and Regulations (IRR). – Within ninety (90) days from
the effectivity of this Act, the Commission shall promulgate the rules and
regulations to effectively implement the provisions of this Act.
SEC. 40. Reports and Information. – The Commission shall annually report to the
President and Congress on its activities in carrying out the provisions of this Act. The
Commission shall undertake whatever efforts it may determine to be necessary or
appropriate to inform and educate the public of data privacy, data protection
and fair information rights and responsibilities.
SEC. 41. Appropriations Clause. – The Commission shall be provided with an initial
appropriation of Twenty million pesos (Php20,000,000.00) to be drawn from the
national government. Appropriations for the succeeding years shall be included in
the General Appropriations Act. It shall likewise receive Ten million pesos
(Php10,000,000.00) per year for five (5) years upon implementation of this Act
drawn from the national government.
SEC. 42. Transitory Provision. – Existing industries, businesses and offices affected by
the implementation of this Act shall be given one (1) year transitory period from
the effectivity of the IRR or such other period as may be determined by the
Commission, to comply with the requirements of this Act.
In case that the DICT has not yet been created by the time the law takes full force
and effect, the National Privacy Commission shall be attached to the Office of the
President.
SEC. 43. Separability Clause. – If any provision or part hereof is held invalid or
unconstitutional, the remainder of the law or the provision not otherwise affected
shall remain valid and subsisting.
SEC. 44. Repealing Clause. – The provision of Section 7 of Republic Act No. 9372,
otherwise known as the “Human Security Act of 2007”, is hereby amended. Except
as otherwise expressly provided in this Act, all other laws, decrees, executive
orders, proclamations and administrative regulations or parts thereof inconsistent
herewith are hereby repealed or modified accordingly.
SEC. 45. Effectivity Clause. – This Act shall take effect fifteen (15) days after its
publication in at least two (2) national newspapers of general circulation.
Implementing Rules and Regulations of Republic Act No. 10173, known as the
“Data Privacy Act of 2012”
1. Title
2. Policy
3. Definitions
4. Scope
5. Special Cases
6. Protection afforded to data subjects
7. Protection afforded to journalists and their sources
8. Mandate
9. Functions
10. Administrative Issuances
11. Reports and Public Information
12. Confidentiality of Personal Data
13. Organizational Structure
14. Secretariat
15. Effect of Lawful Performance of Duty
16. Magna Carta for Science and Technology Personnel
66. Appeal
67. Period for Compliance
68. Appropriations Clause
69. Interpretation
70. Separability Clause
71. Repealing Clause
72. Effectivity Clause
Section 1. Title. These rules and regulations shall be known as the “Implementing
Rules and Regulations of the Data Privacy Act of 2012”, or the “Rules”.
Section 2. Policy. These Rules further enforce the Data Privacy Act and adopt generally
accepted international principles and standards for personal data protection.
They safeguard the fundamental human right of every individual to privacy while
ensuring free flow of information for innovation, growth, and national
development. These Rules also recognize the vital role of information and
communications technology in nation-building and enforce the State’s inherent
obligation to ensure that personal data in information and communications
systems in the government and in the private sector are secured and protected.
Section 3. Definitions. Whenever used in these Rules, the following terms shall have
the respective meanings hereafter set forth:
a. “Act” refers to Republic Act No. 10173, also known as the Data Privacy Act
of 2012;
2. A natural person who processes personal data in connection with his or her
personal, family, or household affairs;
There is control if the natural or juridical person or any other body decides on what
information is collected, or the purpose or extent of its processing;
q. “Privileged information” refers to any and all forms of data, which, under
the Rules of Court and other pertinent laws constitute privileged communication;
1. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person,
or to any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the sentence
of any court in such proceedings;
Section 4. Scope. The Act and these Rules apply to the processing of personal
data by any natural and juridical person in the government or private sector. They
apply to an act done or practice engaged in and outside of the Philippines if:
a. The natural or juridical person involved in the processing of personal data
is found or established in the Philippines;
Section 5. Special Cases. The Act and these Rules shall not apply to the following
specified information, only to the minimum extent of collection, access, use,
disclosure or other processing necessary to the purpose, function, or activity
concerned:
a. Information processed for purpose of allowing public access to
information that fall within matters of public concern, pertaining to:
(a) The fact that the individual is or was an officer or employee of the
government;
(b) The title, office address, and office telephone number of the individual;
(c) The classification, salary range, and responsibilities of the position held by
the individual; and
(d) The name of the individual on a document he or she prepared in the course
of his or her employment with the government;
Provided, that the non-applicability of the Act or these Rules do not extend to
personal information controllers or personal information processors, who remain
subject to the requirements of implementing security measures for personal data
protection: Provided further, that the processing of the information provided in the
preceding paragraphs shall be exempted from the requirements of the Act only to
the minimum extent necessary to achieve the specific purpose, function, or
activity.
Section 6. Protection afforded to Data Subjects.
a. Unless directly incompatible or inconsistent with the preceding sections in
relation to the purpose, function, or activities the non-applicability concerns, the
personal information controller or personal information processor shall uphold the
rights of data subjects, and adhere to general data privacy principles and the
requirements of lawful processing.
b. The burden of proving that the Act and these Rules are not applicable to
a particular information falls on those involved in the processing of personal data
or the party claiming the non-applicability.
6. Imposing administrative fines for violations of the Act, these Rules, and
other issuances of the Commission.
g. Other functions. The Commission shall exercise such other functions as may
be necessary to fulfill its mandate under the Act.
Section 10. Administrative Issuances. The Commission shall publish or issue official
directives and administrative issuances, orders, and circulars, which include:
a. Rules of procedure in the exercise of its quasi-judicial functions, subject to
the suppletory application of the Rules of Court;
Section 11. Reports and Information. The Commission shall report annually to the
President and Congress regarding its activities in carrying out the provisions of the
Act, these Rules, and its other issuances. It shall undertake all efforts it deems
necessary or appropriate to inform and educate the public of data privacy, data
protection, and fair information rights and responsibilities.
Section 12. Confidentiality of Personal Data. Members, employees, and consultants of the
Commission shall ensure at all times the confidentiality of any personal data that
come to their knowledge and possession: Provided, that such duty of
confidentiality shall remain even after their term, employment, or contract has
ended.
Section 13. Organizational Structure. The Commission is attached to the
Department of Information and Communications Technology for policy and
program coordination in accordance with Section 38(3) of Executive Order No.
292, series of 1987, also known as the Administrative Code of 1987. The Commission
shall remain completely independent in the performance of its functions. The
Commission shall be headed by a Privacy Commissioner, who shall act as
Chairman of the Commission. The Privacy Commissioner must be at least thirty-five
(35) years of age and of good moral character, unquestionable integrity and
known probity, and a recognized expert in the field of information technology and
data privacy. The Privacy Commissioner shall enjoy the benefits, privileges, and
emoluments equivalent to the rank of Secretary. The Privacy Commissioner shall be
assisted by two (2) Deputy Privacy Commissioners. One shall be responsible for
Data Processing Systems, while the other shall be responsible for Policies and
Planning. The Deputy Privacy Commissioners must be recognized experts in the
field of information and communications technology and data privacy. They shall
enjoy the benefits, privileges, and emoluments equivalent to the rank of
Undersecretary.
Section 14. Secretariat. The Commission is authorized to establish a
Secretariat, which shall assist in the performance of its functions. The Secretariat
shall be headed by an Executive Director and shall be organized according to the
following offices:
a. Data Security and Compliance Office;
Section 17. General Data Privacy Principles. The processing of personal data shall
be allowed, subject to compliance with the requirements of the Act and other
laws allowing disclosure of information to the public, and adherence to the
principles of transparency, legitimate purpose, and proportionality.
Section 18. Principles of Transparency, Legitimate Purpose and Proportionality. The
processing of personal data shall be allowed subject to adherence to the
principles of transparency, legitimate purpose, and proportionality.
a. Transparency. The data subject must be aware of the nature, purpose,
and extent of the processing of his or her personal data, including the risks and
safeguards involved, the identity of personal information controller, his or her rights
as a data subject, and how these can be exercised. Any information and
communication relating to the processing of personal data should be easy to
access and understand, using clear and plain language.
1. Processing shall uphold the rights of the data subject, including the right to
refuse, withdraw consent, or object. It shall likewise be transparent, and allow the
data subject sufficient information to know the nature and extent of processing.
(a) for the fulfillment of the declared, specified, and legitimate purpose, or
when the processing relevant to the purpose has been terminated;
(c) for legitimate business purposes, which must be consistent with standards
followed by the applicable industry or approved by appropriate government
agency.
Section 20. General Principles for Data Sharing. Further Processing of Personal Data
collected from a party other than the Data Subject shall be allowed under any of
the following conditions:
a. Data sharing shall be allowed when it is expressly authorized by
law: Provided, that there are adequate safeguards for data privacy and security,
and processing adheres to principle of transparency, legitimate purpose and
proportionality.
b. Data Sharing shall be allowed in the private sector if the data subject
consents to data sharing, and the following conditions are complied with:
1. Consent for data sharing shall be required even when the data is to be
shared with an affiliate or mother company, or similar relationships;
2. Data sharing for commercial purposes, including direct marketing, shall be
covered by a data sharing agreement.
(a) The data sharing agreement shall establish adequate safeguards for data
privacy and security, and uphold rights of data subjects.
(b) The data sharing agreement shall be subject to review by the Commission,
on its own initiative or upon complaint of data subject;
3. The data subject shall be provided with the following information prior to
collection or before data is shared:
(e) Existence of the rights of data subjects, including the right to access and
correction, and the right to object;
(f) Other information that would sufficiently notify the data subject of the
nature and extent of data sharing and the manner of processing.
c. Data collected from parties other than the data subject for purpose of
research shall be allowed when the personal data is publicly available, or has the
consent of the data subject for purpose of research: Provided, that adequate
safeguards are in place, and no decision directly affecting the data subject shall
be made on the basis of the data collected or processed. The rights of the data
subject shall be upheld without compromising research integrity.
1. Any or all government agencies party to the agreement shall comply with
the Act, these Rules, and all other issuances of the Commission, including putting in
place adequate safeguards for data privacy and security.
c. The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or physically able to
express his or her consent prior to the processing;
d. The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations provided that:
2. The sensitive personal information are not transferred to third parties; and
Section 25. Data Privacy and Security. Personal information controllers and
personal information processors shall implement reasonable and appropriate
organizational, physical, and technical security measures for the protection of
personal data. The personal information controller and personal information
processor shall take steps to ensure that any natural person acting under their
authority and who has access to personal data, does not process them except
upon their instructions, or as required by law. The security measures shall aim to
maintain the availability, integrity, and confidentiality of personal data and are
intended for the protection of personal data against any accidental or unlawful
destruction, alteration, and disclosure, as well as against any other unlawful
processing. These measures shall be implemented to protect personal data
against natural dangers such as accidental loss or destruction, and human
dangers such as unlawful access, fraudulent misuse, unlawful destruction,
alteration and contamination.
Section 26. Organizational Security Measures. Where appropriate, personal information
controllers and personal information processors shall comply with the following guidelines
for organizational security:
a. Compliance Officers. Any natural or juridical person or other body
involved in the processing of personal data shall designate an individual or
individuals who shall function as data protection officer, compliance officer or
otherwise be accountable for ensuring compliance with applicable laws and
regulations for the protection of data privacy and security.
1. The policies shall implement data protection principles both at the time of
the determination of the means for processing and at the time of the processing
itself.
5. The name and contact details of the personal information controller and,
where applicable, the joint controller, its representative, and the compliance
officer or Data Protection Officer, or any other individual or individuals
accountable for ensuring compliance with the applicable laws and regulations for
the protection of data privacy and security.
The said employees, agents, or representatives shall operate and hold personal
data under strict confidentiality if the personal data are not intended for public
disclosure. This obligation shall continue even after leaving the public service,
transferring to another position, or upon terminating their employment or
contractual relations. There shall be capacity building, orientation or training
programs for such employees, agents or representatives, regarding privacy or
security policies.
2. Procedures that limit the processing of data, to ensure that it is only to the
extent necessary for the declared, specified, and legitimate purpose;
4. Policies and procedures for data subjects to exercise their rights under the
Act;
b. Design of office space and work stations, including the physical arrangement
of furniture and equipment, shall provide privacy to anyone processing personal
data, taking into consideration the environment and accessibility to the public;
e. Policies and procedures that prevent the mechanical destruction of files and
equipment shall be established. The room and workstation used in the processing
of personal data shall, as far as practicable, be secured against natural disasters,
power disturbances, external access, and other similar threats.
d. Regular monitoring for security breaches, and a process both for identifying
and accessing reasonably foreseeable vulnerabilities in their computer networks,
and for taking preventive, corrective, and mitigating action against security
incidents that can lead to a personal data breach;
Section 29. Appropriate Level of Security. The Commission shall monitor the
compliance of natural or juridical person or other body involved in the processing
of personal data, specifically their security measures, with the guidelines provided
in these Rules and subsequent issuances of the Commission. In determining the
level of security appropriate for a particular personal information controller or
personal information processor, the Commission shall take into account the nature
of the personal data that requires protection, the risks posed by the processing, the
size of the organization and complexity of its operations, current data privacy best
practices, and the cost of security implementation. The security measures provided
herein shall be subject to regular review and evaluation, and may be updated as
necessary by the Commission in separate issuances, taking into account the most
appropriate standard recognized by the information and communications
technology industry and data privacy best practices.
Rule VII. Security of Sensitive Personal Information in Government
(d) The employee of the government is only given online access to sensitive
personal information necessary for the performance of official functions or the
provision of a public service.
b. Off-site access.
(a) Deadline for Approval or Disapproval. The head of agency shall approve
or disapprove the request within two (2) business days after the date of submission
of the request. Where no action is taken by the head of agency, the request is
considered disapproved;
Section 34. Rights of the Data Subject. The data subject is entitled to the following
rights:
a. Right to be informed.
2. The data subject shall be notified and furnished with information indicated
hereunder before the entry of his or her personal data into the processing system
of the personal information controller, or at the next practical opportunity:
(b) Purposes for which they are being or will be processed, including processing
for direct marketing, profiling or historical, statistical or scientific purpose;
(c) Basis of processing, when processing is not based on the consent of the
data subject;
(e) The recipients or classes of recipients to whom the personal data are or
may be disclosed;
(f) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized, including meaningful
information about the logic involved, as well as the significance and the
envisaged consequences of such processing for the data subject;
(g) The identity and contact details of the personal data controller or its
representative;
(h) The period for which the information will be stored; and
(i) The existence of their rights as data subjects, including the right to access,
correction, and object to the processing, as well as the right to lodge a complaint
before the Commission.
b. Right to object. The data subject shall have the right to object to the
processing of his or her personal data, including processing for direct marketing,
automated processing or profiling. The data subject shall also be notified and
given an opportunity to withhold consent to the processing in case of changes or
any amendment to the information supplied or declared to the data subject in the
preceding paragraph.
2. The collection and processing are for obvious purposes, including, when it
is necessary for the performance of or in relation to a contract or service to which
the data subject is a party, or when necessary or desirable in the context of an
employer-employee relationship between the collector and the data subject; or
c. Right to Access. The data subject has the right to reasonable access to,
upon demand, the following:
7. Date when his or her personal data concerning the data subject were last
accessed and modified; and
d. Right to rectification. The data subject has the right to dispute the
inaccuracy or error in the personal data and have the personal information
controller correct it immediately and accordingly, unless the request is vexatious or
otherwise unreasonable. If the personal data has been corrected, the personal
information controller shall ensure the accessibility of both the new and the
retracted information and the simultaneous receipt of the new and the retracted
information by the intended recipients thereof: Provided, That recipients or third
parties who have previously received such processed personal data shall be
informed of its inaccuracy and its rectification, upon reasonable request of the
data subject.
e. Right to Erasure or Blocking. The data subject shall have the right to
suspend, withdraw or order the blocking, removal or destruction of his or her
personal data from the personal information controller’s filing system.
1. This right may be exercised upon discovery and substantial proof of any of
the following:
(b) The personal data is being used for purpose not authorized by the data
subject;
(c) The personal data is no longer necessary for the purposes for which they
were collected;
(d) The data subject withdraws consent or objects to the processing, and there
is no other legal ground or overriding legitimate interest for the processing;
(e) The personal data concerns private information that is prejudicial to data
subject, unless justified by freedom of speech, of expression, or of the press or
otherwise authorized;
2. The personal information controller may notify third parties who have
previously received such processed personal information.
f. Right to damages. The data subject shall be indemnified for any damages
sustained due to such inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal data, taking into account any violation
of his or her rights and freedoms as data subject.
Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs and assigns
of the data subject may invoke the rights of the data subject to which he or she is
an heir or an assignee, at any time after the death of the data subject, or when
the data subject is incapacitated or incapable of exercising the rights as
enumerated in the immediately preceding section.
