EN BANC

G.R. No. 167798 April 19, 2006

KILUSANG MAYO UNO, NATIONAL FEDERATION OF LABOR UNIONS-KILUSANG MAYO UNO (NAFLU-KMU), JOSELITO V. USTAREZ, EMILIA P. DAPULANG, SALVADOR T. CARRANZA, MARTIN T. CUSTODIO, JR. and ROQUE M. TAN, Petitioners,
vs.
THE DIRECTOR-GENERAL, NATIONAL ECONOMIC DEVELOPMENT AUTHORITY, and THE SECRETARY, DEPARTMENT OF BUDGET and MANAGEMENT, Respondents.

DECISION

CARPIO, J.:

This case involves two consolidated petitions for certiorari, prohibition, and mandamus under Rule 65 of the Rules of Court, seeking the nullification of Executive Order No. 420 (EO 420) on the ground that it is unconstitutional.

EO 420, issued by President Gloria Macapagal-Arroyo on 13 April 2005, reads:

REQUIRING ALL GOVERNMENT AGENCIES AND GOVERNMENT-OWNED AND CONTROLLED CORPORATIONS TO STREAMLINE AND HARMONIZE THEIR IDENTIFICATION (ID) SYSTEMS, AND AUTHORIZING FOR SUCH PURPOSE THE DIRECTOR-GENERAL, NATIONAL ECONOMIC AND DEVELOPMENT AUTHORITY TO IMPLEMENT THE SAME, AND FOR OTHER PURPOSES

WHEREAS, good governance is a major thrust of this Administration;

WHEREAS, the existing multiple identification systems in government have created unnecessary and costly redundancies and higher costs to government, while making it inconvenient for individuals to be holding several identification cards;

WHEREAS, there is urgent need to streamline and integrate the processes and issuance of identification cards in government to reduce costs and to provide greater convenience for those transacting business with government;

WHEREAS, a unified identification system will facilitate private businesses, enhance the integrity and reliability of government-issued identification cards in private transactions, and prevent violations of laws involving false names and identities.

NOW, THEREFORE, I, GLORIA MACAPAGAL-ARROYO, President of the Republic of the Philippines by virtue of the powers vested in me by law, do hereby direct the following:

Section 1. Adoption of a unified multi-purpose identification (ID) system for government. – All government agencies, including government-owned and controlled corporations, are hereby directed to adopt a unified multi-purpose ID system to ensure the attainment of the following objectives:

a. To reduce costs and thereby lessen the financial burden on both the government and the public brought about by the use of multiple ID cards and the maintenance of redundant database containing the same or related information;

b. To ensure greater convenience for those transacting business with the government and those availing of government services;

c. To facilitate private businesses and promote the wider use of the unified ID card as provided under this executive order;

d. To enhance the integrity and reliability of government-issued ID cards; and

e. To facilitate access to and delivery of quality and effective government service.

Section 2. Coverage – All government agencies and government-owned and controlled corporations issuing ID cards to their members or constituents shall be covered by this executive order.

Section 3. Data requirement for the unified ID system – The data to be collected and recorded by the participating agencies shall be limited to the following:

Name, Home Address, Sex, Picture, Signature, Date of Birth, Place of Birth, Marital Status, Names of Parents, Height, Weight, Two index fingers and two thumbmarks, Any prominent distinguishing features like moles and others, Tax Identification Number (TIN)

Provided that a corresponding ID number issued by the participating agency and a common reference number shall form part of the stored ID data and, together with at least the first five items listed above, including the print of the right thumbmark, or any of the fingerprints as collected and stored, shall appear on the face or back of the ID card for visual verification purposes.

Section 4. Authorizing the Director-General, National Economic and Development Authority, to Harmonize All Government Identification Systems. – The Director-General, National Economic Development Authority, is hereby authorized to streamline and harmonize all government ID systems.

