Philippine Data Privacy 101: Why should you care?
Why should you care and what are your rights under Philippine law?
Tech giant Bill Gates had this to say about data privacy rights today:
“Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules — not just for governments but for private companies.”
I. The big business of data
Big Data and Artificial Intelligence are hot topics right now. In today’s global and competitive market, corporations and businesses are racing to increase marketing and sales effectiveness through improving user and customer experiences with greater insights. This is the primary force driving the AI and Machine learning industries today.
According to Forbes Magazine, the AI industry has the potential to create an additional $2.6Trillion (USD) in value by 2020 for marketing and sales and $2Trillion (USD) in manufacturing and supply chain planning. Forbes sites an IDC prediction that worldwide spending on AI systems could reach $77.6B (USD) in 2022.
Applications of AI and machine learning technology have also been very impactful in the political arena. Cambridge Analytica claimed it had up to 5,000 data points on each American citizen. It was hired by the Trump campaign, which successfully won the 2016 presidential election.
What is the driver of this new industry? The simple answer is Data.
Tech giants like Amazon, Google, Facebook, and Netflix have used customer data and data analytics for customer acquisition, retention, and growth.
They have generated Billions of dollars in profit from the data of individuals worldwide.
We generate huge amounts of data every day through social media, e-commerce transactions, emails, post likes, video views, web searches, uploads, etc… Our electronic devices such as phones and computers log every action. These online platforms often times have more insights into our daily decisions than ourselves. Data about individuals are sold, analyzed and used to target them with advertisements and draw insights and conclusions used to influence behavior, which translates into huge profits.
II. Data as a property right
Philippine law has greatly adopted the principles of the GDPR, primarily the concept of personal data as a property right owned by the data subject. In other words: your data is owned by you and not the controller or processor of the data.
Very interestingly, the Philippine Data Privacy Act of 2012 declares that the right to privacy is a HUMAN RIGHT. But this right has to be balanced with the vital role of information and communication technology in nation-building. [How this balance is executed will be determined by regulators and interpreted further by the courts].
Under Philippine law, personal information is defined as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual.
III. Data privacy rights of individuals
Individuals have the following rights under Philippine law:
1. Right to be informed of the following:
a. Whether or not personal information on the individual has been/is currently or will be processed by the data collector or processor.
b. Be furnished the following information prior to processing the data on the individual:
i. A description of the information
ii. The purpose/s for processing the data
iii. The scope and method of processing data
iv. The recipients or potential recipients of the data
v. The methods utilized for automated access to the data
vi. The identity and contact details of the personal information controller
vii. The period the data will be stored
viii. The existence of their rights
2. Right to access the following information upon demand:
i. The contents of his/her data processed
ii. Sources from which the data was obtained
iii. Names and addresses of recipients of his/her data
iv. The manner of processing his/her data
v. The reasons for disclosing the data with the recipients
vi. Information on automated processes
vii. The specific date when his or her data was last accessed or modified
viii. The designation/name/identity and address of the personal information controller
3. Right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly.
4. Right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected.
5. Right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
6. Right to data portability or to obtain a copy of data undergoing processing in an electronic or structured format.
Republic Act 10173
All these rights are transmissible and may pass on to the lawful heirs/assignees of the individual or data subject.
These rights, although not comprehensive, are a huge step in regulating data privacy of data subjects under Philippine law. It would be interesting to know how this policy is fine-tuned and transforms as new technology and business models evolve.
The business of data collection, analytics, and machine learning is here to stay. There is just so much value in information. Both corporations and various governments are capable of collecting, analyzing and extracting huge amounts of data on every individual on the planet. Although it is difficult to predict the future of data collection, processing, and use, it is comforting to know that certain jurisdictions like the Philippines and EU have recognized the rights of individuals to their own data. Hopefully, further data policy can be developed from there.
This article is also published on Medium.