The SIM Card Registration Act, which aims to fight text scams and misinformation, will take effect on Oct. 28, or 15 days after it was published in the Official Gazette.
Within 60 days from Oct. 28, the National Telecommunications Commission, in coordination with the departments of Information and Communications Technology (DICT) and Trade and Industry, the National Privacy Commission, the three telecommunications companies and major consumer groups, has to come up with the law’s implementing rules and regulations (IRR).
If the usual bureaucratic practice in drafting IRRs were to be followed, the salient provisions of the law, except for a few embellishments or inclusion of procedural items, would be simply repeated to meet that deadline.
A significant hurdle in the IRR preparation is the telcos’ compliance with the identification requirements for SIM (subscriber identity module) card registration.
The law enumerates 17 kinds of government-issued identification cards (IDs), with the catch-all phrase “other valid government-issued ID with photo,” that mobile phone users can present as proof of their identity.
Note that except for the last item, all the 16 IDs are issued by government offices at the national level.
The question is posed: Will IDs issued by local government units, in particular, barangays, be considered as valid proof of identification? It is common knowledge that, with the right amount of persuasion, some barangay officials are quick to issue identification or residency certificates.
Additionally, if any of the government-issued IDs is presented, should it be taken at its face value and therefore considered fully compliant with the identification requirement?
In case the ID looks spurious or questionable, what action should the telcos take? Reject it and risk getting an earful from the disgruntled user? Or get in touch with the government office that issued it to verify its validity and hold in abeyance the registration of the SIM card pending receipt of the office’s reply?
Knowing the “efficiency” of most government offices in responding to queries from third parties, that could take forever. In the meantime, the mobile phone user is deprived of the beneficial use of his or her mobile phone.
If that gadget happens to be an essential part of a business or the only means of communication with family members, the concerned user cannot be faulted for raising hell for the deprivation of his or her phone.
Another possible contentious issue is the requirement that the record keeping of personal data by the telcos “… should comply with the minimum information security standards prescribed by the DICT consistent with internationally accepted security standards.”
In light of the ease by which databases are being hacked by unscrupulous parties in spite of strong firewalls, this safeguard provision is undoubtedly critical.
But the DICT should not lose sight of the fact that software programs do not come cheap and that every security feature placed on them to prevent unauthorized access comes with costs that would eventually be passed on to users.
Then there is the matter of “internationally accepted security standards” which has become a buzzword in laws or regulations that relate to security matters.
While there is a generally recognized standard for information security management, i.e., ISO/IEC 27001, its application here should take into consideration, among others, the financial capacity of telcos and the enforcement capability of regulators.
Finally, the law requires the participation of major consumer groups in the preparation of the IRR. Since mobile phones are used in practically all forms of commercial activities, the selection of those groups could pose some problems. Those who do not get invited may raise a howl and cry “discrimination.”
All told, considering the complex economic and privacy-related issues involved, the IRR may not be able to effectively address them within the deadline set by the law. INQ
For comments, please send your email to “rpalabrica@inquirer.com.ph.”