Protection of Personal Data

(This article was first published in Sun.Star Cebu last September 15.)

One of the biggest concerns in e-commerce implementation today is whether the privacy of personal information can’t be compromised or abused.

From a practical perspective, this is where each one of us had to be cautious whenever our personal information is being asked for. Regardless of establishment, we have every right to decide which information do we like to provide and not. It is also important to find out from the organization asking you to fill up forms, how they handle such information.

Are they sharing it to others? Will they be selling it? How secure are the systems they are using to store this information? Who has access to it? How sure are you that these personnel won’t copy the data?

Most important of all, can this organization and/or its employees be sued or liable should you have sufficient evidence that your personal data was not used for its intended purpose?

Although the E-Commerce Law did not directly specify data protection or privacy of personal data, it is covered – for as long as the personal data passes through a computer or information and communication systems. In this process, the personal data becomes an electronic document that makes it covered by the E-Commerce Law.

Any abuse of these electronic documents gives its rightful owners the chance to fight and rectify the situation using the E-Commerce Law as a basis. Of course, you don’t necessarily have to sue these entities right away. You can start by sending a request for your personal information to be removed, retrieved, corrected, among others. The user is empowered with such a choice, as stated in the implementing rules and regulation of the law.

Note however, that these rights such as removal of data can be challenged if these entities are required to fulfill data retention requirements for purposes of audit and law enforcement such as access logs, among others. The Bureau of Internal Revenue requires companies to retain receipts and financial related documents for 3 years. For government, additional 7 years archiving is also asked for.

Data abuse that can be considered as unauthorized access or illegal copying (violating intellectual property as a result) that includes violations such as giving copies to persons without lawful access or consent from its owners, gives data owners the chance to sue using hacking, cracking, or piracy provision of the law. The minimum fine is P100,000 and maximum commensurate to damage. Mandatory imprisonment from 6 months to 3 years is also included. If multiple abuses are committed, multiple counts of offenses can be filed.

The coverage of the E-Commerce Law is very broad. It covers and empowers all existing laws. The challenge still remains for us to assist other entities in interpreting the law as to how it applies to traditional laws where only paper-based printed documents are recognized such as in the area of anti-pornography and also in subjects such as human trafficking. More about this soon.