A new NPC and the future of data privacy

In the middle of December last year, the National Privacy Commission (NPC), the country’s data protection authority, finally found itself under new management, with the departure of the body’s last original member. Looking at its new roster, however, it’s apparent the change is not that substantial. They have all been part of the agency, just working in different roles.

Nevertheless, the transition is a welcome development for privacy advocates around the country. The local landscape is riddled with data protection issues. A number of them relate to the NPC itself. If they remain unchecked, confidence in the domestic data protection regime will wane. Violations of the Data Privacy Act (DPA) will become more prevalent, as people gradually lose interest even in the appreciation of their own rights. That would be tragic.

To avoid such fate, there are several matters the Commission must focus its attention on. One might say they are responsible for stunting the growth and proper maturation of data protection this side of the world.

At the top of the list is the much-awaited issuance by the NPC of a schedule of fines. It would be its basis for imposing regulatory fines on erring personal information controllers (PICs) and personal information processors (PIPs). The Commission has released a draft of the Circular, and requested comments thereon. It carried out consultations, and then promised to publish the policy some time mid-2021. To date, it is nowhere to be seen. Without it, many view the agency as a toothless tiger, unable to strike terror into entities that choose to ignore or intentionally violate data protection regulations.

The Commission should also recall its commitment to facilitate the inclusion of the data protection officer (DPO)—and even compliance officers for privacy—in the government’s Position Classification and Compensation System. Until that is fulfilled, most government entities are unable to hire or designate DPOs who can take their jobs seriously—and effectively. They are forced to assign DPO tasks to individuals already burdened with existing functions. For these people, taking on the job of a DPO is often the last thing on their mind. Not only is the set of responsibilities quite onerous, the field of data protection itself needs some getting used to. Valuable training and mentoring is crucial; extremely difficult, if one has two or more other roles to attend to.

There ought be greater transparency in the outcomes of the NPC’s investigations, as well. The Commission has not been shy when announcing investigations involving high-profile data protection issues. As of today, there is already a long list of probes it has launched through the years. The problem is that the public is rarely informed of the results of such investigations. Unlike its foreign counterparts, the NPC often keeps mum after its announcements are made. If one does hear from them again, it’s usually because there’s another investigation in the works. It cannot continue like this. The people need assurance that their welfare is being attended to. PICs and PIPs, on the other hand, must be reminded that there’s a public authority looking over their shoulders, prepared to hold them accountable if circumstances should so warrant. Disclosing the results of investigations achieves both.

The NPC should also enhance and expand its stakeholder engagements. The data privacy councils established a couple of years back was a good start, but the mechanism has stagnated for the most part. The primary goal of the initiative is the development of sectoral privacy codes that would aid PICs and PIPs belonging to the same industry in complying with data protection regulations. The idea is that they are best suited to come up with supplementary rules and guidance that cater to their unique issues and concerns. So far, however, it doesn’t look like a single sector has actually come up with one. Addressing this has to be complemented with better coordination with civil society, including the academe, independent researchers, and the media. Public consultations prior to the release of key policies and initiatives are always critical.

It is also imperative that the NPC adopts a more neutral posture vis-à-vis technologies and data processing systems, especially those maintained by government entities. The former Privacy Commissioner was fond of insisting that the agency is not a “gatekeeper of public policy and technology”. It cannot determine what can and cannot be implemented. This view is erroneous. Part of a privacy watchdog’s mandate is to scrutinize and even oppose policies and technologies it finds devoid of public good, particularly in terms of privacy rights. The NPC, however, looks to be neither of the two at the moment. It has not presented itself as overtly rights-leaning, but neither has it been consistently neutral.

One quick look at its active promotion of the national ID system says it all. That program, which has significant privacy implications, is made possible by a set of technologies and has a national law standing behind it. To promote the system is to endorse those technologies and the policy that put it in place. So it turns out the Commission can be a gatekeeper, after all, just not in the way it is supposed to. This situation could develop into a serious problem if the Commission is someday called on to investigate the system after it suffers a data breach or becomes embroiled in some controversy. The agency’s close ties to the system would taint its efforts with bias or at least a conflict of interest. Why? Because as an independent regulator it is only supposed to keep watch over such system, not promote it with effervescent zeal.

Finally, the NPC should pursue with renewed vigor the amendments to the DPA it initiated via the House of Representatives. The proposal has already been transmitted to the Senate for its consideration. The law in its current state has a lot of elements that need revisiting. Some ought to be corrected, others removed. There are also items worth introducing in order to keep the law current and aligned with its more modern peers, as well as recent technological advancements. In this endeavor, the Commission should maintain a proper balance between the interests of various stakeholders. The primary movers of the DPA were mostly private sector entities, with little to no participation by civil society and other groups. Some of its existing weaknesses are directly attributable to that. The NPC cannot let that happen again.

On January 28, the world celebrates Data Privacy Day. Its foremost objective is to raise awareness and promote privacy and data protection best practices. This year, let it also be a timely reminder that there is still so much work to be done towards realizing a future where data protection is seamlessly embedded in our way of life. In the hands of a capable NPC, it’s possible that that future would be within reach sooner than current estimates. Are they up to the task? We’re about to find out.

This article first appeared on GMA News on January 27, 2022, 8:14 am