Skip to main content

Data Privacy in the Time of Leaks and Hackers

Written by Pericles Casuela.

#Comeleak became a trending topic early in 2016 when hackers exposed the data of over 55 million registered voters. The wealth of information leaked included crucial data that could enable identity theft – including full names, birthdays, addresses, height, weight, and passport details, among others.
 
Roughly a year after, the National Privacy Commission (NPC) released a press statement singling out Chairman Andres Bautista of the Commission on Elections (COMELEC) as the lone officio personally liable for the leak. The NPC posits that Bautista is liable under the Data Privacy Act of 2012 for failing to put data privacy policies in place. Specifically, NPC recommends the filing of criminal charges against Bautista based on Section 26, which provides for a penalty of imprisonment for one to three years and a fine ranging from Php500,000 to Php2,000,000.00 for accessing of personal information due to negligence, and a penalty of imprisonment for three to six years and a fine ranging from Php500,000 to Php4,000,000.00 for accessing sensitive personal information due to negligence.
 
COMELEC, for its part, issued a statement maintaining that data breach is not a new phenomenon, and that it has been following generally accepted standards and international best practices regarding technology-related activities. In his personal Facebook page, Bautista shared a December 2016 news article pertaining to Yahoo! data security issues, wherein the international tech-giant admitted that over one billion user accounts have been hacked. Indeed, “Comeleak” is just one of the many “leaks” surfacing in the political arena – with a number of otherwise privileged information/communication being exposed via “WikiLeaks”, among others.
 
At present, there is yet no landmark Supreme Court decision tackling the Data Privacy Act. To what extent can individuals be protected? What measures are expected to be taken? If even tech giants are vulnerable to hackers, is anyone really safe? Where do we draw the line in establishing liability? It would be interesting to monitor the jurisprudential development of data privacy laws as this case progresses.