Section 5. Functions and responsibilities of the Director-General, National Economic and Development Authority. – In addition to his organic functions and responsibilities, the Director-General, National Economic and Development Authority, shall have the following functions and responsibilities:

a. Adopt within sixty (60) days from the effectivity of this executive order a unified government ID system containing only such data and features, as indicated in Section 3 above, to validly establish the identity of the card holder:

b. Enter into agreements with local governments, through their respective leagues of governors or mayors, the Commission on Elections (COMELEC), and with other branches or instrumentalities of the government, for the purpose of ensuring government-wide adoption of and support to this effort to streamline the ID systems in government;

c. Call on any other government agency or institution, or create sub–committees or technical working groups, to provide such assistance as may be necessary or required for the effective performance of its functions; and

d. Promulgate such rules or regulations as may be necessary in pursuance of the objectives of this executive order.

Section 6. Safeguards. – The Director-General, National Economic and Development Authority, and the pertinent agencies shall adopt such safeguard as may be necessary and adequate to ensure that the right to privacy of an individual takes precedence over efficient public service delivery. Such safeguards shall, as a minimum, include the following:

a. The data to be recorded and stored, which shall be used only for purposes of establishing the identity of a person, shall be limited to those specified in Section 3 of this executive order;

b. In no case shall the collection or compilation of other data in violation of a person’s right to privacy shall be allowed or tolerated under this order;

c. Stringent systems of access control to data in the identification system shall be instituted;

d. Data collected and stored for this purpose shall be kept and treated as strictly confidential and a personal or written authorization of the Owner shall be required for access and disclosure of data;

e. The identification card to be issued shall be protected by advanced security features and cryptographic technology; and

f. A written request by the Owner of the identification card shall be required for any correction or revision of relevant data, or under such conditions as the participating agency issuing the identification card shall prescribe.

Section 7. Funding. – Such funds as may be recommended by the Department of Budget and Management shall be provided to carry out the objectives of this executive order.

Section 8. Repealing clause. – All executive orders or issuances, or portions thereof, which are inconsistent with this executive order, are hereby revoked, amended or modified accordingly.

Section 9. Effectivity. – This executive order shall take effect fifteen (15) days after its publication in two (2) newspapers of general circulation.

DONE in the City of Manila, this 13th day of April, in the year of Our Lord, Two Thousand and Five.

Thus, under EO 420, the President directs all government agencies and government-owned and controlled corporations to adopt a uniform data collection and format for their existing identification (ID) systems.

Petitioners in G.R. No. 167798 allege that EO 420 is unconstitutional because it constitutes usurpation of legislative functions by the executive branch of the government. Furthermore, they allege that EO 420 infringes on the citizen’s right to privacy.1

Petitioners in G.R. No. 167930 allege that EO 420 is void based on the following grounds:

1. EO 420 is contrary to law. It completely disregards and violates the decision of this Honorable Court in Ople v. Torres et al., G.R. No. 127685, July 23, 1998. It also violates RA 8282 otherwise known as the Social Security Act of 1997.

2. The Executive has usurped the legislative power of Congress as she has no power to issue EO 420. Furthermore, the implementation of the EO will use public funds not appropriated by Congress for that purpose.

3. EO 420 violates the constitutional provisions on the right to privacy

(i) It allows access to personal confidential data without the owner’s consent.

(ii) EO 420 is vague and without adequate safeguards or penalties for any violation of its provisions.

(iii) There are no compelling reasons that will legitimize the necessity of EO 420.

4. Granting without conceding that the President may issue EO 420, the Executive Order was issued without public hearing.

5. EO 420 violates the Constitutional provision on equal protection of laws and results in the discriminatory treatment of and penalizes those without ID.2

Issues

Essentially, the petitions raise two issues. First, petitioners claim that EO 420 is a usurpation of legislative power by the President. Second, petitioners claim that EO 420 infringes on the citizen’s right to privacy.

Respondents question the legal standing of petitioners and the ripeness of the petitions. Even assuming that petitioners are bereft of legal standing, the Court considers the issues raised under the circumstances of paramount public concern or of transcendental significance to the people. The petitions also present a justiciable controversy ripe for judicial determination because all government entities currently issuing identification cards are mandated to implement EO 420, which petitioners claim is patently unconstitutional. Hence, the Court takes cognizance of the petitions.

The Court’s Ruling

The petitions are without merit.

