Chapter 1
For: Violation of Section thirteen, in relation to Section twenty-five B of the Data Privacy Act of twenty twelve
Respondents.
RESOLUTION
For consideration of the Commission is the Motion filed by the respondents Pieceland Corporation, RCM, and AD seeking reconsideration of the Order dated eleven September twenty nineteen, which stated the following:
The DPA provides that it is the policy of the State to protect the fundamental human right of privacy. This policy taken together with the DPA's interpretation provision that states "any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interest of the individual about whom personal information is processed," signifies that the protection of the rights of the data subject is considered public interest as contemplated in Section seven C of the DPA.
In view of the foregoing, a temporary ban on the processing of personal data is hereby issued against the respondent Pieceland Corporation. The temporary ban shall cover the following:
One. The processing of personal data of the MNLCI's church members who have not yet provided their identification documents to respondents for validation; and
Two. The requirement for the use of Pieceland-issued IDs for the MNLCI church members who have already submitted their passports and IDs.
Pieceland Corporation is hereby ordered to one, return to MNLCI's church members all the copies of their passports and valid IDs; two, delete or dispose all copies of the passports and valid IDs, digital or otherwise; and three, to allow MNLCI to provide IDs for their church members and officers bearing only their photos and English names.
On twenty-five September twenty nineteen, the respondents filed their Motion for Reconsideration which argues that "to consider the complaint of MNLC as one permeated with public interest would create an absurdity." The respondents also stated, in their Motion, that they have conformed and observed, "not just a sole condition mandated in the Data Privacy Act but several of which, if not all."
The Commission denies the Motion for Reconsideration.
The respondents argue that "public interest refers to what will benefit, affects or related to the public in general not those merely of a particular class. Manila New Life Church is a corporation, a particular and specified class, composed of church members which are mostly foreign individuals, certainly they cannot be considered public in general for the protection against public interest to apply."
The respondents enumerate cases decided by the Supreme Court that gave "illustrations of entities imbued with public interests" which they claim to have "common denominators," yet they also admit that "the High Court did not categorically define public interest." They also cited the case of Valmonte versus Belmonte Junior which held that:
In determining whether or not a particular information is public concern there is no rigid test which can be applied. "Public concern" like "public interest" is a term that eludes exact definition. Both terms embrace a broad spectrum of subjects which the public may want to know, either because these directly affect their lives, or simply because such matters naturally arouse the interest of an ordinary citizen. In the final analysis, it is for the courts to determine on a case by case basis whether the matter at issue is of interest or important, as it related to or affects the public.
This supports the basis of the Order dated eleven September twenty nineteen. Based on the pronouncements of the Supreme Court, the respondents cannot limit the definition of "public interest" on the basis of the number of individuals involved. The Supreme Court has even pronounced that the term "public" is a "comprehensive, all-inclusive term" and said that "properly construed, it embraces everyone."
What the Data Privacy Act of twenty twelve provides is that the Commission may "impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest." The Commission upholds the investigating officer's position that the DPA provision stating "it is the policy of the State to protect the fundamental human right of privacy" is considered public interest as contemplated in Section seven C of the law. This declaration of policy in the DPA, having been enacted by Congress and the President, as representatives of the people, is a manifestation of a matter relating to the general welfare of the public.
Given all these, respondents' position that it is absurd to consider the complaint of MNLC as one that is permeated with public interest is not convincing.
It must be emphasized that the personal data involved (citizenship, passport number, and individual's ID number as determined by the issuing authority) fall under the enumeration of sensitive personal information which can only be processed based on the criteria provided under Section thirteen of the DPA.
The respondents anchor their claim of observing and conforming to the DPA on having obtained the consent of the members of MNLC to use the Marvin Plaza ID. They cite an e-mail dated twenty-eight June twenty nineteen from IKP, an elder of MNLC, that stated:
I am now writing this letter to you as Head of the Elder Committee of Manila New Life Church that we MNLC officially confirm that all our church member including Pastors and Elders will use Marvin Plaza ... for purposes of smooth and quick entrance to process for normal and spiritual worship on Sunday ... because serving normal and spiritual worship for their Good God is really most important and worthy matter in their whole life.
Indeed, consent is one criterion for the lawful processing of sensitive personal information under the DPA. A proper reliance on consent by a personal information controller, however, requires adherence to the provisions of the law.