Section 36. Right to Data Portability. Where his or her personal data is processed by
electronic means and in
a structured and commonly used format, the data subject shall have the right to
obtain from the personal information controller a copy of such data in an
electronic or structured format that is commonly used and allows for further use by
the data subject. The exercise of this right shall primarily take into account the right
of data subject to have control over his or her personal data being processed
based on consent or contract, for commercial purpose, or through automated
means. The Commission may specify the electronic format referred to above, as
well as the technical standards, modalities, procedures and other rules for their
transfer.
Section 37. Limitation on Rights. The immediately preceding sections shall
not be applicable if the processed personal data are used only for the needs of
scientific and statistical research and, on the basis of such, no activities are carried
out and no decisions are taken regarding the data subject: Provided, that the
personal data shall be held under strict confidentiality and shall be used only for
the declared purpose. The said sections are also not applicable to the processing
of personal data gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject. Any limitations on the
rights of the data subject shall only be to the minimum extent necessary to
achieve the purpose of said research or investigation.
Rule IX. Data Breach Notification.
Section 39. Contents of Notification. The notification shall at least describe the
nature of the breach, the personal data possibly involved, and the measures taken
by the entity to address the breach. The notification shall also include measures
taken to reduce the harm or negative consequences of the breach, the
representatives of the personal information controller, including their contact
details, from whom the data subject can obtain additional information about the
breach, and any assistance to be provided to the affected data subjects.
Section 40. Delay of Notification. Notification may be delayed only to the extent necessary
to determine the scope of the breach, to prevent further disclosures, or to restore
reasonable integrity to the information and communications system.
a. In evaluating if notification is unwarranted, the Commission may take into
account compliance by the personal information controller with this section and
existence of good faith in the acquisition of personal data.
b. The Commission may exempt a personal information controller from
notification where, in its reasonable judgment, such notification would not be in
the public interest, or in the interest of the affected data subjects.
Section 42. Procedure for Notification. The Procedure for breach notification shall
be in accordance with the Act, these Rules, and any other issuance of the
Commission.
Rule X. Outsourcing and Subcontracting Agreements.
b. The contract or other legal act shall stipulate, in particular, that the
personal information processor shall:
1. Process the personal data only upon the documented instructions of the
personal information controller, including transfers of personal data to another
country or an international organization, unless such transfer is authorized by law;
3. Implement appropriate security measures and comply with the Act, these
Rules, and other issuances of the Commission;
4. Not engage another processor without prior instruction from the personal
information controller: Provided, that any such arrangement shall ensure that the
same obligations for data protection under the contract or legal act are
implemented, taking into account the nature of the processing;
Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the
Commission to administer and implement the Act, and to ensure the compliance
of personal information controllers with its obligations under the law, the
Commission requires the following:
a. Registration of personal data processing systems operating in the country
that involves accessing or requiring sensitive personal information of at least one
thousand (1,000) individuals, including the personal data processing system of
contractors, and their personnel, entering into contracts with government
agencies;
b. The procedure for registration shall be in accordance with these Rules and
other issuances of the Commission.
1. Purpose of processing;
8. Decisions relating to the data subject that would be made on the basis of
processed data or that would significantly affect the rights and freedoms of data
subject; and
Section 49. Review by the Commission. The following are subject to the review of
the Commission, upon its own initiative or upon the filing of a complaint by a data
subject:
a. Compliance by a personal information controller or personal information
processor with the Act, these Rules, and other issuances of the Commission;
Section 51. Accountability for Violation of the Act, these Rules and Other Issuances
of the Commission.
a. Any natural or juridical person, or other body involved in the processing of
personal data, who fails to comply with the Act, these Rules, and other issuances
of the Commission, shall be liable for such violation, and shall be subject to its
corresponding sanction, penalty, or fine, without prejudice to any civil or criminal
liability, as may be applicable.
b. In cases where a data subject files a complaint for violation of his or her
rights as data subject, and for any injury suffered as a result of the processing of his
or her personal data, the Commission may award indemnity on the basis of the
applicable provisions of the New Civil Code.
b. A penalty of imprisonment ranging from three (3) years to six (6) years and
a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than Four million pesos (Php4,000,000.00) shall be imposed on persons who process
sensitive personal information without the consent of the data subject, or without
being authorized under the Act or any existing law.
Section 53. Accessing Personal Information and Sensitive Personal Information Due
to Negligence.
a. A penalty of imprisonment ranging from one (1) year to three (3) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on persons who,
due to negligence, provided access to personal information without being
authorized under the Act or any existing law.
b. A penalty of imprisonment ranging from three (3) years to six (6) years and
a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to
negligence, provided access to sensitive personal information without being
authorized under the Act or any existing law.
b. A penalty of imprisonment ranging from one (1) year to three (3) years and
a fine of not less than One hundred thousand pesos (Php100,000.00) but not more
than One million pesos (Php1,000,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard or abandon the sensitive personal
information of an individual in an area accessible to the public or has otherwise
placed the sensitive personal information of an individual in its container for trash
collection.
Section 55. Processing of Personal Information and Sensitive Personal Information
for Unauthorized Purposes.
a. A penalty of imprisonment ranging from one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons processing personal information for purposes not authorized
by the data subject, or otherwise authorized under the Act or under existing laws.
b. A penalty of imprisonment ranging from two (2) years to seven (7) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on persons
processing sensitive personal information for purposes not authorized by the data
subject, or otherwise authorized under the Act or under existing laws.
Section 66. Appeal. Appeal from final decisions of the Commission shall be made
to the proper courts in accordance with the Rules of Court, or as may be
prescribed by law.
Section 67. Period for Compliance. Any natural or juridical
person or other body involved in the processing of personal data shall comply with
the personal data processing principles and standards of personal data privacy
and security already laid out in the Act. Personal information controllers and
Personal Information processors shall register with the Commission their data
processing systems or automated processing operations, subject to notification,
within one (1) year after the effectivity of these Rules. Any subsequent issuance of
the Commission, including those that implement specific standards for data
portability, encryption, or other security measures shall provide the period for its
compliance. For a period of one (1) year from the effectivity of these Rules, a
personal information controller or personal information processor may apply for an
extension of the period within which to comply with the issuances of the
Commission. The Commission may grant such request for good cause shown.
Section 70. Separability Clause. If any provision or part hereof is held invalid or
unconstitutional, the remainder of these Rules or the provision not otherwise
affected shall remain valid and subsisting.
Section 71. Repealing Clause. Except as otherwise expressly provided in the Act or
these Rules, all other laws, decrees, executive orders, proclamations and
administrative regulations or parts thereof inconsistent herewith are hereby
repealed or modified accordingly.
Section 72. Effectivity Clause. These Rules shall
take effect fifteen (15) days after its publication in the Official Gazette.
In 2012, the Congress of the Philippines passed Republic Act No. 10173, also known
as the Data Privacy Act (DPA) of 2012. Five years later, the DPA’s Implementing
Rules and Regulations were put into effect on September 9, 2016, thus mandating all
companies to comply.
The act is a necessary and important precaution in a world economy that’s swiftly
going digital. In 2014, it was estimated that 2.5 quintillion — or 2.5 billion billion —
bytes of data were created every day. This includes unprecedented knowledge
about what real individuals are doing, watching, thinking, and feeling.
Companies must be held accountable not only for what they do with customer
data — but how they protect that data from third parties. The past few years of
security breaches, system errors, and ethical scandals within some of the country’s
major banks have reminded us that there is much work to be done.
So, where to begin for institutions who want to comply with RA 10173 and be
proactive about their consumers’ digital privacy?
What is RA 10173?
Third, personal information must be discarded in a way that does not make it
visible and accessible to unauthorized third parties.
Companies with at least 250 employees or access to the personal and identifiable
information of at least 1,000 people are required to register with the National
Privacy Commission and comply with the Data Privacy Act of 2012. Some of these
companies are already on their way to compliance — but many more are
unaware that they are even affected by the law.
The National Privacy Commission, which was created to enforce RA 10173, will
check whether companies are compliant based on a company having 5
elements:
1. Appointing a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection polic
The Philippines has a growing and important business process management and health
information technology industry. Total IT spending reached $4.4 billion in 2016, and the
sector is expected to more than double by 2020. Filipinos are heavy social media users:
42.1 million are on Facebook, 13 million are on Twitter, and 3.5 million are on LinkedIn.
The country is also in the process of enabling free public Wi-Fi. In the context of the rapid
growth of the digital economy and increasing international trade of data, the Philippines
has strengthened its privacy and security protections.
In 2012 the Philippines passed the Data Privacy Act 2012, comprehensive and strict
privacy legislation “to protect the fundamental human right of privacy, of communication
while ensuring free flow of information to promote innovation and growth.” (Republic Act
No. 10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National
Privacy Commission that enforces and oversees it and is endowed with rulemaking power.
On September 9, 2016, the final implementing rules and regulations came into force,
adding specificity to the Privacy Act.
Scope and Application
The Data Privacy Act is broadly applicable to individuals and legal entities that process
personal information, with some exceptions. The law has extraterritorial application,
applying not only to businesses with offices in the Philippines, but also when equipment
based in the Philippines is used for processing. The act further applies to the processing
of the personal information of Philippine citizens regardless of where they reside.
One exception in the act provides that the law does not apply to the processing of personal
information in the Philippines that was lawfully collected from residents of foreign
jurisdictions — an exception helpful for Philippine companies that offer cloud services.
Approach
The Philippines law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”
The act states that the collection of personal data “must be a declared, specified, and
legitimate purpose” and further provides that consent is required prior to the collection
of all personal data. It requires that when obtaining consent, the data subject be informed
about the extent and purpose of processing, and it specifically mentions the “automated
processing of his or her personal data for profiling, or processing for direct marketing, and
data sharing.” Consent is further required for sharing information with affiliates or even
mother companies.
Consent must be “freely given, specific, informed,” and the definition further requires that
consent to collection and processing be evidenced by recorded means. However, processing
does not always require consent.
Consent is not required for processing where the data subject is party to a contractual
agreement, for purposes of fulfilling that contract. The exceptions of compliance with a
legal obligation upon the data controller, protection of the vital interests of the data
subject, and response to a national emergency are also available.
Required agreements
The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these agreements are
subject to review by the National Privacy Commission.
About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.
Surveillance
Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a
major anti-terrorism law that enables surveillance) must comply with the Privacy Act.
The law requires that any entity involved in data processing and subject to the act must
develop, implement and review procedures for the collection of personal data, obtaining
consent, limiting processing to defined purposes, access management, providing recourse
to data subjects, and appropriate data retention policies. These requirements necessitate
the creation of a privacy program. Requirements for technical security safeguards in the act
also mandate that an entity have a security program.
The law enumerates rights that are familiar to privacy professionals as related to the
principles of notice, choice, access, accuracy and integrity of data.
The Philippines law appears to contain a “right to be forgotten” in the form of a right to
erasure or blocking, where the data subject may order the removal of his or her personal
data from the filing system of the data controller. Exercising this right requires “substantial
proof,” the burden of producing which is placed on the data subject. This right is expressly
limited by the fact that continued publication may be justified by constitutional rights to
freedom of speech, expression and other rights.
Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.
The law defines “security incident” and “personal data breach” ensuring that the two are
not confused. A “security incident” is an event or occurrence that affects or tends to affect
data protection, or may compromise availability, integrity or confidentiality. This
definition includes incidents that would result in a personal data breach, if not for
safeguards that have been put in place.
A “personal data breach,” on the other hand, is a subset of a security breach that actually
leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to, personal data transmitted, stored, or otherwise processed.”
Requirement to notify
The law further provides that not all “personal data breaches” require notification, and it
provides several bases for not notifying data subjects or the data protection authority.
Section 38 of the IRRs provides the requirements of breach notification:
The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and
whether the acquisition was in good faith.
It is unclear at present whether the commission would allow a delay in notification of data
subjects to allow the commission to determine whether a notification is unwarranted. By
the law, this would appear to be a gamble.
Notification contents
The measures taken to reduce the harm or negative consequence of the breach;
Penalties
The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for
unauthorized purposes, negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive personal information,
unauthorized disclosure, and malicious disclosure.
Any combination or series of acts may cause the entity to be subject to imprisonment
ranging from three to six years as well as a fine of approximately $20,000 to $100,000.
Notably, there is also the previously mentioned private right of action for damages, which
would apply.
With the advances in information technology, privacy in personal data has become
illusory. For the right price or with good connections, private information disclosed in
confidence to companies or government offices can be made available to or accessed by
interested parties.
This is the problem that is sought to be minimized, if not eliminated, by Republic Act
10173, otherwise known as the Data Privacy Act of 2012, which President Aquino
recently signed into law.
In its declaration of policy, the law states that, although the free flow of information
promotes innovation and growth, it is essential that personal information in the
government’s and private sector’s information and communications systems is secured
and protected.
It includes facts and figures about a person’s race, ethnic origin, marital status, age, color
and religious, philosophical and political affiliations. Or practically his life story.
Requirements
The most significant aspects of the law are: the procedures to be followed in the
collection, processing and handling of personal information; the rights of data subjects;
and the creation of a National Privacy Commission.
The law requires information collectors, holders and processors to follow strict rules on
transparency, legitimacy and proportionality in the conduct of their activities.
Among others, the collection should be conducted for “specific and legitimate purposes
determined and declared before, or as soon as reasonably practicable after collection, and
later processed in a way compatible with such declared, specified and legitimate purposes
only.”
Accuracy, relevance and essentiality of purpose must likewise be observed during the
collection stage.
Inaccurate or incomplete data should be corrected, supplemented, destroyed or their
further processing restricted.
The information can be stored only as long as needed for the purpose for which it was
obtained, or “for the establishment, exercise or defense of legal claims, or for legitimate
business purposes, or as provided by law.”
Once collected, the information can be processed or used only if it is not prohibited by law
and the person who provided the information (or data subject) has given his consent; if no
such consent is given, the processing can still go on provided it meets the “necessity” test.
Necessary
The data subject’s lack of consent will not bar the processing if it is related to the
fulfillment of a contract with him or in order to take the steps he requested prior to
entering into the contract.
It may also be conducted in the following instances: to comply with a legal obligation that
the information collector has to obey; to protect the data subject’s vital interests, such as
life and health; to respond to the exigencies of a national emergency or public order and
security; and to serve the legitimate interests of the entity to which the information has
been disclosed as long as no constitutional rights are violated.
In the latter cases, the processing is allowed to continue even in the face of the data
subject’s opposition due to legal considerations (either on the part of the data subject or
the party that collects the information) or in order to serve the greater interests of the
public.
Such liberality, however, is tempered by the rights that the law gives to data subjects to
protect their privacy.
They have the right to know whether their personal information “shall be, are being or
have been processed.”
Before any such data are included in the collector’s information system, or at the next
practical opportunity, they can demand information about, among others, the purpose for
which it is processed, the scope and methodology of the process, the length of information
storage, and the identity of the people to whom their personal information shall be
disclosed.
Commission
In case the data subject finds that the information stored in the information system is
incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no
longer necessary, he can demand the withdrawal, blocking or removal of the subject
information.
And if the harm caused to him is grave, he can sue the erring parties for whatever damages
he may have sustained as a consequence of the mishandling or misuse of his information.
The law lists nine violations that can give rise to fines and prison terms. In what appears to
be a concession to inflationary times, except for two offenses, the average fine imposable
is a minimum of P500,000 and a maximum of P2,000,000.
The task of administering and implementing this law has been assigned to a still to be
created National Privacy Commission, which shall consist of three members: a Privacy
Commissioner who shall act as its chair and two Deputy Privacy Commissioners.
They shall be appointed by the president for a term of three years and may be reappointed
for another term of three years. The members of the commission have to be experts in
information and communications technology and data privacy.
Although the law is complete in all respects, its implementation will have to await the
promulgation by the commission of its implementing rules and regulations.
Recently, the Benitez Salem Baldonado Law Firm secured the country’s first ever conviction for a crime
involving R.A. No. 10173 otherwise known as the “Data Privacy Act of 2012.” On February 6, 2017, Presiding
Judge Hon. Carlito B. Calpatura of Branch 145 of the Regional Trial Court (RTC) of Makati City handed down
the judgment against the female accused in criminal case no. 16-01376 after the latter pleaded guilty to the charge.
On August 15, 2012, former President Aquino signed into law Republic Act (R.A.) No. 10173 or the “Data
Privacy Act of 2012”. The said law was the result of the consolidation of Senate Bill No. 2965 and House Bill No.
4115, which was passed by both houses of Congress on June 6, 2012. Thereafter, on September 12, 2012, former
President Aquino signed into law R.A. No. 10175 otherwise known as the “Cybercrime Prevention Act of
2012”. The said law was the result of the consolidation of Senate Bill No. 2796 and House Bill No. 5808, which
were finally passed by the Senate and the House of Representatives on June 5, 2012 and June 4, 2012,
respectively.
According to the Complaint filed by the complainant BPO on June 4, 2015, it was alleged that the accused
accessed several credit card accounts of a client credit card company without a call or actual request from their
real owners. Furthermore, according to the Complaint, the accused also illegally accessed personal identification
cards and changed into temporary PINs and that subsequently, a consistent amount of $500.00 was withdrawn as
cash advances from all the said credit cards.
According to Sec. 28 of the Data Privacy Act, it is prohibited for any person to process personal information and
sensitive personal information for any unauthorized purpose. Furthermore, Sec. 3 of the same law defines
“Personal Information” as “any information whether recorded in a material form or not, from which the identity of
an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or
when put together with other information would directly and certainly identify an individual.” On the other hand,
“Sensitive Personal Information” was also defined and included any information regarding an individual’s: race,
ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health, education,
genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; any
information issued by the government such as, but not limited to, social security numbers, previous or current
health records, licenses or its denials, suspension or revocation, and tax returns; and any information specifically
established by an executive order or an act of Congress to be kept classified.
Based on the records of the case, on May 30, 2016, the Office of the City Prosecutor (OCP) of Makati found
probable cause against the accused for several counts of violation of Sec. 28 of Data Privacy Act of 2012 and Sec.
4(b)(3) of the Cybercrime Act of 2012. The said cases were raffled to fourteen (14) branches of the RTCs of
Makati City.
It was stated in the Information that the accused, “being a customer care professional” of a multinational BPO
company in the Philippines “unlawfully, willfully and feloniously accessed and processed without authority” the
account of one of said company’s American client account “by enrolling it to express cash and issuing a
temporary PIN for the said account, for the unauthorized purpose of withdrawing $500 from the said account,”
which was in violation of Section 28 of Republic Act (R.A.) No. 10173 otherwise known as the “Data Privacy Act
of 2012”.
According to the dispositive portion of the Judgment, the accused was sentenced to suffer imprisonment for one
(1) year and six (6) months as minimum and five (5) years as maximum, and a fine of Five Hundred Thousand
Pesos (PhP 500,000.00) pursuant to Sec. 28 of the R.A. 10173.
According to Atty. Ferdinand S. Benitez, one of the founding partners of Benitez Salem Baldonado Law Firm who
actively handled the prosecution of the case, this is a great development not only for our client but more
importantly the entire local BPO industry. Indeed, the Philippines has become a major hub for international
business process outsourcing companies (BPO). Industry leaders have projected its continuous expansion in the
coming years. Information technology, being the backbone of the industry, is dynamic and fast-paced in all
aspects. Unfortunately, these same characteristics make the industry vulnerable to online fraud, hacking and other
cybercrimes, which greatly affects the trust of multinational corporations in investing in the Philippines.
With the passage of Republic Act 10173, or the Data Privacy Act of 2012, companies may have to
change the way they handle employee data, suppliers’ information, and even customer details. The
law, which was approved on August 15, 2012, is expected to not only create a new breed of human
resource executives or organizations specifically tasked to handle and protect employee information,
but also to compel the adoption of stringent measures to prevent any form of data breach.
In large organizations with thousands of employees, numerous suppliers and a wide customer base,
the careful handling of data may be taken for granted, which may result in unauthorized access, use,
misuse, and even disclosure of information. RA 10173 was enacted precisely “to protect the privacy of
communication while ensuring free flow of information to promote innovation and growth.” It also
seeks to ensure the security and protection of personal information stored in information and
communication systems in the government and in the private sector.
Section 3 of the law defines personal information as any information from which the identity of any
individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information, would directly and certainly identify the
individual. The residential address, place of birth, and amount of salary are examples of personal
information. Meanwhile, sensitive personal information refers to personal information on an
individual’s marital status, age, religious affiliation, health, education, and tax returns. It also
includes information issued by government agencies peculiar to an individual such as tax
identification and social security numbers, and licenses (or their denial, suspension or revocation).
Information that relates to the positions or functions of an incumbent or former government officer or
employee, and information on government contractors or service providers on the performance of
such services, are excluded. RA 10173 likewise does not apply to information used for journalistic
purposes and those necessary to carry out the official functions of monetary authorities and law
enforcement and regulatory agencies in pursuit of their legal mandate.
Personal information is gathered and collated on a regular basis. Under the law, this information may
be “processed” (i.e., collected, recorded, organized, stored, updated, used, consolidated, among
others) provided it is done in a transparent manner and for a legitimate purpose. Suffice it to say
that the gathered information must be accurate, adequate, and relevant for the purpose for which it
was collected.
A service or utility company also requires its subscribers to provide personal data in the subscription
or service agreement. The submission of lease contracts with supporting valid government-issued
identification cards is also usually required. Credit card applications are not processed without
certificates of employment and copies of the latest withholding tax returns indicating the annual
gross and net taxable compensation.
A supplier – whether participating in an open bid or entering into a negotiated contract – may
likewise be required to provide information on its business to its prospective customer.
While most companies are careful about divulging information to third parties, there are still some
institutions that have not embraced the culture of confidentiality. Thus, the law puts a premium on
the role of the personal information controller (PIC), the one who is tasked to implement appropriate
measures to protect personal information against any accidental or unlawful destruction, alteration,
or disclosure. The PIC shall also determine the appropriate level of security to be adopted, depending
on the nature of the personal information protected. More importantly, the PIC is not only responsible
for personal information under his or her custody, but also for information that has been transferred
to a third party for processing, whether domestically or internationally, including business process
outsourcing (BPO) companies. The PIC must comply with the requirements of RA 10173, including
notifying the affected personnel and soon-to-be-formed National Privacy Commission of any
unauthorized data breach that may pose harm to data subjects. Notification of any data breach is
required to allow for any mitigation strategy and even promote trust and transparency within the
company.
In light of RA 10173, companies may need to secure the permission of employees, customers, and
suppliers to process data gathered in the course of their relationship. For instance, the employee
must be informed whether personal information on him or her will be, is being, or has been
processed. Before the entry into the processing system, the personal information and the purpose for
which these are processed must be described.
In lieu of securing such permission, any of the following conditions must exist:
• The processing is necessary for, or related to, the fulfillment of a contract;
• It is required for compliance with a legal obligation of the PIC;
• It is necessary to protect the life and health of the data subject;
• It is required due to a national emergency or to fulfill public authority functions; and
• Legitimate interests are served, except when such interests are overridden by fundamental
constitutional rights and freedoms.
Unless it falls under any of these six conditions, processing of personal information may not be
permitted and the burden of proving that any of the conditions exist lies on the PIC.
With the Data Privacy Act, aggrieved parties are given the option to seek relief not directly from the
courts but from the National Privacy Commission, which can issue a temporary or permanent ban on
the processing of personal information and compel any entity to abide by its orders.
Next week, we will discuss the implementation of RA 10173 and how companies can comply with the
provisions of the new law.
RHONDA AVE S. VIVARES and SPS. MARGARITA and DAVID SUZARA, Petitioners,
vs.
ST. THERESA'S COLLEGE, MYLENE RHEZA T. ESCUDERO, and JOHN DOES, Respondents.
DECISION
The individual's desire for privacy is never absolute, since participation in society is an equally powerful
desire. Thus each individual is continually engaged in a personal adjustment process in which he
balances the desire for privacy with the desire for disclosure and communication of himself to others, in
light of the environmental conditions and social norms set by the society in which he lives.
The Case
Before Us is a Petition for Review on Certiorari under Rule 45 of the Rules of Court, in relation to
Section 19 of A.M. No. 08-1-16-SC,1 otherwise known as the "Rule on the Writ of Habeas Data."
Petitioners herein assail the July 27, 2012 Decision2 of the Regional Trial Court, Branch 14 in Cebu City
(RTC) in SP. Proc. No. 19251-CEB, which dismissed their habeas data petition.
The Facts
Nenita Julia V. Daluz (Julia) and Julienne Vida Suzara (Julienne), both minors, were, during the period
material, graduating high school students at St. Theresa's College (STC), Cebu City. Sometime in
January 2012, while changing into their swimsuits for a beach party they were about to attend, Julia and
Julienne, along with several others, took digital pictures of themselves clad only in their undergarments.
These pictures were then uploaded by Angela Lindsay Tan (Angela) on her Facebook3 profile.
Back at the school, Mylene Rheza T. Escudero (Escudero), a computer teacher at STC’s high school
department, learned from her students that some seniors at STC posted pictures online, depicting
themselves from the waist up, dressed only in brassieres. Escudero then asked her students if they
knew who the girls in the photos are. In turn, they readily identified Julia, Julienne, and Chloe Lourdes
Taboada (Chloe), among others.
Using STC’s computers, Escudero’s students logged in to their respective personal Facebook accounts
and showed her photos of the identified students, which include: (a) Julia and Julienne drinking hard
liquor and smoking cigarettes inside a bar; and (b) Julia and Julienne along the streets of Cebu wearing
articles of clothing that show virtually the entirety of their black brassieres. What is more, Escudero’s
students claimed that there were times when access to or the availability of the identified students’
photos was not confined to the girls’ Facebook friends,4 but were, in fact, viewable by any Facebook
user.5
Upon discovery, Escudero reported the matter and, through one of her student’s Facebook page,
showed the photos to Kristine Rose Tigol (Tigol), STC’s Discipline-in-Charge, for appropriate action.
Thereafter, following an investigation, STC found the identified students to have deported themselves in
a manner proscribed by the school’s Student Handbook, to wit:
5. Clothing that advocates unhealthy behaviour; depicts obscenity; contains sexually suggestive
messages, language or symbols; and
6. Posing and uploading pictures on the Internet that entail ample body exposure.
On March 1, 2012, Julia, Julienne, Angela, and the other students in the pictures in question, reported,
as required, to the office of Sr. Celeste Ma. Purisima Pe (Sr. Purisima), STC’s high school principal and
ICM6 Directress. They claimed that during the meeting, they were castigated and verbally abused by the
STC officials present in the conference, including Assistant Principal Mussolini S. Yap (Yap), Roswinda
Jumiller, and Tigol. What is more, Sr. Purisima informed their parents the following day that, as part of
their penalty, they are barred from joining the commencement exercises scheduled on March 30, 2012.
A week before graduation, or on March 23, 2012, Angela’s mother, Dr. Armenia M. Tan (Tan), filed a
Petition for Injunction and Damages before the RTC of Cebu City against STC, et al., docketed as Civil
Case No. CEB-38594.7 In it, Tan prayed that defendants therein be enjoined from implementing the
sanction that precluded Angela from joining the commencement exercises.
On March 25, 2012, petitioner Rhonda Ave Vivares (Vivares), the mother of Julia, joined the fray as an
intervenor. On March 28, 2012, defendants in Civil Case No. CEB-38594 filed their memorandum,
containing printed copies of the photographs in issue as annexes. That same day, the RTC issued a
temporary restraining order (TRO) allowing the students to attend the graduation ceremony, to which
STC filed a motion for reconsideration.
Despite the issuance of the TRO, STC, nevertheless, barred the sanctioned students from participating
in the graduation rites, arguing that, on the date of the commencement exercises, its adverted motion
for reconsideration on the issuance of the TRO remained unresolved.
Thereafter, petitioners filed before the RTC a Petition for the Issuance of a Writ of Habeas Data,
docketed as SP. Proc. No. 19251-CEB8 on the basis of the following considerations:
1. The photos of their children in their undergarments (e.g., bra) were taken for posterity before
they changed into their swimsuits on the occasion of a birthday beach party;
2. The privacy setting of their children’s Facebook accounts was set at "Friends Only." They,
thus, have a reasonable expectation of privacy which must be respected.
3. Respondents, being involved in the field of education, knew or ought to have known of laws
that safeguard the right to privacy. Corollarily, respondents knew or ought to have known that
the girls, whose privacy has been invaded, are the victims in this case, and not the offenders.
Worse, after viewing the photos, the minors were called "immoral" and were punished outright;
4. The photos accessed belong to the girls and, thus, cannot be used and reproduced without
their consent. Escudero, however, violated their rights by saving digital copies of the photos and
by subsequently showing them to STC’s officials. Thus, the Facebook accounts of petitioners’
children were intruded upon;
5. The intrusion into the Facebook accounts, as well as the copying of information, data, and
digital images happened at STC’s Computer Laboratory; and
6. All the data and digital images that were extracted were boldly broadcasted by respondents
through their memorandum submitted to the RTC in connection with Civil Case No. CEB-38594.
To petitioners, the interplay of the foregoing constitutes an invasion of their children’s privacy
and, thus, prayed that: (a) a writ of habeas data be issued; (b) respondents be ordered to
surrender and deposit with the court all soft and printed copies of the subject data before or at
the preliminary hearing; and (c) after trial, judgment be rendered declaring all information, data,
and digital images accessed, saved or stored, reproduced, spread and used, to have been
illegally obtained in violation of the children’s right to privacy.
Finding the petition sufficient in form and substance, the RTC, through an Order dated July 5, 2012,
issued the writ of habeas data. Through the same Order, herein respondents were directed to file their
verified written return, together with the supporting affidavits, within five (5) working days from service of
the writ.
In time, respondents complied with the RTC’s directive and filed their verified written return, laying down
the following grounds for the denial of the petition, viz: (a) petitioners are not the proper parties to file
the petition; (b) petitioners are engaging in forum shopping; (c) the instant case is not one where a writ
of habeas data may issue; and (d) there can be no violation of their right to privacy as there is no
reasonable expectation of privacy on Facebook.
On July 27, 2012, the RTC rendered a Decision dismissing the petition for habeas data. The dispositive
portion of the Decision pertinently states:
xxxx
SO ORDERED.9
To the trial court, petitioners failed to prove the existence of an actual or threatened violation of the
minors’ right to privacy, one of the preconditions for the issuance of the writ of habeas data. Moreover,
the court a quo held that the photos, having been uploaded on Facebook without restrictions as to who
may view them, lost their privacy in some way. Besides, the RTC noted, STC gathered the photographs
through legal means and for a legal purpose, that is, the implementation of the school’s policies and
rules on discipline.
Not satisfied with the outcome, petitioners now come before this Court pursuant to Section 19 of the
Rule on Habeas Data.10
The Issues
The main issue to be threshed out in this case is whether or not a writ of habeas data should be issued
given the factual milieu. Crucial in resolving the controversy, however, is the pivotal point of whether or
not there was indeed an actual or threatened violation of the right to privacy in the life, liberty, or
security of the minors involved in this case.
Our Ruling
The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or
security is violated or threatened by an unlawful act or omission of a public official or employee, or of a
private individual or entity engaged in the gathering, collecting or storing of data or information
regarding the person, family, home and correspondence of the aggrieved party.11 It is an independent
and summary remedy designed to protect the image, privacy, honor, information, and freedom of
information of an individual, and to provide a forum to enforce one’s right to the truth and to
informational privacy. It seeks to protect a person’s right to control information regarding oneself,
particularly in instances in which such information is being collected through unlawful means in order to
achieve unlawful ends.12
In developing the writ of habeas data, the Court aimed to protect an individual’s right to informational
privacy, among others. A comparative law scholar has, in fact, defined habeas data as "a procedure
designed to safeguard individual freedom from abuse in the information age."13 The writ, however, will
not issue on the basis merely of an alleged unauthorized access to information about a
person. Availment of the writ requires the existence of a nexus between the right to privacy on the one
hand, and the right to life, liberty or security on the other.14 Thus, the existence of a person’s right to
informational privacy and a showing, at least by substantial evidence, of an actual or threatened
violation of the right to privacy in life, liberty or security of the victim are indispensable before the
privilege of the writ may be extended.15
Without an actionable entitlement in the first place to the right to informational privacy, a habeas
data petition will not prosper. Viewed from the perspective of the case at bar, this requisite begs this
question: given the nature of an online social network (OSN)––(1) that it facilitates and promotes real-
time interaction among millions, if not billions, of users, sans the spatial barriers,16 bridging the gap
created by physical space; and (2) that any information uploaded in OSNs leaves an indelible trace in
the provider’s databases, which are outside the control of the end-users––is there a right to
informational privacy in OSN activities of its users? Before addressing this point, We must first resolve
the procedural issues in this case.
a. The writ of habeas data is not only confined to cases of extralegal killings and enforced
disappearances
Contrary to respondents’ submission, the Writ of Habeas Data was not enacted solely for the purpose of
complementing the Writ of Amparo in cases of extralegal killings and enforced disappearances.
Sec. 2. Who May File. – Any aggrieved party may file a petition for the writ of habeas data. However, in
cases of extralegal killings and enforced disappearances, the petition may be filed by:
(a) Any member of the immediate family of the aggrieved party, namely: the spouse, children
and parents; or
(b) Any ascendant, descendant or collateral relative of the aggrieved party within the fourth civil
degree of consanguinity or affinity, in default of those mentioned in the preceding paragraph.