On the Alleged Usurpation of Legislative Power


Section 2 of EO 420 provides, "Coverage. – All government agencies and government-owned and controlled corporations issuing ID cards to their members or constituents shall be covered by this executive order." EO 420 applies only to government entities that issue ID cards as part of their functions under existing laws. These government entities have already been issuing ID cards even prior to EO 420. Examples of these government entities are the GSIS,3 SSS,4 Philhealth,5 Mayor’s Office,6 LTO,7 PRC,8 and similar government entities.

Section 1 of EO 420 directs these government entities to "adopt a unified multi-purpose ID system." Thus, all government entities that issue IDs as part of their functions under existing laws are required to adopt a uniform data collection and format for their IDs. Section 1 of EO 420 enumerates the purposes of the uniform data collection and format, namely:

a. To reduce costs and thereby lessen the financial burden on both the government and the public brought about by the use of multiple ID cards and the maintenance of redundant database containing the same or related information;

b. To ensure greater convenience for those transacting business with the government and those availing of government services;

c. To facilitate private businesses and promote the wider use of the unified ID card as provided under this executive order;

d. To enhance the integrity and reliability of government-issued ID cards; and

e. To facilitate access to and delivery of quality and effective government service.

In short, the purposes of the uniform ID data collection and ID format are to reduce costs, achieve efficiency and reliability, insure compatibility, and provide convenience to the people served by government entities.

Section 3 of EO 420 limits the data to be collected and recorded under the uniform ID system to only 14 specific items, namely: (1) Name; (2) Home Address; (3) Sex; (4) Picture; (5) Signature; (6) Date of Birth; (7) Place of Birth; (8) Marital Status; (9) Name of Parents; (10) Height; (11) Weight; (12) Two index fingers and two thumbmarks; (13) Any prominent distinguishing features like moles or others; and (14) Tax Identification Number.

These limited and specific data are the usual data required for personal identification by government entities, and even by the private sector. Any one who applies for or renews a driver’s license provides to the LTO all these 14 specific data.

At present, government entities like LTO require considerably more data from applicants for identification purposes. EO 420 will reduce the data required to be collected and recorded in the ID databases of the government entities. Government entities cannot collect or record data, for identification purposes, other than the 14 specific data.

Various laws allow several government entities to collect and record data for their ID systems, either expressly or impliedly by the nature of the functions of these government entities. Under their existing ID systems, some government entities collect and record more data than what EO 420 allows. At present, the data collected and recorded by government entities are disparate, and the IDs they issue are dissimilar.

In the case of the Supreme Court,9 the IDs that the Court issues to all its employees, including the Justices, contain 15 specific data, namely: (1) Name; (2) Picture; (3) Position; (4) Office Code Number; (5) ID Number; (6) Height; (7) Weight; (8) Complexion; (9) Color of Hair; (10) Blood Type; (11) Right Thumbmark; (12) Tax Identification Number; (13) GSIS Policy Number; (14) Name and Address of Person to be Notified in Case of Emergency; and (15) Signature. If we consider that the picture in the ID can generally also show the sex of the employee, the Court’s ID actually contains 16 data.

In contrast, the uniform ID format under Section 3 of EO 420 requires only "the first five items listed" in Section 3, plus the fingerprint, agency number and the common reference number, or only eight specific data. Thus, at present, the Supreme Court’s ID contains far more data than the proposed uniform ID for government entities under EO 420. The nature of the data contained in the Supreme Court ID is also far more financially sensitive, specifically the Tax Identification Number.

Making the data collection and recording of government entities unified, and making their ID formats uniform, will admittedly achieve substantial benefits. These benefits are savings in terms of procurement of equipment and supplies, compatibility in systems as to hardware and software, ease of verification and thus increased reliability of data, and the user-friendliness of a single ID format for all government entities.

There is no dispute that government entities can individually limit the collection and recording of their data to the 14 specific items in Section 3 of EO 420. There is also no dispute that these government entities can individually adopt the ID format as specified in Section 3 of EO 420. Such an act is certainly within the authority of the heads or governing boards of the government entities that are already authorized under existing laws to issue IDs.

A unified ID system for all these government entities can be achieved in either of two ways. First, the heads of these existing government entities can enter into a memorandum of agreement making their systems uniform. If the government entities can individually adopt a format for their own ID pursuant to their regular functions under existing laws, they can also adopt by mutual agreement a uniform ID format, especially if the uniform format will result in substantial savings, greater efficiency, and optimum compatibility. This is purely an administrative matter, and does not involve the exercise of legislative power.

