Are credit card details sensitive personal information?

Over the course of the week, I was asked these rather curious questions: are credit card details sensitive personal information? If they are, where is it in the Data Privacy Act (DPA) — the country’s data protection law — does it say that?

Before we get around to answering these two, it’s probably best to explain first why it is essential to make a distinction between sensitive personal information and those of the regular variety (i.e., personal information). 

For those still unfamiliar with the DPA, the law defines personal information this way: it is any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information. Sometimes, you would have to put it together with other information before their consolidated form actually manages to identify a specific individual.

With that description, the DPA then proceeds to define sensitive personal information as consisting of any of the following: 

1. Personal information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2. Personal information about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

3. Personal information issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

4. Personal information specifically established by an executive order or an act of Congress to be kept classified.

Now, why do these definitions matter?

The law treats these two concepts in different ways; that’s why. 

In terms of legal bases, the DPA has one list prepared for personal information, and another that’s meant for sensitive personal information and privileged information. If one looks at the two, it is readily apparent that the law adopts a more permissive stance when it comes to processing personal information. 

While both lists recognize consent as a proper legal bases, those grounds that apply to sensitive personal information tend to be stricter and impose more conditions. So much so that anyone looking to process sensitive personal information almost always end up having to ask for consent, since it is the only viable option for them. 

Another area where the distinction is very important is in the imposable penalties. Except only in two instances, the DPA prescribes heavier penalties when violations of the law involve sensitive personal information. By heavier penalties, we mean longer prison terms and more expensive fines. 

Given these, it’s rather obvious that the distinction does matter — a lot. 

Circling back to credit card information, it is clear from the language of the DPA that there is nothing in it that explicitly mentions this type of data as sensitive personal information. It would then be easy to see how a person can come to the conclusion that it is, in fact, just regular personal information. 

But not so fast. Note that the last part of the definition for sensitive personal information states that any personal information that is specifically established by an executive issuance or law as classified shall also qualify as one. 

That is a crucial detail because, since 2016, we already have Republic Act No. 10870, which is also known as the “Philippine Credit Card Industry Regulation Law”. This piece of legislation expressly provides that, except only in certain circumstances, credit card issuers are duty-bound to keep data on cardholders strictly confidential. More importantly, even recipients of this information are also expected to preserve its confidentiality. It’s not clear, though, if the same set of grounds for permitted disclosures also apply to the latter group. 

What does this mean? It means credit card details may actually qualify as sensitive personal information since there is, in fact, a law that mandates its treatment as strictly confidential information. 

In 2019, the National Privacy Commission (NPC) had the opportunity to elaborate on this subject in one of its policy unit’s opinions. In Privacy Policy Office Advisory Opinion No. 2019-041, a clarification was being requested regarding the implications of RA 10870, in conjunction with the DPA, on credit card fraud investigations. Specifically, the inquiring party was asking if personal information provided to online merchants could be disclosed to credit card issuers as part of said investigations. 

Unfortunately, in discussing the relevant provision of RA 10870, the agency chose to focus on the authority of credit card issuers to make permitted disclosures. It made no categorical statement as regards the classification of credit card information as sensitive personal information. Neither did it directly clarify if recipients of credit card information can also rely on the grounds for permitted disclosures available to credit card issuers. At best, one could probably argue that it may have implied the latter point, considering the question posed by the inquiring party. 

As a consequence, anyone seeking long-term relief from all this ambiguity will probably have to wait further and see if current efforts to amend the DPA actually gain ground and pass the gauntlet of lawmaking. This is because one of the key features of the bill pending at the House of Representatives is its inclusion of individual financial data and other information established by regulations as confidential in the DPA’s definition of sensitive personal information. That particular proposal, if adopted, should put to rest any lingering doubts on this issue. 

For now, we must deal with our own interpretations of the two laws and our unique way of reconciling their relevant provisions. 

Would it be fair to recognize equivalence between strictly confidential information, as described in RA 10870, and classified personal information, as a component of the DPA’s definition of sensitive personal information? I think so. It is the interpretation that offers the better cover for the rights and interests of individuals, and best represents the value proposition of data protection. And isn’t that what the DPA is for?

This article first appeared on Newsbytes.PH on September 3, 2021, 11:41 am