Consent is Needed in Data Collection
Personal data may be collected through innumerable means. Text messaging, emails, electronic surveys, social media, and other applications are only some of the ways in which data, specifically, personal data, may be collected. Republic Act No. 10173 otherwise known as the Data Privacy Act of 2012 safeguards the collection of personal data, or personally identifiable information, and provides obligations to those engaged in collecting them.
With the variances in the means to collecting personal information, does the law impose different obligations, based on the means of collecting them? The answer is no.
Where Personal Data is Collected, in General
The conditions for consent, so long as the requirements of the Data Privacy Act of 2012 for getting consent is met, do not differ depending upon the means of communication used.
Section 3(a) of the Data Privacy Act defines consent as any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relation to him or her. The same section provides that the consent given shall be evidenced by written, electronic, or recorded means, and that it may be given on behalf of the data subject by an agent specifically authorized by him/her to do so.
Sec. 19(a), Rule IV of the law’s Implementing Rules and Regulations further provides that consent must be secured prior to the collection and processing of the personal data, and that the same must be time-bound, in relation to the declared, specified, and legitimate purpose thereof.
As regards the requirement of the consent being “time-bound”, the National Privacy Commission explained that:
“If the [personal information controller] has the data subject for its customer or client, and the processing of the latter’s personal data is contingent on such relationship, indicating that the effectivity of the consent is coterminous with that of the relationship may be a considered as consistent with the “time-bound” requirement.
What is not permitted is having the duration of the consent determined solely by the [personal information controller]. This directly contravenes the “time-bound” element of consent and undermines the very concept of consent, which, as defined in the [Data Privacy Act] and its [Implementing Rules and Regulations], is an indication of will of the data subject, and not that of the [personal information controller].”[1]
The Data Privacy Commission also emphasized that “implied or inferred consent” is not allowed by the Data Privacy Law, unless the circumstances under Section 13 (b) to (f) of the said law are attendant. This is because in implied or inferred consent, the approval of the data subject, which is required by law to be recorded through written, electronic, or recorded means, is wanting.[2] Apart from these general guidelines, the Data Privacy Act did not make any other specifications regarding the method of securing consent from the data subject, and whether such method differs depending upon the method of securing the same. As such, it may be concluded that the conditions for consent do not differ depending upon the means of communication used.
Where the Personal Data collected is classified Sensitive Personal Information
Yes, the conditions for consent differ when the data involved is sensitive personal information.
As a general rule, the processing of sensitive personal information shall be prohibited, except if it falls under any of the following categories:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
Therefore, to summarize the foregoing rules on the processing of sensitive personal information:
a. If the purpose of processing the sensitive personal information falls under sub-paragraphs (a) and (d) of Section 13 of the Data Privacy Act, the express consent of the data subject is required prior to processing.
b. However, if the purpose for the processing of the same falls under sub-paragraphs (b) to (c) and (e) to (f), consent of the data subject is no longer required, as long as the requirements of the law are met by the personal information processor.
About Nicolas and De Vega Law Offices
If you have issues on data privacy or information technology law or corporate law, commercial law, corporate or commercial litigation, or civil or other criminal law-related issues, we can help you. Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.
[1] National Privacy Commission, ADVISORY OPINION No. 2017-018 (21 April 2017).
[2] Id.; National Privacy Commission, ADVISORY OPINION No. 2017-042 (14 August 2017).