Second, the President may by executive or administrative order direct the government entities under the Executive department to adopt a uniform ID data collection and format. Section 17, Article VII of the 1987 Constitution provides that the "President shall have control of all executive departments, bureaus and offices." The same Section also mandates the President to "ensure that the laws be faithfully executed."

Certainly, under this constitutional power of control the President can direct all government entities, in the exercise of their functions under existing laws, to adopt a uniform ID data collection and ID format to achieve savings, efficiency, reliability, compatibility, and convenience to the public. The President’s constitutional power of control is self-executing and does not need any implementing legislation.

Of course, the President’s power of control is limited to the Executive branch of government and does not extend to the Judiciary or to the independent constitutional commissions. Thus, EO 420 does not apply to the Judiciary, or to the COMELEC which under existing laws is also authorized to issue voter’s ID cards.10 This only shows that EO 420 does not establish a national ID system because legislation is needed to establish a single ID system that is compulsory for all branches of government.

The Constitution also mandates the President to ensure that the laws are faithfully executed. There are several laws mandating government entities to reduce costs, increase efficiency, and in general, improve public services.11 The adoption of a uniform ID data collection and format under EO 420 is designed to reduce costs, increase efficiency, and in general, improve public services. Thus, in issuing EO 420, the President is simply performing the constitutional duty to ensure that the laws are faithfully executed.

Clearly, EO 420 is well within the constitutional power of the President to promulgate. The President has not usurped legislative power in issuing EO 420. EO 420 is an exercise of Executive power – the President’s constitutional power of control over the Executive department. EO 420 is also compliance by the President of the constitutional duty to ensure that the laws are faithfully executed.

Legislative power is the authority to make laws and to alter or repeal them. In issuing EO 420, the President did not make, alter or repeal any law but merely implemented and executed existing laws. EO 420 reduces costs, as well as insures efficiency, reliability, compatibility and user-friendliness in the implementation of current ID systems of government entities under existing laws. Thus, EO 420 is simply an executive issuance and not an act of legislation.

The act of issuing ID cards and collecting the necessary personal data for imprinting on the ID card does not require legislation. Private employers routinely issue ID cards to their employees. Private and public schools also routinely issue ID cards to their students. Even private clubs and associations issue ID cards to their members. The purpose of all these ID cards is simply to insure the proper identification of a person as an employee, student, or member of a club. These ID cards, although imposed as a condition for exercising a privilege, are voluntary because a person is not compelled to be an employee, student or member of a club.

What require legislation are three aspects of a government maintained ID card system. First, when the implementation of an ID card system requires a special appropriation because there is no existing appropriation for such purpose. Second, when the ID card system is compulsory on all branches of government, including the independent constitutional commissions, as well as compulsory on all citizens whether they have a use for the ID card or not. Third, when the ID card system requires the collection and recording of personal data beyond what is routinely or usually required for such purpose, such that the citizen’s right to privacy is infringed.

In the present case, EO 420 does not require any special appropriation because the existing ID card systems of government entities covered by EO 420 have the proper appropriation or funding. EO 420 is not compulsory on all branches of government and is not compulsory on all citizens. EO 420 requires a very narrow and focused collection and recording of personal data while safeguarding the confidentiality of such data. In fact, the data collected and recorded under EO 420 are far less than the data collected and recorded under the ID systems existing prior to EO 420.

EO 420 does not establish a national ID card system. EO 420 does not compel all citizens to have an ID card. EO 420 applies only to government entities that under existing laws are already collecting data and issuing ID cards as part of their governmental functions. Every government entity that presently issues an ID card will still issue its own ID card under its own name. The only difference is that the ID card will contain only the five data specified in Section 3 of EO 420, plus the fingerprint, the agency ID number, and the common reference number which is needed for cross-verification to ensure integrity and reliability of identification.

This Court should not interfere with how government entities under the Executive department should undertake cost savings, achieve efficiency in operations, insure compatibility of equipment and systems, and provide user-friendly service to the public. The collection of ID data and issuance of ID cards are day-to-day functions of many government entities under existing laws. Even the Supreme Court has its own ID system for employees of the Court and all first and second level courts. The Court is even trying to unify its ID system with those of the appellate courts, namely the Court of Appeals, Sandiganbayan and Court of Tax Appeals.

