Confidentiality of SIM data

Starting Dec. 27, all users of mobile phone services in the Philippines have 180 days from thereon to register their SIM (subscriber identity module) cards with their service providers or face deactivation.

Individual users have to give their full name, date of birth, sex, address and a copy of a valid government-issued ID with their photo. For business users, they have to give their business name, address and the name of their authorized signatory.

The three telecommunication companies have been tasked to get those information. They have to provide, at their expense, a mechanism for that purpose in their respective systems within the deadline set by the government.

This early, some quarters foresee possible problems in the registration process, e.g., difficulty in securing identity documents and verifying their genuineness.

The thing that is of most serious concern to the users is maintaining the confidentiality of the information they will give to the telcos or their right to privacy. It is an issue that affects their personal safety and security.

The law requires telcos to keep those data under lock and key under pain of penal sanctions.

That obligation of confidentiality, however, shall not apply: (a) if the disclosure is authorized under the Data Privacy Act of 2012; (b) when ordered by a court or in accordance with a legal process upon the finding of probable cause; (c) if the subscriber consents in writing; and (d) upon the issuance of a subpoena by a competent authority pursuant to an investigation being conducted.

With regard to the last exception, it is essential that the investigation is “based on a sworn complaint that a specific mobile number was or is being used in the commission of a crime or was utilized as a means to commit a malicious, fraudulent or unlawful act, and that the complainant is unable to ascertain the identity of the perpetrator.”

It’s a catch-all provision similar to the word “etc.” or the phrase “other analogous causes” often used in official government issuances to cover any items that may have been inadvertently overlooked in their preparation.

There is no issue about the validity of the purpose for which such investigation shall be conducted. That’s the raison d’être behind the registration requirement.

But what is unclear is the meaning or scope of the phrase “competent authority.” The law and the implementing regulations issued by the National Telecommunications Commission (NTC) did not define it or give any criteria for its interpretation.

That being the case, its meaning or scope may have to be determined on a case-to-case basis (or be subjective in character) which is not good for effective governance purposes because it could result in uneven application.

There is no problem if the subpoena is issued by the Philippine National Police, the National Bureau of Investigation or the Philippine Drug Enforcement Agency. They are law enforcement units tasked by law to take action on the crimes and acts mentioned earlier.

In the absence of clear parameters on who come within the coverage of “competent authority,” that subpoena power is susceptible to abuse or misuse by some government officials.

If, for example, a municipal mayor receives a malicious text message from an unknown number and, for sensitive political reasons, he or she decides to personally run after that sender without seeking the assistance of the PNP, can that mayor invoke the “competent authority” clause to compel a telco to disclose the identity of the user of that number?

And what would prevent a barangay chairperson who cites his or her responsibility to protect his or her constituents from malicious or fraudulent calls or text messages from claiming that he or she should be considered a competent authority, too?

This issue is not a trifling matter as it involves a person’s right to privacy. The ambiguity in the law could give rise to serious legal challenges if it is not cleared ahead of time. The NTC has six months from Dec. 27 to do that. INQ

For comments, please send your email to “rpalabrica@inquirer.com.ph.”

Read more...