(emphasis supplied)
Had the framers of the Rule intended to narrow the operation of the writ only to cases of extralegal
killings or enforced disappearances, the above underscored portion of Section 2, reflecting a variance
of habeas data situations, would not have been made.
Habeas data, to stress, was designed "to safeguard individual freedom from abuse in the information
age."17 As such, it is erroneous to limit its applicability to extralegal killings and enforced disappearances
only. In fact, the annotations to the Rule prepared by the Committee on the Revision of the Rules of
Court, after explaining that the Writ of Habeas Data complements the Writ of Amparo, pointed out that:
The writ of habeas data, however, can be availed of as an independent remedy to enforce one’s right to
privacy, more specifically the right to informational privacy. The remedies against the violation of such
right can include the updating, rectification, suppression or destruction of the database or information or
files in possession or in control of respondents.18 (emphasis Ours)
Clearly then, the privilege of the Writ of Habeas Data may also be availed of in cases outside of extralegal killings and enforced
disappearances.
Respondents’ contention that the habeas data writ may not issue against STC, it not being an entity
engaged in the gathering, collecting or storing of data or information regarding the person, family, home
and correspondence of the aggrieved party, while valid to a point, is, nonetheless, erroneous.
To be sure, nothing in the Rule would suggest that the habeas data protection shall be available only
against abuses of a person or entity engaged in the business of gathering, storing, and collecting of
data. As provided under Section 1 of the Rule:
Section 1. Habeas Data. – The writ of habeas data is a remedy available to any person whose right to
privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public
official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of
data or information regarding the person, family, home and correspondence of the aggrieved party.
(emphasis Ours)
The provision, when taken in its proper context, as a whole, irresistibly conveys the idea that habeas
data is a protection against unlawful acts or omissions of public officials and of private individuals or
entities engaged in gathering, collecting, or storing data about the aggrieved party and his or her
correspondences, or about his or her family. Such individual or entity need not be in the business of
collecting or storing data.
To "engage" in something is different from undertaking a business endeavour. To "engage" means "to
do or take part in something."19 It does not necessarily mean that the activity must be done in pursuit of
a business. What matters is that the person or entity must be gathering, collecting or storing said data
or information about the aggrieved party or his or her family. Whether such undertaking carries the
element of regularity, as when one pursues a business, and is in the nature of a personal endeavour,
for any other reason or even for no reason at all, is immaterial and such will not prevent the writ from
getting to said person or entity.
To agree with respondents’ above argument, would mean unduly limiting the reach of the writ to a very
small group, i.e., private persons and entities whose business is data gathering and storage, and in the
process decreasing the effectiveness of the writ as an instrument designed to protect a right which is
easily violated in view of rapid advancements in the information and communications technology––a
right which a great majority of the users of technology themselves are not capable of protecting.
Having resolved the procedural aspect of the case, We now proceed to the core of the controversy.
The concept of privacy has, through time, greatly evolved, with technological advancements having an
influential part therein. This evolution was briefly recounted in former Chief Justice Reynato S. Puno’s
speech, The Common Right to Privacy,20 where he explained the three strands of the right to privacy,
viz: (1) locational or situational privacy;21 (2) informational privacy; and (3) decisional privacy.22 Of the
three, what is relevant to the case at bar is the right to informational privacy––usually defined as the
right of individuals to control information about themselves.23
With the availability of numerous avenues for information gathering and data sharing nowadays, not to
mention each system’s inherent vulnerability to attacks and intrusions, there is more reason that every
individual’s right to control said flow of information should be protected and that each individual should
have at least a reasonable expectation of privacy in cyberspace. Several commentators regarding
privacy and social networking sites, however, all agree that given the millions of OSN users, "[i]n this
[Social Networking] environment, privacy is no longer grounded in reasonable expectations, but rather
in some theoretical protocol better known as wishful thinking."24
It is due to this notion that the Court saw the pressing need to provide for judicial remedies that would
allow a summary hearing of the unlawful use of data or information and to remedy possible violations of
the right to privacy.25 In the same vein, the South African High Court, in its Decision in the landmark
case, H v. W,26 promulgated on January 30, 2013, recognized that "[t]he law has to take into account the
changing realities not only technologically but also socially or else it will lose credibility in the eyes of the
people. x x x It is imperative that the courts respond appropriately to changing times, acting cautiously
and with wisdom." Consistent with this, the Court, by developing what may be viewed as the Philippine
model of the writ of habeas data, in effect, recognized that, generally speaking, having an expectation
of informational privacy is not necessarily incompatible with engaging in cyberspace activities, including
those that occur in OSNs.
The question now though is up to what extent is the right to privacy protected in OSNs? Bear in mind
that informational privacy involves personal information. At the same time, the very purpose of OSNs is
socializing––sharing a myriad of information,27 some of which would have otherwise remained personal.
b. Facebook’s Privacy Tools: a response to the clamor for privacy in OSN activities
Briefly, the purpose of an OSN is precisely to give users the ability to interact and to stay connected to
other members of the same or different social media platform through the sharing of statuses, photos,
videos, among others, depending on the services provided by the site. It is akin to having a room filled
with millions of personal bulletin boards or "walls," the contents of which are under the control of each
and every user. In his or her bulletin board, a user/owner can post anything––from text, to pictures, to
music and videos––access to which would depend on whether he or she allows one, some or all of the
other users to see his or her posts. Since gaining popularity, the OSN phenomenon has paved the way
to the creation of various social networking sites, including the one involved in the case at bar,
www.facebook.com (Facebook), which, according to its developers, people use "to stay connected with
friends and family, to discover what’s going on in the world, and to share and express what matters to
them."28
Facebook connections are established through the process of "friending" another user. By sending a
"friend request," the user invites another to connect their accounts so that they can view any and all
"Public" and "Friends Only" posts of the other. Once the request is accepted, the link is established and
both users are permitted to view the other user’s "Public" or "Friends Only" posts, among others.
"Friending," therefore, allows the user to form or maintain one-to-one relationships with other users,
whereby the user gives his or her "Facebook friend" access to his or her profile and shares certain
information to the latter.29
To address concerns about privacy,30 but without defeating its purpose, Facebook was armed with
different privacy tools designed to regulate the accessibility of a user’s profile31 as well as information
uploaded by the user. In H v. W,32 the South Gauteng High Court recognized this ability of the users to
"customize their privacy settings," but did so with this caveat: "Facebook states in its policies that,
although it makes every effort to protect a user’s information, these privacy settings are not foolproof."33
For instance, a Facebook user can regulate the visibility and accessibility of digital images (photos),
posted on his or her personal bulletin or "wall," except for the user’s profile picture and ID, by selecting
his or her desired privacy setting:
(a) Public - the default setting; every Facebook user can view the photo;
(b) Friends of Friends - only the user’s Facebook friends and their friends can view the photo;
(b) Friends - only the user’s Facebook friends can view the photo;
(c) Custom - the photo is made visible only to particular friends and/or networks of the
Facebook user; and
(d) Only Me - the digital image can be viewed only by the user.
The foregoing are privacy tools, available to Facebook users, designed to set up barriers to broaden or
limit the visibility of his or her specific profile content, statuses, and photos, among others, from another
user’s point of view. In other words, Facebook extends its users an avenue to make the availability of
their Facebook activities reflect their choice as to "when and to what extent to disclose facts about
[themselves] – and to put others in the position of receiving such confidences."34 Ideally, the selected
setting will be based on one’s desire to interact with others, coupled with the opposing need to withhold
certain information as well as to regulate the spreading of his or her personal information. Needless to
say, as the privacy setting becomes more limiting, fewer Facebook users can view that user’s particular
post.
Without these privacy settings, respondents’ contention that there is no reasonable expectation of
privacy in Facebook would, in context, be correct. However, such is not the case. It is through the
availability of said privacy tools that many OSN users are said to have a subjective expectation that only
those to whom they grant access to their profile will view the information they post or upload thereto.35
This, however, does not mean that any Facebook user automatically has a protected expectation of
privacy in all of his or her Facebook activities.
Before one can have an expectation of privacy in his or her OSN activity, it is first necessary that said
user, in this case the children of petitioners, manifest the intention to keep certain posts private, through
the employment of measures to prevent access thereto or to limit its visibility.36 And this intention can
materialize in cyberspace through the utilization of the OSN’s privacy tools. In other words, utilization of
these privacy tools is the manifestation, in cyber world, of the user’s invocation of his or her right to
informational privacy.37
Therefore, a Facebook user who opts to make use of a privacy tool to grant or deny access to his or her
post or profile detail should not be denied the informational privacy right which necessarily accompanies
said choice.38 Otherwise, using these privacy tools would be a feckless exercise, such that if, for
instance, a user uploads a photo or any personal information to his or her Facebook page and sets its
privacy level at "Only Me" or a custom list so that only the user or a chosen few can view it, said photo
would still be deemed public by the courts as if the user never chose to limit the photo’s visibility and
accessibility. Such position, if adopted, will not only strip these privacy tools of their function but it would
also disregard the very intention of the user to keep said photo or information within the confines of his
or her private space.
We must now determine the extent that the images in question were visible to other Facebook users
and whether the disclosure was confidential in nature. In other words, did the minors limit the disclosure
of the photos such that the images were kept within their zones of privacy? This determination is
necessary in resolving the issue of whether the minors carved out a zone of privacy when the photos
were uploaded to Facebook so that the images will be protected against unauthorized access and
disclosure.
Petitioners, in support of their thesis about their children’s privacy right being violated, insist that
Escudero intruded upon their children’s Facebook accounts, downloaded copies of the pictures and
showed said photos to Tigol. To them, this was a breach of the minors’ privacy since their Facebook
accounts, allegedly, were under "very private" or "Only Friends" setting safeguarded with a
password.39 Ultimately, they posit that their children’s disclosure was only limited since their profiles
were not open to public viewing. Therefore, according to them, people who are not their Facebook
friends, including respondents, are barred from accessing said post without their knowledge and
consent. As petitioner’s children testified, it was Angela who uploaded the subject photos which were only
viewable by the five of them,40 although who these five are do not appear on the records.
Escudero, on the other hand, stated in her affidavit41 that "my students showed me some pictures of
girls clad in brassieres. This student [sic] of mine informed me that these are senior high school
[students] of STC, who are their friends in [F]acebook. x x x They then said [that] there are still many
other photos posted on the Facebook accounts of these girls. At the computer lab, these students then
logged into their Facebook account [sic], and accessed from there the various photographs x x x. They
even told me that there had been times when these photos were ‘public’ i.e., not confined to their
friends in Facebook."
In this regard, We cannot give much weight to the minors’ testimonies for one key reason: failure to
question the students’ act of showing the photos to Tigol disproves their allegation that the photos were
viewable only by the five of them. Without any evidence to corroborate their statement that the images
were visible only to the five of them, and without their challenging Escudero’s claim that the other
students were able to view the photos, their statements are, at best, self-serving, thus deserving scant
consideration.42
It is well to note that not one of petitioners disputed Escudero’s sworn account that her students, who
are the minors’ Facebook "friends," showed her the photos using their own Facebook accounts. This
only goes to show that no special means to be able to view the allegedly private posts were ever
resorted to by Escudero’s students,43 and that it is reasonable to assume, therefore, that the photos
were, in reality, viewable either by (1) their Facebook friends, or (2) by the public at large.
Considering that the default setting for Facebook posts is "Public," it can be surmised that the
photographs in question were viewable to everyone on Facebook, absent any proof that petitioners’
children positively limited the disclosure of the photograph. If such were the case, they cannot invoke the
protection attached to the right to informational privacy. The ensuing pronouncement in US v. Gines-
Perez44 is most instructive:
[A] person who places a photograph on the Internet precisely intends to forsake and renounce all
privacy rights to such imagery, particularly under circumstances such as here, where the Defendant did
not employ protective measures or devices that would have controlled access to the Web page or the
photograph itself.45
Also, United States v. Maxwell46 held that "[t]he more open the method of transmission is, the less
privacy one can reasonably expect. Messages sent to the public at large in the chat room or e-mail that
is forwarded from correspondent to correspondent loses any semblance of privacy."
That the photos are viewable by "friends only" does not necessarily bolster the petitioners’ contention.
In this regard, the cyber community is agreed that the digital images under this setting still remain to be
outside the confines of the zones of privacy in view of the following:
(1) Facebook "allows the world to be more open and connected by giving its users the tools to
interact and share in any conceivable way;"47
(2) A good number of Facebook users "befriend" other users who are total strangers;48
(3) The sheer number of "Friends" one user has, usually by the hundreds; and
(4) A user’s Facebook friend can "share"49 the former’s post, or "tag"50 others who are not
Facebook friends with the former, despite its being visible only to his or her own Facebook
friends.
It is well to emphasize at this point that setting a post’s or profile detail’s privacy to "Friends" is no
assurance that it can no longer be viewed by another user who is not Facebook friends with the source
of the content. The user’s own Facebook friend can share said content or tag his or her own Facebook
friend thereto, regardless of whether the user tagged by the latter is Facebook friends or not with the
former. Also, when the post is shared or when a person is tagged, the respective Facebook friends of
the person who shared the post or who was tagged can view the post, the privacy setting of which was
set at "Friends."
To illustrate, suppose A has 100 Facebook friends and B has 200. A and B are not Facebook friends. If
C, A’s Facebook friend, tags B in A’s post, which is set at "Friends," the initial audience of 100 (A’s own
Facebook friends) is dramatically increased to 300 (A’s 100 friends plus B’s 200 friends or the public,
depending upon B’s privacy setting). As a result, the audience who can view the post is effectively
expanded––and to a very large extent.
This, along with its other features and uses, is confirmation of Facebook’s proclivity towards user
interaction and socialization rather than seclusion or privacy, as it encourages broadcasting of individual
user posts. In fact, it has been said that OSNs have facilitated their users’ self-tribute, thereby resulting
into the "democratization of fame."51 Thus, it is suggested, that a profile, or even a post, with visibility set
at "Friends Only" cannot easily, more so automatically, be said to be "very private," contrary to
petitioners’ argument.
As applied, even assuming that the photos in issue are visible only to the sanctioned students’
Facebook friends, respondent STC can hardly be taken to task for the perceived privacy invasion since
it was the minors’ Facebook friends who showed the pictures to Tigol. Respondents were mere
recipients of what were posted. They did not resort to any unlawful means of gathering the information
as it was voluntarily given to them by persons who had legitimate access to the said posts. Clearly, the
fault, if any, lies with the friends of the minors. Curiously enough, however, neither the minors nor their
parents imputed any violation of privacy against the students who showed the images to Escudero.
Furthermore, petitioners failed to prove their contention that respondents reproduced and broadcasted
the photographs. In fact, what petitioners attributed to respondents as an act of offensive disclosure
was no more than the actuality that respondents appended said photographs in their memorandum
submitted to the trial court in connection with Civil Case No. CEB-38594.52 These are not tantamount to
a violation of the minor’s informational privacy rights, contrary to petitioners’ assertion.
In sum, there can be no quibbling that the images in question, or to be more precise, the photos of
minor students scantily clad, are personal in nature, likely to affect, if indiscriminately circulated, the
reputation of the minors enrolled in a conservative institution. However, the records are bereft of any
evidence, other than bare assertions that they utilized Facebook’s privacy settings to make the photos
visible only to them or to a select few. Without proof that they placed the photographs subject of this
case within the ambit of their protected zone of privacy, they cannot now insist that they have an
expectation of privacy with respect to the photographs in question.
Had it been proved that the access to the pictures posted were limited to the original uploader, through
the "Me Only" privacy setting, or that the user’s contact list has been screened to limit access to a
select few, through the "Custom" setting, the result may have been different, for in such instances, the
intention to limit access to the particular post, instead of being broadcasted to the public at large or all
the user’s friends en masse, becomes more manifest and palpable.
On Cyber Responsibility
It has been said that "the best filter is the one between your children’s ears."53 This means that self-
regulation on the part of OSN users and internet consumers in general is the best means of avoiding
privacy rights violations.54 As a cyberspace community member, one has to be proactive in protecting his
or her own privacy.55 It is in this regard that many OSN users, especially minors, fail. Responsible social
networking or observance of the "netiquettes"56 on the part of teenagers has been the concern of many
due to the widespread notion that teenagers can sometimes go too far since they generally lack the
people skills or general wisdom to conduct themselves sensibly in a public forum.57
Respondent STC is clearly aware of this and incorporating lessons on good cyber citizenship in its
curriculum to educate its students on proper online conduct may be most timely. Too, it is not only STC
but a number of schools and organizations have already deemed it important to include digital literacy
and good cyber citizenship in their respective programs and curricula in view of the risks that the
children are exposed to every time they participate in online activities.58 Furthermore, considering the
complexity of the cyber world and its pervasiveness, as well as the dangers that these children are
wittingly or unwittingly exposed to in view of their unsupervised activities in cyberspace, the participation
of the parents in disciplining and educating their children about being a good digital citizen is
encouraged by these institutions and organizations. In fact, it is believed that "to limit such risks, there’s
no substitute for parental involvement and supervision."59
As such, STC cannot be faulted for being steadfast in its duty of teaching its students to be responsible
in their dealings and activities in cyberspace, particularly in OSNs, when it enforced the disciplinary
actions specified in the Student Handbook, absent a showing that, in the process, it violated the
students’ rights.
