Beware of Facial Applications

Allowing an app to access the photographs on our mobile devices is a dangerous permission. For all we know, we might be unwittingly giving away facial recognition data, which is actually stronger than a password and which is essential to mobile banking when we do online transactions. We might become victims of identity theft and suffer financial loss because some apps may mine and harvest our data, particularly biometrics, for purposes we are not aware of. Likewise, we should not assume that something is safe just because others do it. Hence, it is best to consult information privacy professionals or IT experts on the matter.

Do we value privacy on our mobile devices?

By: Atty. Jeremy O. Panganiban

Most of the time, we unknowingly grant permission for many applications (apps, for brevity) to access our data and to perform functions that are unnecessary for the purpose of the app’s functionality (vide: 99 Privacy Breaches to be Aware of by Kevin Shepherdson, Atty. Lyn Boxall, et al., at page 281).

Many apps require us to give permission for our personal data to be revealed to third parties. A few apps may even sell our data with our permission already given! (ibid.)

My suggestion is that we must carefully read the terms of use, meticulously acquaint ourselves with the permissions, and scrutinize the app’s privacy notice before we give our consent. Please take note that, under the law, a blanket consent is void. Neither is failure to opt out of a pre-ticked box deemed valid consent when it comes to data privacy.

What does consent mean under the Data Privacy Act of 2012?

Consent is a freely given, specified and informed indication of will that the data subject gives to the collection or processing of his/her personal data.

Construing the foregoing, the National Privacy Commission opined that, if it is not clear, it is not consent. Moreover, the law explicitly requires that consent must be in writing, recorded or in electronic form. Apart from these modes, there can be no valid consent. Implied consent is not permissible. Neither is a blanket consent allowed.

Parenthetically, consent may be given not only by the data subject (an individual whose personal information is or will be processed) but also by his duly authorized representative or agent.

Given these, one may ask: Must covered entities require a documented consent every time a closed-circuit television (CCTV, for short) captures the data subject? What about a recorded telephone conversation where the data subject is informed that it will be recorded and yet he/she still proceeds with the call without expressly uttering the word “yes”? Does it amount to an implied consent? The answer to these questions is in the negative. In these situations, consent is, in a way, substituted by operational practicability, for it is impracticable, nay impossible, to document consent every single moment that a CCTV records information. Likewise, proceeding with a recorded phone conversation where the caller is informed of the recording is acceptable.

Data Privacy

Backgrounder

Since time immemorial, the right to privacy has been recognized in civilized societies. Take, for instance, the Anglo-Saxons in England, who made the edict that not even the King can enter one’s humble home. Hundreds of years later, in 1928, Justice Louis Brandeis of the United States Federal Supreme Court termed the right to privacy “the right to be left alone” in his dissenting opinion in Olmstead vs. United States.

In our own jurisdiction, in 1968, the Philippine Supreme Court acknowledged the right to privacy as deserving of constitutional guarantee in Morfe vs. Mutuc. Decades later, in 2008, it came up with the “writ of habeas data”, which safeguards a person’s right to privacy and allows the individual to control any information concerning him/her.

Note that I am speaking of privacy in general because the right to privacy takes several forms, such as the privacy of communication/correspondence, the integrity of one’s person/body, one’s home, and, most especially, personal data/information, which is the subject matter of this discussion.

In this light, sometime in 2014, the Court of Justice of the European Union in the Google Spain SL case broadened the right to privacy by recognizing the “right to be forgotten”, drawing on the 1995 Directive for Data Protection.

Indeed, data privacy laws have been in place in the West since the 1970s. But with the rapid advancement in technology and the digitization of information, personal data today has become a highly monetized product. This must be secured and protected in the face of increasing incidents of hacking and data breaches, thereby necessitating an updating of existing laws. Hence, data protection laws were enacted in the 1990s and again further updated up until recent years.

In our own country, the law has caught up with data privacy under the pressure and dictates of the modern world. Our leaders thus came up with the Data Privacy Act of 2012. However, it was not until March 2016 that the National Privacy Commission (NPC, for brevity) was appointed. The said Commission came up with the Implementing Rules and Regulations only in September 2016. Soon after, circulars, advisories and advisory opinions were released, while the NPC’s initial deadline for mandatory registration ended in September 2017. Presently, government agencies and those organizations and individuals/professionals in the covered business sectors who registered during the first deadline need not renew their registration until March 2020.

References: Partly from retired Chief Justice Artemio Panganiban; and from the National Privacy Commission