There is nothing legislative about unifying existing ID systems of all courts within the Judiciary. The same is true for government entities under the Executive department. If government entities under the Executive department decide to unify their existing ID data collection and ID card issuance systems to achieve savings, efficiency, compatibility and convenience, such act does not involve the exercise of any legislative power. Thus, the issuance of EO 420 does not constitute usurpation of legislative power.

On the Alleged Infringement of the Right to Privacy

All these years, the GSIS, SSS, LTO, Philhealth and other government entities have been issuing ID cards in the performance of their governmental functions. There have been no complaints from citizens that the ID cards of these government entities violate their right to privacy. There have also been no complaints of abuse by these government entities in the collection and recording of personal identification data.

In fact, petitioners in the present cases do not claim that the ID systems of government entities prior to EO 420 violate their right to privacy. Since petitioners do not make such claim, they even have less basis to complain against the unified ID system under EO 420. The data collected and stored for the unified ID system under EO 420 will be limited to only 14 specific data, and the ID card itself will show only eight specific data. The data collection, recording and ID card system under EO 420 will even require less data collected, stored and revealed than under the disparate systems prior to EO 420.

Prior to EO 420, government entities had a free hand in determining the kind, nature and extent of data to be collected and stored for their ID systems. Under EO 420, government entities can collect and record only the 14 specific data mentioned in Section 3 of EO 420. In addition, government entities can show in their ID cards only eight of these specific data, seven less data than what the Supreme Court’s ID shows.

Also, prior to EO 420, there was no executive issuance to government entities prescribing safeguards on the collection, recording, and disclosure of personal identification data to protect the right to privacy. Now, under Section 5 of EO 420, the following safeguards are instituted:

a. The data to be recorded and stored, which shall be used only for purposes of establishing the identity of a person, shall be limited to those specified in Section 3 of this executive order;

b. In no case shall the collection or compilation of other data in violation of a person’s right to privacy be allowed or tolerated under this order;

c. Stringent systems of access control to data in the identification system shall be instituted;

d. Data collected and stored for this purpose shall be kept and treated as strictly confidential and a personal or written authorization of the Owner shall be required for access and disclosure of data;

e. The identification card to be issued shall be protected by advanced security features and cryptographic technology;

f. A written request by the Owner of the identification card shall be required for any correction or revision of relevant data, or under such conditions as the participating agency issuing the identification card shall prescribe.

On its face, EO 420 shows no constitutional infirmity because it even narrowly limits the data that can be collected, recorded and shown compared to the existing ID systems of government entities. EO 420 further provides strict safeguards to protect the confidentiality of the data collected, in contrast to the prior ID systems which are bereft of strict administrative safeguards.

The right to privacy does not bar the adoption of reasonable ID systems by government entities. Some one hundred countries have compulsory national ID systems, including democracies such as Spain, France, Germany, Belgium, Greece, Luxembourg, and Portugal. Other countries which do not have national ID systems, like the United States, Canada, Australia, New Zealand, Ireland, the Nordic Countries and Sweden, have sectoral cards for health, social or other public services.12 Even with EO 420, the Philippines will still fall under the countries that do not have compulsory national ID systems but allow only sectoral cards for social security, health services, and other specific purposes.

Without a reliable ID system, government entities like GSIS, SSS, Philhealth, and LTO cannot perform effectively and efficiently their mandated functions under existing laws. Without a reliable ID system, GSIS, SSS, Philhealth and similar government entities stand to suffer substantial losses arising from false names and identities. The integrity of the LTO’s licensing system will suffer in the absence of a reliable ID system.

The dissenting opinion cites three American decisions on the right to privacy, namely, Griswold v. Connecticut,13 U.S. Justice Department v. Reporters Committee for Freedom of the Press,14 and Whalen v. Roe.15 The last two decisions actually support the validity of EO 420, while the first is inapplicable to the present case.