OSN users should be aware of the risks that they expose themselves to whenever they engage
in cyberspace activities. Accordingly, they should be cautious enough to control their privacy and to
exercise sound discretion regarding how much information about themselves they are willing to give up.
Internet consumers ought to be aware that, by entering or uploading any kind of data or information
online, they are automatically and inevitably making it permanently available online, the perpetuation of
which is outside the ambit of their control. Furthermore, and more importantly, information, otherwise
private, voluntarily surrendered by them can be opened, read, or copied by third parties who may or
may not be allowed access to such.
It is, thus, incumbent upon internet users to exercise due diligence in their online dealings and activities
and must not be negligent in protecting their rights. Equity serves the vigilant. Demanding relief from the
courts, as here, requires that claimants themselves take utmost care in safeguarding a right which they
allege to have been violated. These are indispensable. We cannot afford protection to persons if they
themselves did nothing to place the matter within the confines of their private zone. OSN users must be
mindful enough to learn the use of privacy tools, to use them if they desire to keep the information
private, and to keep track of changes in the available privacy settings, such as those of Facebook,
especially because Facebook is notorious for changing these settings and the site's layout often.
In finding that respondent STC and its officials did not violate the minors' privacy rights, We find no
cogent reason to disturb the findings and case disposition of the court a quo.
In light of the foregoing, the Court need not belabor the other assigned errors.
WHEREFORE, premises considered, the petition is hereby DENIED. The Decision dated July 27, 2012
of the Regional Trial Court, Branch 14 in Cebu City in SP. Proc. No. 19251-CEB is hereby AFFIRMED.
No pronouncement as to costs.
Be it enacted by the Senate and House of Representatives of the Philippines in Congress assembled:
CHAPTER I
PRELIMINARY PROVISIONS
Section 1. Title. — This Act shall be known as the "Cybercrime Prevention Act of 2012".
Section 2. Declaration of Policy. — The State recognizes the vital role of information and
communications industries such as content production, telecommunications, broadcasting electronic
commerce, and data processing, in the nation’s overall social and economic development. The State
also recognizes the importance of providing an environment conducive to the development,
acceleration, and rational application and exploitation of information and communications technology
(ICT) to attain free, easy, and intelligible access to exchange and/or delivery of information; and the
need to protect and safeguard the integrity of computer, computer and communications systems,
networks, and databases, and the confidentiality, integrity, and availability of information and data
stored therein, from all forms of misuse, abuse, and illegal access by making punishable under the law
such conduct or conducts. In this light, the State shall adopt sufficient powers to effectively prevent and
combat such offenses by facilitating their detection, investigation, and prosecution at both the domestic
and international levels, and by providing arrangements for fast and reliable international cooperation.
Section 3. Definition of Terms. — For purposes of this Act, the following terms are hereby defined as
follows:
(a) Access refers to the instruction, communication with, storing data in, retrieving data from, or
otherwise making use of any resources of a computer system or communication network.
(b) Alteration refers to the modification or change, in form or substance, of an existing computer
data or program.
(c) Communication refers to the transmission of information through ICT media, including voice,
video and other forms of data.
(e) Computer data refers to any representation of facts, information, or concepts in a form
suitable for processing in a computer system including a program suitable to cause a computer
system to perform a function and includes electronic documents and/or electronic data
messages whether stored in local computer systems or online.
(f) Computer program refers to a set of instructions executed by the computer to achieve
intended results.
(g) Computer system refers to any device or group of interconnected or related devices, one or
more of which, pursuant to a program, performs automated processing of data. It covers any
type of device with data processing capabilities including, but not limited to, computers and
mobile phones. The device consisting of hardware and software may include input, output and
storage components which may stand alone or be connected in a network or other similar
devices. It also includes computer data storage devices or media.
(h) Without right refers to either: (i) conduct undertaken without or in excess of authority; or (ii)
conduct not covered by established legal defenses, excuses, court orders, justifications, or
relevant principles under the law.
(i) Cyber refers to a computer or a computer network, the electronic medium in which online
communication takes place.
(j) Critical infrastructure refers to the computer systems, and/or networks, whether physical or
virtual, and/or the computer programs, computer data and/or traffic data so vital to this country
that the incapacity or destruction of or interference with such system and assets would have a
debilitating impact on security, national or economic security, national public health and safety,
or any combination of those matters.
(k) Cybersecurity refers to the collection of tools, policies, risk management approaches,
actions, training, best practices, assurance and technologies that can be used to protect the
cyber environment and organization and user’s assets.
(m) Interception refers to listening to, recording, monitoring or surveillance of the content of
communications, including procuring of the content of data, either directly, through access and
use of a computer system or indirectly, through the use of electronic eavesdropping or tapping
devices, at the same time that the communication is occurring.
(1) Any public or private entity that provides to users of its service the ability to
communicate by means of a computer system; and
(2) Any other entity that processes or stores computer data on behalf of such
communication service or users of such service.
(o) Subscriber’s information refers to any information contained in the form of computer data or
any other form that is held by a service provider, relating to subscribers of its services other
than traffic or content data and by which identity can be established:
(1) The type of communication service used, the technical provisions taken thereto and
the period of service;
(2) The subscriber’s identity, postal or geographic address, telephone and other access
numbers, any assigned network address, billing and payment information, available on
the basis of the service agreement or arrangement; and
(3) Any other available information on the site of the installation of communication
equipment, available on the basis of the service agreement or arrangement.
(p) Traffic data or non-content data refers to any computer data other than the content of the
communication including, but not limited to, the communication’s origin, destination, route, time,
date, size, duration, or type of underlying service.
CHAPTER II
PUNISHABLE ACTS
Section 4. Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable
under this Act:
(a) Offenses against the confidentiality, integrity and availability of computer data and systems:
(1) Illegal Access. – The access to the whole or any part of a computer system without
right.
(2) Illegal Interception. – The interception made by technical means without right of any
non-public transmission of computer data to, from, or within a computer system
including electromagnetic emissions from a computer system carrying such computer
data.
(6) Cyber-squatting. – The acquisition of a domain name over the internet in bad faith to
profit, mislead, destroy reputation, and deprive others from registering the same, if such
a domain name is:
(ii) Identical or in any way similar with the name of a person other than the
registrant, in case of a personal name; and
(i) The input, alteration, or deletion of any computer data without right resulting
in inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic, regardless whether or not the data is directly
readable and intelligible; or
(ii) The act of knowingly using computer data which is the product of computer-
related forgery as defined herein, for the purpose of perpetuating a fraudulent or
dishonest design.
damage has yet been caused, the penalty imposable shall be one (1) degree lower.
(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another,
whether natural or juridical, without right: Provided, That if no damage has yet been
caused, the penalty imposable shall be one (1) degree lower.
(2) Child Pornography. — The unlawful or prohibited acts defined and punishable
by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through
a computer system: Provided, That the penalty to be imposed shall be (1) one degree
higher than that provided for in Republic Act No. 9775.
(ii) The primary intent of the communication is for service and/or administrative
announcements from the sender to its existing users, subscribers or customers;
or
Section 5. Other Offenses. — The following acts shall also constitute an offense:
(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or aids
in the commission of any of the offenses enumerated in this Act shall be held liable.
(b) Attempt in the Commission of Cybercrime. — Any person who willfully attempts to commit
any of the offenses enumerated in this Act shall be held liable.
Section 6. All crimes defined and penalized by the Revised Penal Code, as amended, and special
laws, if committed by, through and with the use of information and communications technologies shall
be covered by the relevant provisions of this Act: Provided, That the penalty to be imposed shall be one
(1) degree higher than that provided for by the Revised Penal Code, as amended, and special laws, as
the case may be.
Section 7. Liability under Other Laws. — A prosecution under this Act shall be without prejudice to any
liability for violation of any provision of the Revised Penal Code, as amended, or special laws.
CHAPTER III
PENALTIES
Section 8. Penalties. — Any person found guilty of any of the punishable acts enumerated in Sections
4(a) and 4(b) of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two
hundred thousand pesos (PhP200,000.00) up to a maximum amount commensurate to the damage
incurred or both.
Any person found guilty of the punishable act under Section 4(a)(5) shall be punished with
imprisonment of prision mayor or a fine of not more than Five hundred thousand pesos
(PhP500,000.00) or both.
If punishable acts in Section 4(a) are committed against critical infrastructure, the penalty of reclusion
temporal or a fine of at least Five hundred thousand pesos (PhP500,000.00) up to maximum amount
commensurate to the damage incurred or both, shall be imposed.
Any person found guilty of any of the punishable acts enumerated in Section 4(c)(1) of this Act shall be
punished with imprisonment of prision mayor or a fine of at least Two hundred thousand pesos
(PhP200,000.00) but not exceeding One million pesos (PhP1,000,000.00) or both.
Any person found guilty of any of the punishable acts enumerated in Section 4(c)(2) of this Act shall be
punished with the penalties as enumerated in Republic Act No. 9775 or the "Anti-Child Pornography Act
of 2009": Provided, That the penalty to be imposed shall be one (1) degree higher than that provided for
in Republic Act No. 9775, if committed through a computer system.
Any person found guilty of any of the punishable acts enumerated in Section 4(c)(3) shall be punished
with imprisonment of arresto mayor or a fine of at least Fifty thousand pesos (PhP50,000.00) but not
exceeding Two hundred fifty thousand pesos (PhP250,000.00) or both.
Any person found guilty of any of the punishable acts enumerated in Section 5 shall be punished with
imprisonment one (1) degree lower than that of the prescribed penalty for the offense or a fine of at
least One hundred thousand pesos (PhP100,000.00) but not exceeding Five hundred thousand pesos
(PhP500,000.00) or both.
Section 9. Corporate Liability. — When any of the punishable acts herein defined are knowingly
committed on behalf of or for the benefit of a juridical person, by a natural person acting either
individually or as part of an organ of the juridical person, who has a leading position within, based on:
(a) a power of representation of the juridical person provided the act committed falls within the scope of
such authority; (b) an authority to take decisions on behalf of the juridical person: Provided, That the act
committed falls within the scope of such authority; or (c) an authority to exercise control within the
juridical person, the juridical person shall be held liable for a fine equivalent to at least double the fines
imposable in Section 7 up to a maximum of Ten million pesos (PhP10,000,000.00).
If the commission of any of the punishable acts herein defined was made possible due to the lack of
supervision or control by a natural person referred to and described in the preceding paragraph, for the
benefit of that juridical person by a natural person acting under its authority, the juridical person shall be
held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of
Five million pesos (PhP5,000,000.00).
The liability imposed on the juridical person shall be without prejudice to the criminal liability of the
natural person who has committed the offense.
CHAPTER IV
ENFORCEMENT AND IMPLEMENTATION
Section 10. Law Enforcement Authorities. — The National Bureau of Investigation (NBI) and the
Philippine National Police (PNP) shall be responsible for the efficient and effective law enforcement of
the provisions of this Act. The NBI and the PNP shall organize a cybercrime unit or center manned by
special investigators to exclusively handle cases involving violations of this Act.
Section 11. Duties of Law Enforcement Authorities. — To ensure that the technical nature of
cybercrime and its prevention is given focus and considering the procedures involved for international
cooperation, law enforcement authorities specifically the computer or technology crime divisions or units
responsible for the investigation of cybercrimes are required to submit timely and regular reports
including pre-operation, post-operation and investigation results and such other documents as may be
required to the Department of Justice (DOJ) for review and monitoring.
Section 12. Real-Time Collection of Traffic Data. — Law enforcement authorities, with due cause, shall
be authorized to collect or record by technical or electronic means traffic data in real-time associated
with specified communications transmitted by means of a computer system.
Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or
type of underlying service, but not content, nor identities.
All other data to be collected or seized or disclosed will require a court warrant.
Service providers are required to cooperate and assist law enforcement authorities in the collection or
recording of the above-stated information.
The court warrant required under this section shall only be issued or granted upon written application
and the examination under oath or affirmation of the applicant and the witnesses he may produce and
the showing: (1) that there are reasonable grounds to believe that any of the crimes enumerated
hereinabove has been committed, or is being committed, or is about to be committed: (2) that there are
reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any
person for, or to the solution of, or to the prevention of, any such crimes; and (3) that there are no other
means readily available for obtaining such evidence.
Section 13. Preservation of Computer Data. — The integrity of traffic data and subscriber information
relating to communication services provided by a service provider shall be preserved for a minimum
period of six (6) months from the date of the transaction. Content data shall be similarly preserved for
six (6) months from the date of receipt of the order from law enforcement authorities requiring its
preservation.
Law enforcement authorities may order a one-time extension for another six (6) months: Provided, That
once computer data preserved, transmitted or stored by a service provider is used as evidence in a
case, the mere furnishing to such service provider of the transmittal document to the Office of the
Prosecutor shall be deemed a notification to preserve the computer data until the termination of the
case.
The service provider ordered to preserve computer data shall keep confidential the order and its
compliance.
Section 14. Disclosure of Computer Data. — Law enforcement authorities, upon securing a court
warrant, shall issue an order requiring any person or service provider to disclose or submit subscriber’s
information, traffic data or relevant data in his/its possession or control within seventy-two (72) hours
from receipt of the order in relation to a valid complaint officially docketed and assigned for investigation
and the disclosure is necessary and relevant for the purpose of investigation.
Section 15. Search, Seizure and Examination of Computer Data. — Where a search and seizure
warrant is properly issued, the law enforcement authorities shall likewise have the following powers and
duties.
Within the time period specified in the warrant, to conduct interception, as defined in this Act, and:
(d) To conduct forensic analysis or examination of the computer data storage medium; and
(e) To render inaccessible or remove those computer data in the accessed computer or
computer and communications network.
Pursuant thereof, the law enforcement authorities may order any person who has knowledge about the
functioning of the computer system and the measures to protect and preserve the computer data
therein to provide, as is reasonable, the necessary information, to enable the undertaking of the search,
seizure and examination.
Law enforcement authorities may request for an extension of time to complete the examination of the
computer data storage medium and to make a return thereon but in no case for a period longer than
thirty (30) days from date of approval by the court.
Section 16. Custody of Computer Data. — All computer data, including content and traffic data,
examined under a proper warrant shall, within forty-eight (48) hours after the expiration of the period
fixed therein, be deposited with the court in a sealed package, and shall be accompanied by an affidavit
of the law enforcement authority executing it stating the dates and times covered by the examination,
and the law enforcement authority who may access the deposit, among other relevant data. The law
enforcement authority shall also certify that no duplicates or copies of the whole or any part thereof
have been made, or if made, that all such duplicates or copies are included in the package deposited
with the court. The package so deposited shall not be opened, or the recordings replayed, or used in
evidence, or their contents revealed, except upon order of the court, which shall not be granted except
upon motion, with due notice and opportunity to be heard to the person or persons whose conversation
or communications have been recorded.
Section 17. Destruction of Computer Data. — Upon expiration of the periods as provided in Sections
13 and 15, service providers and law enforcement authorities, as the case may be, shall immediately
and completely destroy the computer data subject of a preservation and examination.
Section 18. Exclusionary Rule. — Any evidence procured without a valid warrant or beyond the
authority of the same shall be inadmissible for any proceeding before any court or tribunal.
Section 19. Restricting or Blocking Access to Computer Data. — When a computer data is prima facie
found to be in violation of the provisions of this Act, the DOJ shall issue an order to restrict or block
access to such computer data.
Section 20. Noncompliance. — Failure to comply with the provisions of Chapter IV hereof specifically
the orders from law enforcement authorities shall be punished as a violation of Presidential Decree No.
1829 with imprisonment of prision correctional in its maximum period or a fine of One hundred thousand
pesos (Php100,000.00) or both, for each and every noncompliance with an order issued by law
enforcement authorities.
CHAPTER V
JURISDICTION
Section 21. Jurisdiction. — The Regional Trial Court shall have jurisdiction over any violation of the
provisions of this Act, including any violation committed by a Filipino national regardless of the place of
commission. Jurisdiction shall lie if any of the elements was committed within the Philippines or
committed with the use of any computer system wholly or partly situated in the country, or when by
such commission any damage is caused to a natural or juridical person who, at the time the offense
was committed, was in the Philippines.
There shall be designated special cybercrime courts manned by specially trained judges to handle
cybercrime cases.