The DPA provides that the consent of a data subject must be a "freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so."
In determining whether consent was freely given, the data subject must be given a real choice - that is, without any element of pressure or influence which could affect the outcome of the choice, resulting from an imbalance between the controller and the data subject. In relation to the requirement that consent be specific, such consent cannot be overly broad. For instance, "bundled" consent will generally not suffice as the data subject is not empowered to make a true choice. This means that consent to an enumeration of various, unrelated purposes of processing combined in a single paragraph cannot be considered specific because the data subject will be bound to sign off on the entire provision in toto. Consent given through an informed indication of will may include a signature, an opt-in box, sending a confirmation e-mail, or oral confirmation, among other means.
The e-mail that respondents cited in their Motion, supposedly an indication of consent as a lawful basis for processing, must be contextualized. This Commission notes that this e-mail was written after several events that have already unfolded involving the respondent corporation and their policies and the MNLC church members. The respondents have not refuted the allegations in the Complaint-Affidavit dated nineteen July twenty nineteen which stated thus:
On twelve May twenty nineteen, tempers flared resulting in exchange of words between MNLCI members and Pieceland's guards. In a letter dated fifteen May twenty nineteen, Pieceland banned two respected church members, Senior Pastor MH and LSB, from entering the Building from fourteen to nineteen May twenty nineteen.
Guard dogs are posted at the entrance and churchgoers are delayed for as long as an hour and a half before they can enter the Building. They attach pictures of the long line at the entrance endured by MNLCI's members on twenty-third June two thousand nineteen, thereby leaving mostly vacant seats by eleven o'clock AM, which is the start of our time of worship during Sundays. Such form of harassment was implemented by Pieceland by significantly reducing the entrance line to one, intended to force churchgoers to surrender their passports and valid IDs for processing by Pieceland's employees, supposedly for the production of Pieceland-issued IDs that shall be paid for by MNLCI's members.
While the consent evidenced by the email dated twenty-eighth June two thousand nineteen may be considered as specific and an informed indication of will, such cannot be considered "freely given" as contemplated in the law. An imbalance already exists between the controller and data subject, considering that the respondents control the MNLC members' access to their worship service which they describe as a "really most important and worthy matter in their whole life." As cited in the Motion, the email confirming the use of the Marvin Plaza ID was "purely for the purpose of smooth and quick entrance process for normal and spiritual worship on Sunday."
Even assuming that the email from IKP can be taken as validly obtained consent, the collection of sensitive personal data for the mandatory issuance of uniform IDs to the members of MNLC still cannot find justification under the law for failing to meet the requirements of the proportionality principle.
In their Motion, the respondents state that "to ensure safety, security measures are needed to be imposed and part of which is to identify the tenants of the buildings, visitors coming to and from and requiring them to wear identification cards."
In arguing the observance of proportionality, the respondents state that "while indeed it is true that other tenants provide an ID of their own ... [t]he reason why respondents allow them is due to the fact that other tenant's employees have two hundred one files (employee record) with them."
Notably, this is a new argument that is inconsistent with their earlier position on the supposed need for stricter security measures imposed on the members of MNLC. During the summary hearings, respondent AD, acting as the respondent corporation's Legal and Corporate External Affairs Head, stated that while the MNLC-issued IDs showed both the Korean and English names of the church members, the Korean characters were bigger and more prominent. He stated that this was a security threat to the other tenants of the building, because only the church members can read and understand the Korean characters. Also included in the annexes of the Complaint-Affidavit is a letter dated sixteenth May two thousand nineteen from the respondent corporation, through respondent AD, stating that " ... after much review of your identification cards, our security and safety consultants have observed that the archetype of the MNLCI Identification Cards are without a doubt susceptible to security breach, which may include but not limited to meager identification control system and counterfeit."
The investigating officer's Order imposing a temporary ban on processing by Pieceland Corporation was issued based on the evidence on record, pursuant to the NPC Rules of Procedure. The respondents cannot now assail such Order using arguments that have not been previously presented, much less substantiated.
Nevertheless, it remains undisputed that these stricter security measures applied only to MNLCI's church members and not to the other tenants of the building.
The Implementing Rules and Regulations of the DPA elaborate on the requirements of the principle of proportionality, stating that the "processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means."
The Marvin Plaza Building House Rules and Regulations explain their access policies in this way: