MANILA, PHILIPPINES — Just because personal information is publicly available on social media doesn’t mean someone can simply get it and use it for any purpose he or she likes.
This was the reminder of National Privacy Commission Deputy Commissioner Ivy Patdu during the conference “Countdown to Data Privacy” on Wednesday at the Crowne Plaza Hotel in Quezon City.
Patdu had made the comment in response to a question about a school using a student’s social media posts to discipline the latter.
She cited the example of a group of researchers scraping all the public profiles on a dating website, then making these available in another format. One just had to type in a name to find out if a person was registered in the dating site. The researchers didn’t get the consent of the users of the dating site, because, they reasoned, the information was publicly available.
“Their jurisdiction said, that’s not allowed. That was still a violation,” Patdu said.
What is consent? According to the Data Privacy Act, it refers to “any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.”
Patdu continued, “Even if something is publicly available, like for instance, it’s posted during election time, your name and precinct numbers are there, and your address maybe is there, you can freely look at it, it does not mean that when that is breached, there is no longer any violation… While you may have been able to collect it, which you may do so for personal use or any other purpose, the next question is, what are you gonna do with that data which you may have lawfully collected because they are publicly available? Your processing must be evaluated as against the Data Privacy Act.”
While there are court decisions in the Philippines which affirm that there is no expectation of privacy when it comes to social media, Patdu believes this may change when a case is brought before the National Privacy Commission.
“I personally believe that you can’t just dismiss the right to privacy simply because it’s in social media,” she said.
As a general rule, she explained, even if information is publicly available, one cannot assume that it is free to use for any purpose. The Data Privacy Act simple says that it is a violation if one processes personal data for unauthorized purposes.
“Exercise caution on how that personal data is used,” she stressed. “The law itself says that if what’s involved is personal data, then that’s covered by the Data Privacy Act.”
At its core, Patdu said, the Data Privacy Act is about protection of individuals and of personal data. Personal data must be protected because it may fall into the wrong hands.
She noted that the Philippine National Police had reported that identity theft had been on the rise. A case the National Privacy Commission is handling involves a person whose loan application was rejected because he bought a car and did not pay for it. Except it wasn’t really him who bought that car. All he remembered doing was giving his personal information to a supposed agent of a company that sells cars.
Financial losses aren’t the only consequence; a victim may suffer loss of reputation or discrimination. For example, if the results of a random drug test are published, or one’s illnesses are made public. The wrong use of information can cause real harm, Patdu said.
“A violation of privacy may be an affront to human dignity,” she added. And what is right to privacy? It is “the ability to control information about ourselves.”
Nevertheless, Patdu pointed out that the right of privacy is not an absolute.
“By the very mandate of the law, the intention is to balance it with other legitimate concerns (or) other legitimate interests and other freedoms that are enjoyed,” she explained. Under the Data Privacy Act, the state’s policy is to protect the right to privacy while supporting the freeflow of information for innovation, growth, and development, Patdu said.
For example, certain information about public officials are not under the scope of the Data Privacy Act, “but only as it pertains to official functions, and only in relation to contracts, and only in relation to what the is still called the legitimate concerns of the public,” Patdu emphasized.
“You have to balance where privacy should be given due importance, and where the other right and other freedoms should be given importance,” she added. Asking for the names and birthdays of politicians’ minor children was different from asking for information about politicians’ properties.
As for a public authority that performs a regulatory or law enforcement function, “they may be granted flexibility” under the Data Privacy Act. The latter will not apply to the specific information “only to the extent necessary to fulfill that particular public function.”
Does this mean that a law enforcer can go to a company and request for a list of all its employees and their medical records? The answer is no.
“Because it (Data Privacy Act) does not supplant the Constitution. The limitations provided in our Constitution will always prevail,” Patdu stressed.
Under the Constitution, she said, “You have the freedom from unwarranted search and seizure.”