CHAPTER VI
INTERNATIONAL COOPERATION
Section 22. General Principles Relating to International Cooperation. — All relevant international
instruments on international cooperation in criminal matters, arrangements agreed on the basis of
uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of
investigations or proceedings concerning criminal offenses related to computer systems and data, or for
the collection of evidence in electronic form of a criminal offense, shall be given full force and effect.
CHAPTER VII
COMPETENT AUTHORITIES
Section 23. Department of Justice (DOJ). — There is hereby created an Office of Cybercrime within the
DOJ designated as the central authority in all matters related to international mutual assistance and
extradition.
Section 24. Cybercrime Investigation and Coordinating Center. — There is hereby created, within thirty
(30) days from the effectivity of this Act, an inter-agency body to be known as the Cybercrime
Investigation and Coordinating Center (CICC), under the administrative supervision of the Office of the
President, for policy coordination among concerned agencies and for the formulation and enforcement
of the national cybersecurity plan.
Section 25. Composition. — The CICC shall be headed by the Executive Director of the Information
and Communications Technology Office under the Department of Science and Technology (ICTO-
DOST) as Chairperson with the Director of the NBI as Vice Chairperson; the Chief of the PNP; Head of
the DOJ Office of Cybercrime; and one (1) representative from the private sector and academe, as
members. The CICC shall be manned by a secretariat of selected existing personnel and
representatives from the different participating agencies.
Section 26. Powers and Functions. — The CICC shall have the following powers and functions:
(a) To formulate a national cybersecurity plan and extend immediate assistance for the
suppression of real-time commission of cybercrime offenses through a computer emergency
response team (CERT);
(b) To coordinate the preparation of appropriate and effective measures to prevent and
suppress cybercrime activities as provided for in this Act;
(c) To monitor cybercrime cases being handled by participating law enforcement and
prosecution agencies;
(e) To coordinate the support and participation of the business sector, local government units
and nongovernment organizations in cybercrime prevention programs and other related
projects;
(f) To recommend the enactment of appropriate laws, issuances, measures and policies;
(g) To call upon any government agency to render assistance in the accomplishment of the
CICC’s mandated tasks and functions; and
(h) To perform all other matters related to cybercrime prevention and suppression, including
capacity building and such other functions and duties as may be necessary for the proper
implementation of this Act.
CHAPTER VIII
FINAL PROVISIONS
Section 27. Appropriations. — The amount of Fifty million pesos (PhP50,000,000.00) shall be
appropriated annually for the implementation of this Act.
Section 28. Implementing Rules and Regulations. — The ICTO-DOST, the DOJ and the Department of
the Interior and Local Government (DILG) shall jointly formulate the necessary rules and regulations
within ninety (90) days from approval of this Act, for its effective implementation.
Section 29. Separability Clause. — If any provision of this Act is held invalid, the other provisions not
affected shall remain in full force and effect.
Section 30. Repealing Clause. — All laws, decrees or rules inconsistent with this Act are hereby
repealed or modified accordingly. Section 33(a) of Republic Act No. 8792 or the "Electronic Commerce
Act" is hereby modified accordingly.
Section 31. Effectivity. — This Act shall take effect fifteen (15) days after the completion of its
publication in the Official Gazette or in at least two (2) newspapers of general circulation.
Pursuant to the authority of the Department of Justice, Department of Interior and Local
Government, and Department of Science and Technology under Republic Act No. 10175, otherwise
known as the “Cybercrime Prevention Act of 2012”, the following rules and regulations are hereby
promulgated to implement the provisions of said Act:
RULE 1
Preliminary Provisions
Section 1. Title. – These Rules shall be referred to as the Implementing Rules and Regulations of
Republic Act No. 10175, or the “Cybercrime Prevention Act of 2012”.
Section 2. Declaration of Policy. – The State recognizes the vital role of information and
communications industries, such as content production, telecommunications, broadcasting,
electronic commerce and data processing, in the State’s overall social and economic development.
The State also recognizes the importance of providing an environment conducive to the
development, acceleration, and rational application and exploitation of information and
communications technology to attain free, easy, and intelligible access to exchange and/or delivery
of information; and the need to protect and safeguard the integrity of computer, computer and
communications systems, networks and databases, and the confidentiality, integrity, and availability
of information and data stored therein from all forms of misuse, abuse and illegal access by making
punishable under the law such conduct or conducts.
The State shall adopt sufficient powers to effectively prevent and combat such offenses by
facilitating their detection, investigation and prosecution at both the domestic and international
levels, and by providing arrangements for fast and reliable international cooperation.
a) Access refers to the instruction, communication with, storing data in, retrieving data from, or
otherwise making use of any resources of a computer system or communication network;
b) Act refers to Republic Act No. 10175 or the “Cybercrime Prevention Act of 2012”;
e) Child Pornography refers to the unlawful or prohibited acts defined and punishable by Republic
Act No. 9775 or the “Anti-Child Pornography Act of 2009”, committed through a computer
system: Provided, that the penalty to be imposed shall be one (1) degree higher than that provided
for in Republic Act No. 9775;
h) Competent Authority refers to either the Cybercrime Investigation and Coordinating Center or
the DOJ – Office of Cybercrime, as the case may be;
j) Computer data refers to any representation of facts, information, or concepts in a form suitable
for processing in a computer system, including a program suitable to cause a computer system to
perform a function, and includes electronic documents and/or electronic data messages whether
stored in local computer systems or online;
k) Computer program refers to a set of instructions executed by the computer to achieve intended
results;
l) Computer system refers to any device or group of interconnected or related devices, one or more
of which, pursuant to a program, performs automated processing of data. It covers any type of
device with data processing capabilities, including, but not limited to, computers and mobile
phones. The device consisting of hardware and software may include input, output and storage
components, which may stand alone or be connected to a network or other similar devices. It also
includes computer data storage devices or media;
m) Content Data refers to the communication content of the communication, the meaning or
purport of the communication, or the message or information being conveyed by the
communication, other than traffic data.
n) Critical infrastructure refers to the computer systems, and/or networks, whether physical or
virtual, and/or the computer programs, computer data and/or traffic data that are so vital to this
country that the incapacity or destruction of or interference with such system and assets would have
a debilitating impact on security, national or economic security, national public health and safety, or
any combination of those matters;
o) Cybersecurity refers to the collection of tools, policies, risk management approaches, actions,
training, best practices, assurance and technologies that can be used to protect the cyber
environment, and organization and user’s assets;
p) National Cybersecurity Plan refers to a comprehensive plan of actions designed to improve the
security and enhance cyber resilience of infrastructures and services. It is a top-down approach to
cybersecurity that contains broad policy statements and establishes a set of national objectives and
priorities that should be achieved within a specific timeframe;
r) Cyber refers to a computer or a computer network, the electronic medium in which online
communication takes place;
t) Digital evidence refers to digital information that may be used as evidence in a case. The
gathering of the digital information may be carried out by confiscation of the storage media (data
carrier), the tapping or monitoring of network traffic, or the making of digital copies (e.g., forensic
images, file copies, etc.), of the data held;
u) Electronic evidence refers to evidence, the use of which is sanctioned by existing rules of
evidence, in ascertaining in a judicial proceeding, the truth respecting a matter of fact, which
evidence is received, recorded, transmitted, stored, processed, retrieved or produced electronically;
v) Forensics refers to the application of investigative and analytical techniques that conform to
evidentiary standards, and are used in, or appropriate for, a court of law or other legal context;
w) Forensic image, also known as a forensic copy, refers to an exact bit-by-bit copy of a data
carrier, including slack, unallocated space and unused space. There are forensic tools available for
making these images. Most tools produce information, like a hash value, to ensure the integrity of
the image;
x) Hash value refers to the mathematical algorithm produced against digital information (a file, a
physical disk or a logical disk) thereby creating a “digital fingerprint” or “digital DNA” for that
information. It is a one-way algorithm and thus it is not possible to change digital evidence without
changing the corresponding hash values;
y) Identifying information refers to any name or number that may be used alone or in conjunction
with any other information to identify any specific individual, including any of the following:
1. Name, date of birth, driver’s license number, passport number or tax identification number;
2. Unique biometric data, such as fingerprint or other unique physical representation;
3. Unique electronic identification number, address or routing code; and
4. Telecommunication identifying information or access device.
z) Information and communication technology system refers to system intended for, and capable
of, generating, sending, receiving, storing or otherwise processing electronic data messages or
electronic documents, and includes the computer system or other similar device by or in which data
is recorded or stored, and any procedures related to the recording or storage of electronic data
message or electronic document;
aa) Interception refers to listening to, recording, monitoring or surveillance of the content of
communications, including procurement of the content of data, either directly through access and
use of a computer system, or indirectly through the use of electronic eavesdropping or tapping
devices, at the same time that the communication is occurring;
bb) Internet content host refers to a person who hosts or who proposes to host internet content in
the Philippines;
cc) Law enforcement authorities refers to the National Bureau of Investigation (NBI) and the
Philippine National Police (PNP) under Section 10 of the Act;
dd) Original author refers to the person who created or is the origin of the assailed electronic
statement or post using a computer system;
ee) Preservation refers to the keeping of data that already exists in a stored form, protected from
anything that would cause its current quality or condition to change or deteriorate. It is the activity
that keeps that stored data secure and safe;
gg) Subscriber’s information refers to any information contained in the form of computer data or
any other form that is held by a service provider, relating to subscribers of its services, other than
traffic or content data, and by which any of the following can be established:
The type of communication service used, the technical provisions taken thereto and the period of
service;
The subscriber’s identity, postal or geographic address, telephone and other access number, any
assigned network address, billing and payment information that are available on the basis of the
service agreement or arrangement; or
Any other available information on the site of the installation of communication equipment that is
available on the basis of the service agreement or arrangement.
hh) Traffic Data or Non-Content Data refers to any computer data other than the content of the
communication, including, but not limited to the communication’s origin, destination, route, time,
date, size, duration, or type of underlying service; and
ii) Without Right refers to either: (i) conduct undertaken without or in excess of authority; or (ii)
conduct not covered by established legal defenses, excuses, court orders, justifications or relevant
principles under the law.
RULE 2
Punishable Acts and Penalties
Cybercrimes
Section 4. Cybercrime Offenses. – The following acts constitute the offense of core cybercrime
punishable under the Act:
A. Offenses against the confidentiality, integrity and availability of computer data and
systems shall be punished with imprisonment of prision mayor or a fine of at least Two Hundred
Thousand Pesos (P200,000.00) up to a maximum amount commensurate to the damage incurred, or
both, except with respect to number 5 herein:
1. Illegal Access – The access to the whole or any part of a computer system without right.
2. Illegal Interception – The interception made by technical means and without right, of any
non-public transmission of computer data to, from, or within a computer system, including
electromagnetic emissions from a computer system carrying such computer data: Provided,
however, That it shall not be unlawful for an officer, employee, or agent of a service
provider, whose facilities are used in the transmission of communications, to intercept,
disclose or use that communication in the normal course of employment, while engaged in
any activity that is necessary to the rendition of service or to the protection of the rights or
property of the service provider, except that the latter shall not utilize service observing or
random monitoring other than for purposes of mechanical or service control quality checks.
3. Data Interference – The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document or electronic data message, without
right, including the introduction or transmission of viruses.
4. System Interference – The intentional alteration, or reckless hindering or interference with
the functioning of a computer or computer network by inputting, transmitting, damaging,
deleting, deteriorating, altering or suppressing computer data or program, electronic
document or electronic data message, without right or authority, including the introduction
or transmission of viruses.
5. Misuse of Devices, which shall be punished with imprisonment of prision mayor, or a fine
of not more than Five Hundred Thousand Pesos (P500,000.00), or both, is committed
through any of the following acts:
a. The use, production, sale, procurement, importation, distribution or otherwise making available,
intentionally and without right, of any of the following:
i. A device, including a computer program, designed or adapted primarily for the purpose of
committing any of the offenses under these rules; or
ii. A computer password, access code, or similar data by which the whole or any part of a computer
system is capable of being accessed with the intent that it be used for the purpose of committing any
of the offenses under these rules.
b. The possession of an item referred to in subparagraphs 5(a)(i) or (ii) above, with the intent to use
said devices for the purpose of committing any of the offenses under this section.
Provided, That no criminal liability shall attach when the use, production, sale, procurement,
importation, distribution, otherwise making available, or possession of computer devices or data
referred to in this section is for the authorized testing of a computer system.
If any of the punishable acts enumerated in Section 4(A) is committed against critical infrastructure,
the penalty of reclusion temporal, or a fine of at least Five Hundred Thousand Pesos (P500,000.00)
up to maximum amount commensurate to the damage incurred, or both shall be imposed.
1. Computer-related Forgery –
a. The input, alteration or deletion of any computer data without right, resulting in inauthentic data,
with the intent that it be considered or acted upon for legal purposes as if it were authentic,
regardless whether or not the data is directly readable and intelligible; or
b. The act of knowingly using computer data, which is the product of computer-related forgery as
defined herein, for the purpose of perpetuating a fraudulent or dishonest design.
C. Content-related Offenses:
1. Any person found guilty of Child Pornography shall be punished in accordance with the penalties
set forth in Republic Act No. 9775 or the “Anti-Child Pornography Act of 2009”: Provided, That
the penalty to be imposed shall be one (1) degree higher than that provided for in Republic Act No.
9775 if committed through a computer system.
Section 5. Other Cybercrimes. – The following constitute other cybercrime offenses punishable
under the Act:
1. Cyber-squatting – The acquisition of a domain name over the internet, in bad faith, in order to
profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain
name is:
Cyber-squatting shall be punished with imprisonment of prision mayor, or a fine of at least Two
Hundred Thousand Pesos (P200,000.00) up to a maximum amount commensurate to the damage
incurred, or both: Provided, That if it is committed against critical infrastructure, the penalty
of reclusion temporal, or a fine of at least Five Hundred Thousand Pesos (P500,000.00) up to
maximum amount commensurate to the damage incurred, or both shall be imposed.
Cybersex involving a child shall be punished in accordance with the provision on child pornography
of the Act.
Where the maintenance, control, or operation of cybersex likewise constitutes an offense punishable
under Republic Act No. 9208, as amended, a prosecution under the Act shall be without prejudice to
any liability for violation of any provision of the Revised Penal Code, as amended, or special laws,
including R.A. No. 9208, consistent with Section 8 hereof.
3. Libel – The unlawful or prohibited acts of libel, as defined in Article 355 of the Revised Penal
Code, as amended, committed through a computer system or any other similar means which may be
devised in the future shall be punished with prision correccional in its maximum period to prision
mayor in its minimum period or a fine ranging from Six Thousand Pesos (P6,000.00) up to the
maximum amount determined by Court, or both, in addition to the civil action which may be
brought by the offended party: Provided, That this provision applies only to the original author of
the post or online libel, and not to others who simply receive the post and react to it.
4. Other offenses – The following acts shall also constitute an offense which shall be punished with
imprisonment of one (1) degree lower than that of the prescribed penalty for the offense, or a fine of
at least One Hundred Thousand Pesos (P100,000.00) but not exceeding Five Hundred Thousand
Pesos (P500,000.00), or both:
A. Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets,
aids, or financially benefits in the commission of any of the offenses enumerated in the Act
shall be held liable, except with respect to Sections 4(c)(2) on Child Pornography and
4(c)(4) on online Libel.
B. Attempt to Commit Cybercrime. – Any person who willfully attempts to commit any of the
offenses enumerated in the Act shall be held liable, except with respect to Sections 4(c)(2)
on Child Pornography and 4(c)(4) on online Libel.
Section 6. Corporate Liability. – When any of the punishable acts herein defined are knowingly
committed on behalf of or for the benefit of a juridical person, by a natural person acting either
individually or as part of an organ of the juridical person, who has a leading position within, based
on: (a) a power of representation of the juridical person; (b) an authority to take decisions on behalf
of the juridical person; or (c) an authority to exercise control within the juridical person, the
juridical person shall be held liable for a fine equivalent to at least double the fines imposable in
Section 7 up to a maximum of Ten Million Pesos (P10,000,000.00).
If the commission of any of the punishable acts herein defined was made possible due to the lack of
supervision or control by a natural person referred to and described in the preceding paragraph, for
the benefit of that juridical person by a natural person acting under its authority, the juridical person
shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a
maximum of Five Million Pesos (P5,000,000.00).
The liability imposed on the juridical person shall be without prejudice to the criminal liability of
the natural person who has committed the offense.
Section 7. Violation of the Revised Penal Code, as Amended, Through and With the Use of
Information and Communication Technology. – All crimes defined and penalized by the Revised
Penal Code, as amended, and special criminal laws committed by, through and with the use of
information and communications technologies shall be covered by the relevant provisions of the
Act: Provided, That the penalty to be imposed shall be one (1) degree higher than that provided for
by the Revised Penal Code, as amended, and special laws, as the case may be.
