Data protection issues and lessons in 2019
To many observers, there is little doubt that the issue of data protection gained prominence in the Philippines this year. Filipinos are certainly more aware of what it is, with the number of people now asserting their rights as data subjects being a good indicator.
The critical question, though, is whether this issue's new-found popularity has actually kept personal data safer, at least in the local context.
In trying to answer this question, let’s do a recap of some of the issues that hogged the headlines to get a sense of the current state of data protection in the country:
1. Passport data fiasco. The year had barely begun when Secretary Teodoro Locsin, Jr., of the Department of Foreign Affairs (DFA) came out of nowhere and caused public hysteria when he announced (via tweet) that a former contractor of the agency “made off with the data” being collected during passport application, after the company’s contract expired and was not renewed.
He would later retract his statement and clarify that the data only became inaccessible.
Meanwhile, the DFA’s Data Protection Officer, Assistant Secretary Medardo Macaraig, together with other officials, assured the nation and the National Privacy Commission (NPC), in particular, during a fact-finding inquiry that all passport data remain under the government’s full control and custody.
2. Cebuana Lhuillier data breach. Just a few days after the passport data issue started to die down, one of the country’s major non-bank financial institutions—a pawnshop and remittance company—reported a data breach involving one of its servers being used for marketing operations.
According to Cebuana, among the data compromised was customer information such as birth date, addresses, and sources of income.
The company was quick to reassure the public that transaction details were not compromised and that its main servers remained unaffected. It also claimed that the number of affected individuals only represented 3% of its total clientele. The company said that it had reported the breach to the NPC.
3. FOI data leak. Ending the first quarter of the year was another data breach—this time affecting the website of the government’s Freedom of Information (FOI) initiative. It involved the unauthorized publication of the scanned copies of IDs of individuals asking for information via the FOI website.
The breach was discovered by a columnist who himself was affected by the incident.
News about the issue dissipated fairly quickly after it was downplayed by the authorities who, despite acknowledging the flaw, dismissed it as typical of all innovations. The exposed IDs were taken down, although no notification was supposedly given to the affected individuals.
Democracy.net.ph, a civil society organization, pointed out that requiring an ID for an FOI request is actually against the internationally recognized best practices on FOI.
4. FaceApp frenzy. In terms of global notoriety, the FaceApp controversy counts itself among the top for the year.
FaceApp is a mobile application that allows users to change their physical appearance with the help of filters. It’s one of the most downloaded apps in both the Google Play Store and Apple’s App Store.
One of the early allegations was that the app supposedly collects its users' entire photo libraries. This was refuted by the company behind the app and even by some security experts who noted that it was actually using only those images uploaded by users.
In the end, it was the app’s terms of use that managed to raise more than a few eyebrows. Among others, it states that users effectively revoke their rights over their uploaded images, including other related personal data such as names and usernames, thereby allowing FaceApp’s developers to do whatever they want with the collected data.
Apart from reminding the public to read the privacy policies of mobile apps, the NPC committed to analyzing FaceApp’s privacy policy vis-à-vis the Data Privacy Act of 2012 (DPA), the country’s comprehensive data protection law.
It did not probe further into the issue, though, due to the lack of formal complaints.
5. Money-lending apps and their unlawful practices. Still, it was the issues surrounding money-lending apps that became the country’s hot-button topic for 2019.
Through applications downloaded mostly into people’s phones, borrowing money became easy, especially with debtors having to contend with fewer requirements to access small loans. In the process of installing the apps, however, people unwittingly allowed the companies behind the apps to gain unprecedented access to their phones, including their contact lists, photos, camera, microphone, and files.
Then, should they fail to settle their dues on time, they are harassed by company reps or shamed through the people on their phone directory.
According to the NPC, the agency received over 4,000 complaints (both formal and informal) involving these apps as of August 2019. In October, it summoned 67 lending firms in relation to these complaints. It banned 26 of these from processing personal data after finding them to have committed practices in violation of the DPA, and for failing or refusing to appear before the Commission.
Meanwhile, another regulator, the Securities and Exchange Commission, also issued cease-and-desist orders against 30 unregistered lenders as part of its own investigation of the issue.
These issues that cropped up over the course of the year, together with many more not included here, all appear to suggest a negative response to the question posed earlier. The bottom line seems to be that despite the assurances made by organizations that they will fairly, lawfully, and safely process people’s personal data, many are failing to live up to that promise.
It also hasn’t helped that the NPC’s actions still leave a lot to be desired or are too vague to be properly appreciated. News reports about the agency’s responses almost always end up with a mere statement indicating the agency is looking into the situation. Except for the issue involving money-lending apps, there is a dearth of information as to how the other issues are resolved, if at all.
This doesn’t bode well for next year when challenges for data protection are bound to get harder, with more and more institutions relying on harnessed personal data to operate and deliver services. For many, this setup has become integral to their existence.
Fortunately, 2019 is not only defined by issues and controversies. It has also taught us that a sound response to difficult data protection problems must consist of three things.
One, an effective regulator. The NPC has to do a whole lot more than raise awareness regarding data protection. Other components of its mandate, like more responsive policy-making, and fair but consistent enforcement of the law, will be the real test of its powers and effectiveness.
Two, more responsible data processors. Both the government and private institutions should treat data protection as a fundamental element of their operations, especially when set against today’s all too common backdrop of modernization and globalization.
And three, an engaged citizenry. People shouldn’t let themselves off the hook and should play their parts, too. While the law has given us rights over our personal data, it is up to us to assert and fight for those rights at the appropriate time and in accordance with the law.
If we take to heart that we need all three of these, 2019 will have prepared us well for whatever 2020 has up its sleeve.
Maris Miranda is a Certified Information Privacy Manager. A former member of the Privacy Policy Office of the National Privacy Commission, she now serves as a resource speaker and consultant on privacy and data protection.