Guidelines on consent to stop the abUSE of personal information
Credit card holders often receive unsolicited phone calls from individuals claiming to be representatives of their credit card company, offering loans or promotions. However, it’s important to note that these callers may not actually be employees of the credit card company itself. Instead, they could be affiliated with a marketing company or call center that has a partnership to market products on behalf of the credit card company. It is an understatement to say these callers can be quite persistent.
A close relative of mine recently accompanied her mother to a doctor, for treatment of Alzheimer’s disease. However, following the visit, she began receiving unsolicited calls and messages from a group purporting to conduct research on Alzheimer’s. The group inquired whether the patient would be willing to participate by being interviewed and observed.
When my relative asked the doctor’s secretary if they had given out their personal information including the patient’s diagnosis, they responded with a curt message: “Reply for Patient X: You were invited to participate in a clinical trial, funded by DOST-PCHRD, and duly approved by the hospital’s ethics committee. If you do not wish to participate, we will inform the researchers that you are not interested. Thank you.”
There are many other instances when people realize their information has been used or shared without their knowledge, or in a way that they did not expect.
Patients and credit card applicants may overlook data consent due to health concerns or lengthy terms. This is why there was a need for Congress to pass the Data Privacy Act of 2012 or Republic Act No. 10173 (DPA).
In data privacy, the most important criterion is informed consent.
Informed consent means that the data subject, the person whose information is stored and used, has been clearly told what information will be collected, how it will be used, who will have access to it and for what purpose. People should be made aware of their rights concerning data, including the right to access, correct or delete their data, and measures taken to protect their data.
Consent under the DPA and its implementing rules refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his information and this consent shall be evidenced by written, electronic or recorded means.
The DPA became effective on Sept. 8, 2012 and its Implementing Rules and Regulations (IRR) were issued in August 2016.
Recognizing that the evolving landscape presents new challenges, the National Privacy Commission (NPC) has drafted Guidelines on Consent and has invited the public to submit their comments, suggestions, opinions and other inputs to the NPC. There will also be an online public consultation on 15 June 2023 at 10 a.m.
Some important developments under the guidelines are as follows:
The guidelines have added the principle of fairness to the principles of transparency, legitimate purpose and proportionality in data processing.
A Personal Information Controller (PIC) shall ensure that personal data is processed in a manner that is neither manipulative nor unduly oppressive to the data subject.
Processing of personal data for additional purposes other than those for which the personal data were initially collected may be allowed after the PIC conducts a compatibility assessment to determine whether there is a clear and reasonable link between the original purposes and the purposes of the intended further processing, the data subject’s reasonable expectations on further use, the nature of the personal data, the impact of further processing, and the existence of reasonable and appropriate security measures.
Essential elements of consent
The guidelines also provide the following essential elements for a valid consent to the processing of information: (a) consent freely given, (b) specific consent, (c) informed decision, (d) an indication of will, and (e) that the consent given is recorded by written or electronic means.
For consent to be valid in Contracts of Adhesion, where one party imposes a ready-made form of contract on the other party, the guidelines require additional conditions.
Consent must also be granular when personal data is processed for multiple purposes, such that there should be a list of purposes that allows the data subject to select which purposes they consent to, as opposed to an all-inclusive consent.
Separate consents must be obtained for any additional processing on the collected personal information. Notably, a vague or blanket consent is prohibited and invalid.
It is also important that the disclosure of purpose and consent is in a language that will be easily understood by an average member of the target audience.
The guidelines recognize the concept of consent fatigue, which happens when the data subject finds himself or herself overwhelmed by numerous and lengthy forms and notices, such that the PIC must properly identify the lawful basis for processing prior to the collection of personal data.
Note that implied consents are not allowed and a non-response does not constitute valid consent.
Withdrawal of consent
The guidelines reiterate that consent can be withdrawn at any time and without cost to the data subject and that the process of withdrawing consent shall be as easy as when consent was given.
Given the need of our regulations to adapt to evolving industry practices, the Guidelines also tackle specific topics such as deceptive methods, direct marketing, research and profiling and automated processing of information.
Deceptive methods such as design patterns or any form of coercion, compulsion, threat, intimidation or violence in obtaining consent are prohibited. Incentivizing consent by offering benefits to the data subject is not automatically construed as a deceptive method.
The use of information provided for direct marketing, such as analyzing or predicting personal preferences, behavior and attitudes of the data subject to inform subsequent decision-making, tracking and profiling for direct marketing, behavioral advertisement, data brokering, location-based advertising, tracking-based digital market research, which may affect the rights and freedoms of a data subject, must have specific consent.
Processing of personal data for research requires consent, except that when obtaining consent prior to data collection might affect research results, consent may be obtained within a reasonable time after data collection. No consent is required, however, for observation of public behavior and research resulting in anonymized demographic data where personal data will not be disclosed.
With regard to profiling and automated processing, data subjects must be informed and consent obtained for any profiling or automated processing of their information, with the proper safeguards against discriminatory outcomes affecting, or unfair treatment of, data subjects, particularly when there will be legal ramifications or significant impact on a data subject.
The law provides stiff sanctions in the form of prison time and hefty fines for negligent or unauthorized processing, access or disclosure of information.
Whether the Guidelines on Consent will adequately address some of the problem points on consent and use of the data and information remains to be seen. Those interested in participating in the public consultation may send an email to the NPC at firstname.lastname@example.org on or before 9 June 2023.
The author, Atty. John Philip C. Siao, is a practicing lawyer and founding Partner of Tiongco Siao Bello & Associates Law Offices, teaches law at the MLQU School of Law, and is an Arbitrator of the Construction Industry Arbitration Commission of the Philippines. He may be contacted at email@example.com. The views expressed in this article belong to the author alone.