Section 8. Liability under Other Laws. – A prosecution under the Act shall be without prejudice to
any liability for violation of any provision of the Revised Penal Code, as amended, or special
laws: Provided, That this provision shall not apply to the prosecution of an offender under (1) both
Section 4(c)(4) of R.A. 10175 and Article 353 of the Revised Penal Code; and (2) both Section
4(c)(2) of R.A. 10175 and R.A. 9775 or the “Anti-Child Pornography Act of 2009”.
RULE 3
Enforcement and Implementation
Section 9. Law Enforcement Authorities. – The National Bureau of Investigation (NBI) and the
Philippine National Police (PNP) shall be responsible for the efficient and effective law
enforcement of the provisions of the Act. The NBI and the PNP shall organize a cybercrime
division or unit to be manned by Special Investigators to exclusively handle cases involving
violations of the Act.
The NBI shall create a cybercrime division to be headed by at least a Head Agent. The PNP shall
create an anti-cybercrime unit headed by at least a Police Director.
The DOJ – Office of Cybercrime (OOC) created under the Act shall coordinate the efforts of the
NBI and the PNP in enforcing the provisions of the Act.
Section 10. Powers and Functions of Law Enforcement Authorities. – The NBI and PNP
cybercrime unit or division shall have the following powers and functions:
Section 11. Duties of Law Enforcement Authorities. – To ensure that the technical nature of
cybercrime and its prevention is given focus, and considering the procedures involved for
international cooperation, law enforcement authorities, specifically the computer or technology
crime divisions or units responsible for the investigation of cybercrimes, are required to submit
timely and regular reports including pre-operation, post-operation and investigation results, and
such other documents as may be required to the Department of Justice (DOJ) – Office of
Cybercrime for review and monitoring.
Law enforcement authorities shall act in accordance with the guidelines, advisories and procedures
issued and promulgated by the competent authority in all matters related to cybercrime, and utilize
the prescribed forms and templates, including, but not limited to, preservation orders, chain of
custody, consent to search, consent to assume account/online identity and request for computer
forensic examination.
Section 12. Preservation and Retention of Computer Data. – The integrity of traffic data and
subscriber information shall be kept, retained and preserved by a service provider for a minimum
period of six (6) months from the date of the transaction. Content data shall be similarly preserved
for six (6) months from the date of receipt of the order from law enforcement authorities requiring
its preservation.
Law enforcement authorities may order a one-time extension for another six (6) months: Provided,
That once computer data that is preserved, transmitted or stored by a service provider is used as
evidence in a case, the mere act of furnishing such service provider with a copy of the transmittal
document to the Office of the Prosecutor shall be deemed a notification to preserve the computer
data until the final termination of the case and/or as ordered by the Court, as the case may be.
The service provider ordered to preserve computer data shall keep the order and its compliance
therewith confidential.
Section 13. Collection of Computer Data. – Law enforcement authorities, upon the issuance of a
court warrant, shall be authorized to collect or record by technical or electronic means, and the
service providers are required to collect or record by technical or electronic means and/or to
cooperate and assist in the collection or recording of computer data that are associated with
specified communications transmitted by means of a computer system.
The court warrant required under this section shall be issued or granted upon written application,
after the examination under oath or affirmation of the applicant and the witnesses he may produce,
and the showing that: (1) there are reasonable grounds to believe that any of the crimes enumerated
hereinabove has been committed, is being committed or is about to be committed; (2) there are
reasonable grounds to believe that the evidence that will be obtained is essential to the conviction of
any person for, or to the solution of, or to the prevention of any such crimes; and (3) there are no
other means readily available for obtaining such evidence.
Section 14. Disclosure of Computer Data. – Law enforcement authorities, upon securing a court
warrant, shall issue an order requiring any person or service provider to disclose or submit, within
seventy-two (72) hours from receipt of such order, subscriber’s information, traffic data or relevant
data in his/its possession or control, in relation to a valid complaint officially docketed and assigned
for investigation by law enforcement authorities, and the disclosure of which is necessary and
relevant for the purpose of investigation.
Law enforcement authorities shall record all sworn complaints in their official docketing system for
investigation.
Section 15. Search, Seizure and Examination of Computer Data. – Where a search and seizure
warrant is properly issued, the law enforcement authorities shall likewise have the following powers
and duties:
a. Within the time period specified in the warrant, to conduct interception, as defined in this Rules,
and to:
b. Pursuant thereto, the law enforcement authorities may order any person, who has knowledge
about the functioning of the computer system and the measures to protect and preserve the computer
data therein, to provide, as is reasonable, the necessary information to enable the undertaking of the
search, seizure and examination.
c. Law enforcement authorities may request for an extension of time to complete the examination of
the computer data storage medium and to make a return thereon, but in no case for a period longer
than thirty (30) days from date of approval by the court.
Section 16. Custody of Computer Data. – All computer data, including content and traffic data, that
are examined under a proper warrant shall, within forty-eight (48) hours after the expiration of the
period fixed therein, be deposited with the court in a sealed package, and shall be accompanied by
an affidavit of the law enforcement authority executing it, stating the dates and times covered by the
examination, and the law enforcement authority who may have access to the deposit, among other
relevant data. The law enforcement authority shall also certify that no duplicates or copies of the
whole or any part thereof have been made or, if made, that all such duplicates or copies are included
in the package deposited with the court. The package so deposited shall not be opened, or the
recordings replayed, or used in evidence, or their contents revealed, except upon order of the court,
which shall not be granted except upon motion, with due notice and opportunity to be heard to the
person or persons whose conversation or communications have been recorded.
Section 17. Destruction of Computer Data. – Upon expiration of the periods as provided in
Sections 12 and 15 hereof, or until the final termination of the case and/or as ordered by the Court,
as the case may be, service providers and law enforcement authorities, as the case may be, shall
immediately and completely destroy the computer data that are the subject of a preservation and
examination order or warrant.
Section 18. Exclusionary Rule. – Any evidence obtained without a valid warrant or beyond the
authority of the same shall be inadmissible for any proceeding before any court or tribunal.
The Rules of Court shall have suppletory application in implementing the Act.
Section 19. Non-compliance. – Failure to comply with the provisions of Chapter IV of the Act, and
Rules 7 and 8 of Chapter VII hereof, specifically the orders from law enforcement authorities, shall
be punished as a violation of Presidential Order No. 1829 (entitled “Penalizing Obstruction Of
Apprehension And Prosecution Of Criminal Offenders”) with imprisonment of prision
correccional in its maximum period, or a fine of One Hundred Thousand Pesos (P100,000.00), or
both for each and every noncompliance with an order issued by law enforcement authorities.
Section 20. Extent of Liability of a Service Provider. – Except as otherwise provided in this
Section, no person or party shall be subject to any civil or criminal liability in respect of a computer
data for which the person or party acting as a service provider merely provides access if such
liability is founded on:
b. The making, publication, dissemination or distribution of such computer data or any statement
made in such computer data, including possible infringement of any right subsisting in or in relation
to such computer data: Provided, That:
1. The service provider does not have actual knowledge, or is not aware of the facts or
circumstances from which it is apparent, that the making, publication, dissemination or
distribution of such material is unlawful or infringes any rights subsisting in or in relation to
such material;
2. The service provider does not knowingly receive a financial benefit directly attributable to
the unlawful or infringing activity; and
3. The service provider does not directly commit any infringement or other unlawful act, does
not induce or cause another person or party to commit any infringement or other unlawful
act, and/or does not directly benefit financially from the infringing activity or unlawful act
of another person or party: Provided, further, That nothing in this Section shall affect:
ii. The obligation of a service provider as such under a licensing or other regulatory regime
established under law;
iv. The civil liability of any party to the extent that such liability forms the basis for injunctive relief
issued by a court under any law requiring that the service provider take or refrain from actions
necessary to remove, block or deny access to any computer data, or to preserve evidence of a
violation of law.
RULE 4
Jurisdiction
Section 21. Jurisdiction. – The Regional Trial Court shall have jurisdiction over any violation of
the provisions of the Act, including any violation committed by a Filipino national regardless of the
place of commission. Jurisdiction shall lie if any of the elements was committed within the
Philippines, or committed with the use of any computer system that is wholly or partly situated in
the country, or when by such commission any damage is caused to a natural or juridical person who,
at the time the offense was committed, was in the Philippines.
Section 22. Venue. – Criminal action for violation of the Act may be filed with the RTC of the
province or city where the cybercrime or any of its elements is committed, or where any part of the
computer system used is situated, or where any of the damage caused to a natural or juridical person
took place: Provided, That the court where the criminal action is first filed shall acquire jurisdiction
to the exclusion of other courts.
Section 23. Designation of Cybercrime Courts. – There shall be designated special cybercrime
courts manned by specially trained judges to handle cybercrime cases.
Section 24. Designation of Special Prosecutors and Investigators. – The Secretary of Justice shall
designate prosecutors and investigators who shall comprise the prosecution task force or division
under the DOJ-Office of Cybercrime, which will handle cybercrime cases in violation of the Act.
RULE 5
International Cooperation
The DOJ shall cooperate and render assistance to other contracting parties, as well as request
assistance from foreign states, for purposes of detection, investigation and prosecution of offenses
referred to in the Act and in the collection of evidence in electronic form in relation thereto. The
principles contained in Presidential Decree No. 1069 and other pertinent laws, as well as existing
extradition and mutual legal assistance treaties, shall apply. In this regard, the central authority
shall:
a. Provide assistance to a requesting State in the real-time collection of traffic data associated with
specified communications in the country transmitted by means of a computer system, with respect
to criminal offenses defined in the Act for which real-time collection of traffic data would be
available, subject to the provisions of Section 13 hereof;
1. Access publicly available stored computer data located in the country or elsewhere; or
2. Access or receive, through a computer system located in the country, stored computer data
located in another country, if the other State obtains the lawful and voluntary consent of the
person who has the lawful authority to disclose the data to said other State through that
computer system.
d. Receive a request of another State for it to order or obtain the expeditious preservation of data
stored by means of a computer system located within the country, relative to which the requesting
State shall submit a request for mutual assistance for the search or similar access, seizure or similar
securing, or disclosure of the stored computer data: Provided, That:
ii. The offense that is the subject of a criminal investigation or proceedings and a brief summary of
the related facts;
iii. The stored computer data to be preserved and its relationship to the offense;
v. That the requesting State shall submit a request for mutual assistance for the search or similar
access, seizure or similar securing, or disclosure of the stored computer data.
2. Upon receiving the request from another State, the DOJ and law enforcement agencies shall take
all appropriate measures to expeditiously preserve the specified data, in accordance with the Act
and other pertinent laws. For the purposes of responding to a request for preservation, dual
criminality shall not be required as a condition;
i. The request concerns an offense that the Philippine Government considers as a political offense or
an offense connected with a political offense; or
ii. The Philippine Government considers the execution of the request to be prejudicial to its
sovereignty, security, public order or other national interest.
4. Where the Philippine Government believes that preservation will not ensure the future
availability of the data, or will threaten the confidentiality of, or otherwise prejudice the requesting
State’s investigation, it shall promptly so inform the requesting State. The requesting State will
determine whether its request should be executed; and
5. Any preservation effected in response to the request referred to in paragraph (d) shall be for a
period not less than sixty (60) days, in order to enable the requesting State to submit a request for
the search or similar access, seizure or similar securing, or disclosure of the data. Following the
receipt of such a request, the data shall continue to be preserved pending a decision on that request.
e. Accommodate request from another State to search, access, seize, secure, or disclose data stored
by means of a computer system located within the country, including data that has been preserved
under the previous subsection.
The Philippine Government shall respond to the request through the proper application of
international instruments, arrangements and laws, and in accordance with the following rules:
i. There are grounds to believe that relevant data is particularly vulnerable to loss or modification;
or
ii. The instruments, arrangements and laws referred to in paragraph (b) of this section otherwise
provide for expedited cooperation.
2. The requesting State must maintain the confidentiality of the fact or the subject of request for
assistance and cooperation. It may only use the requested information subject to the conditions
specified in the grant.
f. Make a request to any foreign state for assistance for purposes of detection, investigation and
prosecution of offenses referred to in the Act;
g. The criminal offenses described under Chapter II of the Act shall be deemed to be included as
extraditable offenses in any extradition treaty where the Philippines is a party: Provided, That the
offense is punishable under the laws of both Parties concerned by deprivation of liberty for a
minimum period of at least one year or by a more severe penalty.
The Secretary of Justice shall designate appropriate State Counsels to handle all matters of
international cooperation as provided in this Rule.
RULE 6
Competent Authorities
Section 26. Cybercrime Investigation and Coordinating Center; Composition. – The inter-agency
body known as the Cybercrime Investigation and Coordinating Center (CICC), under the
administrative supervision of the Office of the President, established for policy coordination among
concerned agencies and for the formulation and enforcement of the national cyber security plan, is
headed by the Executive Director of the Information and Communications Technology Office under
the Department of Science and Technology (ICTO-DOST) as Chairperson; the Director of the NBI
as Vice-Chairperson; and the Chief of the PNP, the Head of the DOJ Office of Cybercrime, and one
(1) representative each from the private sector, non-governmental organizations, and the academe as
members.
The CICC members shall be constituted as an Executive Committee and shall be supported by
Secretariats, specifically for Cybercrime, Administration, and Cybersecurity. The Secretariats shall
be manned from existing personnel or representatives of the participating agencies of the CICC.
The CICC may enlist the assistance of any other agency of the government including government-
owned and -controlled corporations, and the following:
a. Bureau of Immigration;
b. Philippine Drug Enforcement Agency;
c. Bureau of Customs;
d. National Prosecution Service;
e. Anti-Money Laundering Council;
f. Securities and Exchange Commission;
g. National Telecommunications Commission; and
h. Such other offices, agencies and/or units, as may be necessary.
The DOJ Office of Cybercrime shall serve as the Cybercrime Operations Center of the CICC and
shall submit periodic reports to the CICC.
Participation and representation in the Secretariat and/or Operations Center does not require
physical presence, but may be done through electronic modes such as email, audio-visual
conference calls, and the like.
Section 27. Powers and Functions. – The CICC shall have the following powers and functions:
a. Formulate a national cybersecurity plan and extend immediate assistance for the suppression
of real-time commission of cybercrime offenses through a computer emergency response
team (CERT);
b. Coordinate the preparation of appropriate and effective measures to prevent and suppress
cybercrime activities as provided for in the Act;
c. Monitor cybercrime cases being handled by participating law enforcement and prosecution
agencies;
d. Facilitate international cooperation on intelligence, investigations, training and capacity-
building related to cybercrime prevention, suppression and prosecution through the DOJ-
Office of Cybercrime;
e. Coordinate the support and participation of the business sector, local government units and
NGOs in cybercrime prevention programs and other related projects;
f. Recommend the enactment of appropriate laws, issuances, measures and policies;
g. Call upon any government agency to render assistance in the accomplishment of the CICC’s
mandated tasks and functions;
h. Establish and perform community awareness program on cybercrime prevention in
coordination with law enforcement authorities and stakeholders; and
i. Perform all other matters related to cybercrime prevention and suppression, including
capacity-building and such other functions and duties as may be necessary for the proper
implementation of the Act.
Section 28. Department of Justice (DOJ); Functions and Duties. – The DOJ-Office of Cybercrime
(OOC), designated as the central authority in all matters related to international mutual assistance
and extradition, and the Cybercrime Operations Center of the CICC, shall have the following
functions and duties:
a. Act as a competent authority for all requests for assistance for investigation or proceedings
concerning cybercrimes, facilitate the provisions of legal or technical advice, preservation
and production of data, collection of evidence, giving legal information and location of
suspects;
b. Act on complaints/referrals, and cause the investigation and prosecution of cybercrimes and
other violations of the Act;
c. Issue preservation orders addressed to service providers;
d. Administer oaths, issue subpoena and summon witnesses to appear in an investigation or
proceedings for cybercrime;
e. Require the submission of timely and regular reports including pre-operation, post-operation
and investigation results, and such other documents from the PNP and NBI for monitoring
and review;
f. Monitor the compliance of the service providers with the provisions of Chapter IV of the
Act, and Rules 7 and 8 hereof;
g. Facilitate international cooperation with other law enforcement agencies on intelligence,
investigations, training and capacity-building related to cybercrime prevention, suppression
and prosecution;
h. Issue and promulgate guidelines, advisories, and procedures in all matters related to
cybercrime investigation, forensic evidence recovery, and forensic data analysis consistent
with industry standard practices;
i. Prescribe forms and templates, including, but not limited to, those for preservation orders,
chain of custody, consent to search, consent to assume account/online identity, and request
for computer forensic examination;
j. Undertake the specific roles and responsibilities of the DOJ related to cybercrime under the
Implementing Rules and Regulation of Republic Act No. 9775 or the “Anti-Child
Pornography Act of 2009”; and
k. Perform such other acts necessary for the implementation of the Act.
