Right to be forgotten
An individual may compel a search engine, like Google, to remove or delete links containing “inadequate, irrelevant… or excessive” data or information about him or her through the exercise of the “right to be forgotten,” also known as the “right to have an imperfect past.”
So ruled the Court of Justice of the European Union in the 2014 case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos. The European Court based its judgment from the “Directive on Data Protection” issued by the European Community in 1995. Thus, some European countries, like Germany, now consider the right to be forgotten a constitutional right.
But will it be enforceable here, given that it was rendered by a foreign tribunal? My short answer is “Yes.”
Article continues after this advertisementTrue, the European Court is credited with its popularization. Nonetheless, the origins of the right antedated the European Court’s judgment. Almost nine decades earlier, Justice Louis Brandeis of the US Supreme Court recognized it with another name, “the right to be left alone,” in his dissenting opinion in the 1928 case of Olmstead v. United States.
More importantly for us, our Supreme Court, in the 1968 case of Morfe v. Mutuc, declared this right (which it christened as “the right to privacy”) as “fully deserving of constitutional protection.”
In fact, the Philippines is more advanced in safeguarding personal information. On Jan. 22, 2008, the Court promulgated the writ of habeas data “to protect a person’s right to privacy and allow a person to control any information concerning” him or her.
Article continues after this advertisementOn May 3, the Court issued the writ in favor of the National Union of Peoples’ Lawyers on its claim that its members’ right to life, liberty and security were being violated by the military, and that it be provided “with copies of all the facts, information, statements, records, photographs, and other evidence, documentary or otherwise, pertaining to [its members in the military’s files].”
On the legislative front, Congress enacted the Data Privacy Act (DPA) in 2012 “to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth.”
“Personal information” covers any data that may identify a natural person (a juridical person like a corporation is not covered by the DPA’s protection). For example, though the name of the person may have been redacted, a medical record may still be protected by this law when it contains other identifiers like the patient’s gender, age, address, date of admission and date of discharge.
The DPA accords extra protection and imposes heavier penalties for the “processing” of “sensitive” personal information, including an individual’s (1) personal circumstances, i.e. “race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliation;” (2) “health, education, genetic or sexual life of a person, or any proceeding for any offense, committed or alleged to have been committed by such person, the disposal of such proceedings or the sentence of any court in such proceedings;” and (3) issuances of the government “peculiar to an individual [including] social security numbers, previous or current health records, licenses [or the denial, suspension or revocation thereof], and tax returns;” and (4) those “specifically established by an executive order or act of Congress to be kept classified.”
The DPA created the National Privacy Commission (NPC) to administer and implement the law. To discharge its duties, the NPC imposed five basic obligations on all firms engaged in data processing: (1) to appoint a data processing officer, (2) to conduct a “privacy impact assessment” to determine the appropriate level of security that must be observed in their respective data processing activities, (3) to establish a robust data protection infrastructure, (4) to show how policies are actually operationalized, and (5) to determine what steps or protocols to observe when a data breach occurs.
For those interested, the NPC’s implementation of the DPA is detailed by Dr. Ivy D. Patdu and lawyer Jamael A. Jacob in the recent issue (Vol. 63, No. 1) of the Ateneo Law Journal, with Angelo Francesco F. Herbosa as lead editor.
Comments to [email protected]