Philippine Data Privacy 101: Why should you care?

Tech giant Bill Gates had this to say about data privacy rights today:

“Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments but for private companies.”

Bill Gates

I. The big business of data

Big Data and Artificial Intelligence are hot topics right now. In today’s global and competitive market, corporations and businesses are racing to increase marketing and sales effectiveness through improving user and customer experiences with greater insights. This is the primary force driving the AI and Machine learning industries today.

According to Forbes Magazine the AI industry has the potential to create an additional $2.6Trillion (USD) in value by 2020 for marketing and sales and $2Trillion (USD) in manufacturing and supply chain planning. Forbes sites an IDC prediction that worldwide spending on AI systems could reach $77.6B (USD) in 2022.1

Applications of AI and machine learning technology have also been very impactful in the political arena. Cambridge Analytica claimed it had up to 5,000 data points on each American citizen. It was hired by the Trump campaign, which successfully won the 2016 presidential election.

What is the driver of this new industry? The simple answer is Data.

Tech giants like Amazon, Google, Facebook and Netflix have used customer data and data analytics for customer acquisition, retention and growth.

They have generated Billions of dollars in profit from the data of individuals worldwide.

We generate huge amounts of data everyday through social media, e-commerce transactions, emails, post likes, video views, web searches, uploads etc… Our electronic devices such as phones and computers log every action. These online platforms often times have more insights into our daily decisions than ourselves. Data about individuals are sold, analyzed and used to target them

with advertisements and draw insights and conclusions used to influence behavior, which translate into huge profits.

II. Data as property right

Philippine law has greatly adopted the principles of the GDPR, primarily the concept of personal data as a property right owned by the data subject. In other words: your data is owned by you and not the controller or processor of the data.

Very interestingly, the Philippine Data Privacy Act of 20122 declares that the right to privacy is a HUMAN RIGHT. But this right has to be balanced with the vital role of information and communication technology in nation-building. [How this balance is executed will be determined by regulators and interpreted further by the courts].

Under Philippine law, personal information is defined as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

III. Data privacy rights of individuals

Individuals have the following rights under Philippine law:

1. Right to be informed of the following:

a. Whether or not personal information on the individual has been/is currently or will be processed by the data collector or processor.

b. Be furnished the following information prior to processing the data on the individual:

i. A description of the information

ii. The purpose/s for processing the data

iii. The scope and method of processing the data

iv. The recipients or potential recipients of the data

v. The methods utilized for automated access of the data

vi. The identity and contact details of the personal information controller

vii. The period the data will be stored

viii. The existence of their rights

2. Right to access the following information upon demand:

a. The contents of his/her data processed

b. Sources from which the data was obtained

c. Names and addresses of recipients of his/her data

d. The manner of processing the his/her data

e. The reasons for disclosing the data with the recipients

f. Information on automated processes

g. Specific date when his or her data was last accessed or modified

h. The designation/name/identity and address of the personal information controller

3. Right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly.

4. Right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected.

5. Right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

6. Right to data portability or to obtain a copy of data undergoing processing in an electronic or structured format.

All these rights are transmissible and may pass on to the lawful heirs/assignees of the individual or data subject.

These rights, although not comprehensive, are a huge step in regulating data privacy of data subjects under Philippine law. It would be interesting to know how this policy is fine-tuned and transforms as new technology and business models evolve.

The business of data collection, analytics and machine learning is here to stay. There is just so much value in information. Both corporations and various governments are capable of collecting, analyzing and extracting huge amounts of data on every individual on the planet. Although it is difficult to predict the future of data collection, processing and use, it is comforting to know that certain jurisdictions like the Philippines and EU have recognized the rights of individuals to their own data. Hopefully further data policy can be developed from there.