Section 29. Computer Emergency Response Team (CERT). – The DOST-ICT Office shall
establish and operate the Computer Emergency Response Team (CERT) that shall serve as
coordinator for cybersecurity related activities, including but not limited to the following functions
and duties:
a. Extend immediate assistance to the CICC to fulfil its mandate under the Act with respect to
matters related to cybersecurity and the national cybersecurity plan;
b. Issue and promulgate guidelines, advisories, and procedures in all matters related to cybersecurity
and the national cybersecurity plan;
c. Facilitate international cooperation with other security agencies on intelligence, training, and
capacity-building related to cybersecurity; and
d. Serve as the focal point for all instances of cybersecurity incidents by:
The Philippine National Police and the National Bureau of Investigation shall serve as the field
operations arm of the CERT. The CERT may also enlist other government agencies to perform
CERT functions.
RULE 7
Duties of Service Providers
Section 30. Duties of a Service Provider. – The following are the duties of a service provider:
a. Preserve the integrity of traffic data and subscriber information for a minimum period of six
(6) months from the date of the transaction;
b. Preserve the integrity of content data for six (6) months from the date of receipt of the order
from law enforcement or competent authorities requiring its preservation;
c. Preserve the integrity of computer data for an extended period of six (6) months from the
date of receipt of the order from law enforcement or competent authorities requiring
extension on its preservation;
d. Preserve the integrity of computer data until the final termination of the case and/or as
ordered by the Court, as the case may be, upon receipt of a copy of the transmittal document
to the Office of the Prosecutor;
e. Ensure the confidentiality of the preservation orders and its compliance;
f. Collect or record by technical or electronic means, and/or cooperate and assist law
enforcement or competent authorities in the collection or recording of computer data that are
associated with specified communications transmitted by means of a computer system, in
relation to Section 13 hereof;
g. Disclose or submit subscriber’s information, traffic data or relevant data in his/its possession
or control to law enforcement or competent authorities within seventy-two (72) hours after
receipt of order and/or copy of the court warrant;
h. Report to the DOJ – Office of Cybercrime compliance with the provisions of Chapter IV of
the Act, and Rules 7 and 8 hereof;
i. Immediately and completely destroy the computer data subject of a preservation and
examination after the expiration of the period provided in Sections 13 and 15 of the Act; and
j. Perform such other duties as may be necessary and proper to carry into effect the provisions
of the Act.
Section 31. Duties of a Service Provider in Child Pornography Cases. – In line with RA 9775 or
the “Anti-Child Pornography Act of 2009”, the following are the duties of a service provider in
child pornography cases:
1. An internet service provider (ISP)/internet content host shall install available technology,
program or software, such as, but not limited to, system/technology that produces hash value
or any similar calculation, to ensure that access to or transmittal of any form of child
pornography will be blocked or filtered;
2. Service providers shall immediately notify law enforcement authorities within seven (7)
days of facts and circumstances relating to any form of child pornography that passes through
or are being committed in their system; and
3. A service provider or any person in possession of traffic data or subscriber’s information,
shall, upon the request of law enforcement or competent authorities, furnish the particulars
of users who gained or attempted to gain access to an internet address that contains any form
of child pornography. ISPs shall also preserve customer data records, specifically the time,
origin, and destination of access, for purposes of investigation and prosecution by relevant
authorities under Sections 9 and 11 of R.A. 9775.
RULE 8
Prescribed Forms and Procedures
Section 32. Prescribed Forms and Procedures. – The DOJ – Office of Cybercrime shall issue and
promulgate guidelines, advisories, and procedures in all matters related to cybercrime, investigation,
forensic evidence recovery, and forensic data analysis consistent with international best practices, in
accordance with Section 28(h) and (i) hereof.
It shall also prescribe forms and templates such as, but not limited to, preservation orders, chain of
custody, consent to search, consent to assume account/online identity, request for computer forensic
assistance, write-blocking device validation and first responder checklist.
RULE 9
Final Provisions
Section 33. Appropriations. – The amount of Fifty Million Pesos (P50,000,000.00) shall be
appropriated annually for the implementation of the Act under the fiscal management of DOJ –
Office of Cybercrime.
Section 34. Separability Clause. – If any provision of these Rules is held invalid, the other
provisions not affected shall remain in full force and effect.
Section 35. Repealing Clause. – All rules and regulations inconsistent with these Rules are hereby
repealed or modified accordingly.
Section 36. Effectivity. – These rules and regulations shall take effect fifteen (15) days after the
completion of its publication in at least two (2) newspapers of general circulation.
Republic Act 10175 – Cybercrime Prevention Act was signed into law on September 12,
2012. This law is already in effect, as the Supreme Court upheld its constitutionality
(February 18, 2014), although some provisions were deemed unconstitutional (struck down),
particularly Sections 4(c)(3), 7, 12, and 19.
If you are going to include all provisions in the Revised Penal Code, there can even be more than
16 types of cybercrime as a result.
Section 7 was struck down by the Supreme Court as it violated the provision on double
jeopardy.
3. Jurisdiction
(a) The Regional Trial Courts designated as special cybercrime courts shall have jurisdiction over
any violation of the provisions of this Act, including any violation committed by a Filipino
national regardless of the place of commission. Jurisdiction shall lie if any of the elements was
committed within the Philippines or committed with the use of any computer system wholly or
partly situated in the country, or when by such commission any damage is caused to a natural or
juridical person who, at the time the offense was committed, was in the Philippines. (Section 21)
(b) For international and trans-national cybercrime investigation and prosecution, all relevant
international instruments on international cooperation in criminal matters, arrangements agreed on
the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for
the purposes of investigations or proceedings concerning criminal offenses related to computer
systems and data, or for the collection of evidence in electronic form of a criminal offense, shall
be given full force and effect. (Section 21)
This gives the Philippines the ability to participate effectively in treaties and mutual cooperation
with countries that have counterpart legislation, especially on cybercrime cases that
have team members or victims residing in the Philippines.
The law gave police authorities the mandate they need to initiate investigations and process the
various complaints and reports they get from citizens. There are instances of online attacks, done
anonymously, where victims approach police authorities for help. They often find themselves lost
in getting investigation assistance, as police authorities cannot effectively initiate an investigation
(they can only make special requests): their legal authority to request logs or data does not exist
at all unless a case is already filed, which is hard to initiate when the attack was done anonymously.
I truly believe in giving citizen victims, regardless of stature, the necessary investigation
assistance they deserve. This law gave our police authorities just that.
The PNP and NBI shall be responsible for the enforcement of this law. This includes:
(a) The PNP and NBI are mandated to organize a cybercrime unit or center manned by special
investigators to exclusively handle cases involving violations of this Act. (Section 10).
(b) The PNP and NBI are required to submit timely and regular reports including pre-operation,
post operation, and investigation results and such other documents as may be required to the
Department of Justice for review and monitoring. (Section 11)
(d) May order a one-time extension of another six (6) months on computer data requested for
preservation. Provided, That once computer data preserved, transmitted or stored by service
provider is used as evidence in a case, the mere furnishing to such service provider of the
transmittal document to the Office of the Prosecutor shall be deemed a notification to preserve
the computer data until the termination of the case. (Section 13)
(e) Carry out search and seizure warrants on computer data (Section 15). Once done, turn over
custody in a sealed manner to the courts within 48 hours (Section 16), unless an extension of no
more than 30 days was given by the courts (Section 15).
(f) Upon expiration of time required to preserve data, police authorities shall immediately and
completely destroy the computer data subject of a preservation and examination. (section 17)
Service provider refers to any public or private entity that provides to users of its service the ability
to communicate by means of a computer system, and processes or stores computer data on behalf
of such communication service or users of such service. (Section 3(n))
(a) SP upon receipt of a court warrant from police authorities to disclose or submit subscriber’s
information, traffic data or relevant data in its possession or control shall comply within seventy-
two (72) hours from receipt of the order in relation to a valid complaint officially docketed and
assigned for investigation and the disclosure is necessary and relevant for the purpose of
investigation. (section 14)
(b) The integrity of traffic data and subscriber information relating to communication services
provided by a service provider shall be preserved for a minimum of six (6) months period from
the date of the transaction. Content data shall be similarly preserved for six (6) months from the
date of receipt of the order from law enforcement authorities requiring its preservation. (Section
13)
(c) Once computer data preserved, transmitted or stored by service provider is used as evidence
in a case, the mere furnishing to such service provider of the transmittal document to the Office
of the Prosecutor shall be deemed a notification to preserve the computer data until the
termination of the case. (Section 13)
(d) Upon expiration of time required to preserve data, SP shall immediately and completely
destroy the computer data subject of a preservation and examination. (section 17)
(e) Failure to comply with the provisions of Chapter IV specifically the orders from law
enforcement authorities shall be punished as a violation of Presidential Decree No. 1829 with
imprisonment of prision correccional in its maximum period or a fine of One hundred thousand
pesos (P100,000) or both for each and every non-compliance with an order issued by law
enforcement authorities.
Service provider protection insofar as liability is concerned is already covered under the
E-Commerce Law.
6. Responsibility of individuals
(a) Individuals upon receipt of a court warrant being required to disclose or submit subscriber’s
information, traffic data or relevant data in his possession or control shall comply within seventy-
two (72) hours from receipt of the order in relation to a valid complaint officially docketed and
assigned for investigation and the disclosure is necessary and relevant for the purpose of
investigation.
(b) Failure to comply with the provisions of Chapter IV specifically the orders from law
enforcement authorities shall be punished as a violation of Presidential Decree No. 1829 with
imprisonment of prision correccional in its maximum period or a fine of One hundred thousand
pesos (P100,000) or both for each and every non-compliance with an order issued by law
enforcement authorities.
7. Inadmissible evidence
(a) Any evidence procured without a valid warrant or beyond the authority of the same shall be
inadmissible for any proceeding before any court or tribunal. (section 18)
8. Access limitation
The Supreme Court struck down Section 19 of the law that gives the Department of Justice
powers to order the blocking of access to a site provided there is prima facie evidence supporting
it.
(a) Office of Cybercrime within the DOJ designated as the central authority in all matters relating
to international mutual assistance and extradition. (section 23)
CICC will be headed by the Executive Director of the Information and Communications
Technology Office under the Department of Science and Technology as Chairperson with the
Director of the NBI as Vice Chairperson; the Chief of the PNP, Head of the DOJ Office of
Cybercrime; and one (1) representative from the private sector and academe, as members.
(section 25)
The CICC is the cybercrime czar tasked to ensure this law is effectively implemented. (section
26)
Although the law specifically stated a fifty million pesos (P50,000,000) annual budget, the
determination as to where it would go or be allotted, I assume, shall be to the CICC.
In my discussion with lawyers, journalists, bloggers, among others, concerns were raised on how
the law can be in violation of the Constitution and other laws. This includes:
In crimes committed online, the law gives a higher penalty compared to its offline counterpart.
This is seen as a violation of principles within the E-Commerce Law, where both offline and online
evidence is given equal weight. Its implementing rules and regulations also indicated not to
give special benefit or penalty to electronic transactions just because they are committed online.
However, I note that perhaps the reason for this also is to increase the penalties. The original
Revised Penal Code, for example, gives a penalty for libel in the amount of up to six thousand pesos
(P6,000).
2. Did the Cybercrime Law criminalize online libel? Will it result in double jeopardy?
Some see the Cybercrime Law as enabling criminalization of online libel. I think that is not
correct.
Libel being a criminal offense was defined under the Revised Penal Code.
The E-Commerce Law empowered all existing laws to recognize their electronic counterparts. It
recognized both commercial and non-commercial forms. This made electronic documents (text
messages, emails, web pages, blog posts, etc.) admissible as evidence in court (they can't be denied
legal admissibility just because they are in electronic form, and they have the same primary evidence
weight). Existing penalties under the laws where the offense falls shall apply. That is why filing of libel
cases committed electronically became possible in the past years (and there were cases filed,
some won, some lost, and some are ongoing).
Libel is already a criminal offense under the Revised Penal Code as is. Then it got extended to its
electronic form since 2000 (with the recognition of its electronic form provided by the E-
Commerce Law) with existing penalties applying to it. With the Cybercrime Law, it increased the
penalty further if committed with the use of ICT.
According to Atty. Geronimo Sy (Department of Justice), during the PTV4 Forum on Anti-
Cybercrime Law, a complaint on electronic libel will only have one (1) case to be filed. The
maximum penalty for electronic libel is 8 years.
Hitting the “Like” button on Facebook does not make you commit the act of libel. In this ANC
interview, Senator Ed Angara clarified that posting a comment where you get to share your
thoughts is covered under “protected expression”.
The amount of penalty is still to be set by the DOJ as there is usually no automatic degree scaling
in special penal laws. If a person who got accused of committing electronic libel also did the
same in traditional (offline) form, only one case shall be filed. It will be interesting to see how the
DOJ will implement the scaling in effect as a result of this.
The mention of libel in the Cybercrime Law is the most contested provision in the law. The
additional penalties are seen to curtail freedom of expression. Most of the petitions against the
Cybercrime Law focused on this provision.
Numerous legislators are already expressing interest as well in amending the Cybercrime Law
and Revised Penal Code.
I appreciate the need for real-time access to data, such as cellular traffic data, especially in
tracking scammers and any critical incident as it happens (such as kidnapping and other in-
progress crimes) where immediate access is important.
However, the mining of this data for surveillance can be seen as subject to abuse. Furthermore, if no
intervention, such as a judge's approval, comes first before getting access where need can be
justified.
Although I think this will slow down the process if anything needs court approval first. But other
parties believe that this is a must requirement. As the Supreme Court struck down Section 12,
I hope processes will be set up to assist law enforcement with its investigation, to hasten
court warrant issuance, especially as it receives complaints from victims of cybercrime.
As the Cybercrime Law gets upheld by the Supreme Court, here are my
personal notes on the development of its implementing rules and
regulations:
1. Ensure that procedures for police assistance and securing court orders will be fair regardless
of whether complainants can afford a lawyer to assist them or not.
2. Make the process for data access efficient so that text and online scam culprits can be made
accountable soon while ensuring that the data collected won't be abused.
I am glad that lobbying moves to strike down the whole Cybercrime Prevention Act
(Republic Act 10175) did not prosper. The law has greater purposes and intentions that can
be helpful in protecting the interest of our netizens and country online.
Does downloading through uTorrent, BitTorrent, etc. belong to the scope of the cybercrime law? Even if
the contents downloaded were already old? Like old movies, songs, etc.?
o Janette Toral, March 31st, 2014
Yes it is. But only if the copyright holder will be the one to sue you.
2. Ed, June 15th, 2015
Can the libelous or defamatory exchange in the PM inbox of Facebook be used as evidence for Libel in
RA 10175?
o Janette Toral, July 4th, 2015
Yes it can be since the year 2000 when the E-Commerce Law or Republic Act 8792 was passed.
3. JKenneth Rendal, December 25th, 2015
I've been trying to file a case against my neighbors, but they have been continuously blocking all evident
proof and other forms of evidence. They have tried all sorts of ways just for me to send the given pictures
and videos. How should I consult the NBI or the PNP with the correct approach on this? I already
tried, but authorities here in Dumaguete are still naive about the cybercrime law, and by far this has been
gradually increasing, with more of my friends experiencing the same technical issues I'm dealing with.
They are using the OS program Linux. Please give me an IT or programmer who's under the supervision
of the NBI or the PNP to contact in Region 7, please.
4. Dhan Jarin, February 24th, 2016
Hello, does this cover selling online? I was cheated by the seller I bought a laptop from. The item
is defective. What case can I file for that? Thank you.
o Janette Toral, February 25th, 2016
Hi Dhan. You can file a complaint with the NBI or PNP. It is covered by the Consumer Act of the Philippines.
5. Danriel Caberto, June 12th, 2017
Hi. Ma'am, I would like to ask if this covers a situation where the person you quarreled with keeps posting
online but she's not naming you. She has a lot of posts, ma'am, concerning our fight, and is even using bad
words. Her posts don't contain my name, and the issue is that she says I gossiped about her
having another partner, and she is making me pay her 10k for moral damage. I
can't afford to pay her, so she has already posted a lot. What case can I file against her?
o Janette Toral, July 11th, 2017
If it does not mention you in any way – it will be hard to push it. Unless this person started giving clues that
will clearly allude to you.
6. Gail satorre, June 16th, 2017
Can the libelous or defamatory exchange in the PM inbox of Skype be used as evidence for Libel in
RA 10175?
o Janette Toral, July 11th, 2017
It can be. But it will also put the person sharing that conversation at risk for violating confidentiality.
7. Remo, June 26th, 2017
If somebody blackmails someone to post their nude pictures online, does it come under cyber crime?
o Janette Toral, July 11th, 2017
Yes and other related crimes (including extortion).