Pursuing individual data privacy
It is 35 days before Christmas, and everyone is excited to experience the joy this Yuletide season will bring after it was suppressed by the pandemic. Surely, like most people, a lot of us pray for money to spend for the occasion. As if in answer from up above, Bon (not his real name) received a Short Message Service (SMS or text) message from an “angel” who addressed him by name and offered a cash loan. Since the sender knew his name, Bon trustingly clicked the link that came with it. And true enough, after filling out and submitting a downloadable form where he supplied valuable information about himself, he got P3,000 out of the P5,000 loaned amount. But he had to pay the loan, with exorbitant interest and a “processing fee” deducted in advance, within a week.
Since Bon missed the deadline, he began receiving death threats. Worse, unscrupulous text messages alleging Bon’s lewd activities were sent by the creditor to every one of his contacts. He was as devastated as he was ballistic, like all too many who have been victimized by this scam. But somehow, they were comforted by the thought that the Subscriber Identity Module (SIM) Card Registration Act (Republic Act or RA 11934) has been signed into law.
If Bon, the other victims of text scams and the rest of us think that RA 11934 will spare us from these online crooks, we are wrong. The law, enacted in October, will take effect only on Dec. 27, 2022, because its implementing rules have yet to be completed. Besides, even when the law becomes effective, it can at best provide a means to identify perpetrators of fraud committed through spam texts and scam messages. And such identification must conform with a process prescribed under the law.
The law basically requires that all SIM cards sold by public telecommunication entities (PTEs or telcos), their agents and resellers be in a deactivated state. They will only be activated after the end-user completes a registration process by submitting online a pro forma number-controlled document and presenting a valid government-issued identification card to validate the information provided. Existing owners of active SIM cards have until the end of June 2023 to register their SIM cards or face deactivation. The period of registration can be extended up to November 2023 if needed. That will be a long wait before all SIM cards are registered and the intent of the law is achieved!
Opposition from the usual government critics and peddlers of distrust like Bayan tends to discredit this move and delay the SIM card registration. They raise the issue of subscribers losing their “anonymity” by submitting personal information like name, birthday, gender and address to PTEs. It bears asking: what could be lost when these are the very same data many of us have already surrendered in various instances and on social media? Besides, as a safeguard, the law mandates that PTEs, not the government, shall be the sole repository of the data and that it be treated with absolute confidentiality. Aside from stiff penalties for infractions, the information may be revealed only through court orders, subpoenas or other legal processes, in cases of investigation or in the prosecution of criminal offenses involving the use of mobile phones.
Identification of the perpetrator, however, is but a step in the process of instituting legal action. It will have to undergo a long process of court litigation before a conviction can be rendered and the finality of judgment is issued by the court. It will be best not to fall prey to criminals whose cunning and design evolve with technology. But one may wonder, how are these defrauders able to get hold of full names, mobile numbers and email addresses of their prospective victims?
The Covid-19 pandemic required the filling out of forms or applications with sensitive personal information, primarily for purposes of contact tracing, in exchange for access to establishments and other services like health. Lacking other recourse and to comply with the health emergency protocol, we were constrained into freely providing our names, addresses, contact details and even email addresses. And the improper handling, sharing or, worse, selling of this personal information is the primary suspect for the proliferation of text scams and online phishing.
Raymund Liboro, former head of the Data Privacy Commission and founder of think tank Privacy and Security by Design, blames the data aggregators of Globe, Smart and DITO Telecommunity. He says the contractors of these telcos could be the sources of data leaks. Former national telecommunications commissioner Edgardo Cabarios agrees.
Given these situations of possible data compromise, however, we are not without options. We have the Data Privacy Act (RA 10173), which provides for rights and offers protection. And we must keep abreast of its provisions.
The Data Privacy Act protects individuals from unauthorized processing (creation and collection, storage and transmission, usage and distribution, retention and disposal and destruction) of personal information that is private and not publicly available. The law also protects persons from processing of information where they, although not directly named, could be identified by direct attribution or by deduction.
We should know that data subjects (the owners of the information) cannot be compelled to provide such data without their written and informed consent. By informed consent, the law requires that individuals being asked for their personal data be apprised of the specific, legitimate and reasonable purpose for collecting such information. Otherwise, the owner of the information may refuse to provide the information asked for. But in cases where the pieces of information required are necessary in availing of government services, or in compliance with health protocols or health declarations to grant access to establishments, consent is not required.
All said, we are our own repository and the ones in control of our personal information. While we have the SIM Card Registration Act, the Data Privacy Act and the Cybercrime Prevention Act, they are but tools to protect our rights and to secure our identities. There is no substitute for prudence in taking into account all the possible consequences of giving personal information to, and consenting to its use by, applications, software and social media platforms that require it.