In Griswold, the U.S. Supreme Court declared unconstitutional a state law that prohibited the use and distribution of contraceptives because enforcement of the law would allow the police entry into the bedrooms of married couples. Declared the U.S. Supreme Court: "Would we allow the police to search the sacred precincts of the marital bedrooms for telltale signs of the use of contraceptives? The very idea is repulsive to the notions of privacy surrounding the marriage relationship." Because the facts and the issue involved in Griswold are materially different from the present case, Griswold has no persuasive bearing on the present case.

In U.S. Justice Department, the issue was not whether the State could collect and store information on individuals from public records nationwide but whether the State could withhold such information from the press. The premise of the issue in U.S. Justice Department is that the State can collect and store in a central database information on citizens gathered from public records across the country. In fact, the law authorized the Department of Justice to collect and preserve fingerprints and other criminal identification records nationwide. The law also authorized the Department of Justice to exchange such information with "officials of States, cities and other institutions." The Department of Justice treated such information as confidential. A CBS news correspondent and the Reporters Committee demanded the criminal records of four members of a family pursuant to the Freedom of Information Act. The U.S. Supreme Court ruled that the Freedom of Information Act expressly exempts release of information that would "constitute an unwarranted invasion of personal privacy," and the information demanded falls under that category of exempt information.

With the exception of the 8 specific data shown on the ID card, the personal data collected and recorded under EO 420 are treated as "strictly confidential" under Section 6(d) of EO 420. These data are not only strictly confidential but also personal matters. Section 7, Article III of the 1987 Constitution grants the "right of the people to information on matters of public concern." Personal matters are exempt or outside the coverage of the people’s right to information on matters of public concern. The data treated as "strictly confidential" under EO 420 being private matters and not matters of public concern, these data cannot be released to the public or the press. Thus, the ruling in U.S. Justice Department does not collide with EO 420 but actually supports the validity of EO 420.

Whalen v. Roe is the leading American case on the constitutional protection for control over information. In Whalen, the U.S. Supreme Court upheld the validity of a New York law that required doctors to furnish the government reports identifying patients who received prescription drugs that have a potential for abuse. The government maintained a central computerized database containing the names and addresses of the patients, as well as the identity of the prescribing doctors. The law was assailed because the database allegedly infringed the right to privacy of individuals who want to keep their personal matters confidential. The U.S. Supreme Court rejected the privacy claim, and declared:

Disclosures of private medical information to doctors, to hospital personnel, to insurance companies, and to public health agencies are often an essential part of modern medical practice even when the disclosure may reflect unfavorably on the character of the patient. Requiring such disclosures to representatives of the State having responsibility for the health of the community does not automatically amount to an impermissible invasion of privacy. (Emphasis supplied)

Compared to the personal medical data required for disclosure to the New York State in Whalen, the 14 specific data required for disclosure to the Philippine government under EO 420 are far less sensitive and far less personal. In fact, the 14 specific data required under EO 420 are routine data for ID systems, unlike the sensitive and potentially embarrassing medical records of patients taking prescription drugs. Whalen, therefore, carries persuasive force for upholding the constitutionality of EO 420 as non-violative of the right to privacy.

Subsequent U.S. Supreme Court decisions have reiterated Whalen. In Planned Parenthood of Central Missouri v. Danforth,16 the U.S. Supreme Court upheld the validity of a law that required doctors performing abortions to fill up forms, maintain records for seven years, and allow the inspection of such records by public health officials. The U.S. Supreme Court ruled that "recordkeeping and reporting requirements that are reasonably directed to the preservation of maternal health and that properly respect a patient’s confidentiality and privacy are permissible."

Again, in Planned Parenthood of Southeastern Pennsylvania v. Casey,17 the U.S. Supreme Court upheld a law that required doctors performing an abortion to file a report to the government that included the doctor’s name, the woman’s age, the number of prior pregnancies and abortions that the woman had, the medical complications from the abortion, the weight of the fetus, and the marital status of the woman. In case of state-funded institutions, the law made such information publicly available. In Casey, the U.S. Supreme Court stated: "The collection of information with respect to actual patients is a vital element of medical research, and so it cannot be said that the requirements serve no purpose other than to make abortion more difficult."

Compared to the disclosure requirements of personal data that the U.S. Supreme Court have upheld in Whalen, Danforth and Casey as not violative of the right to privacy, the disclosure requirements under EO 420 are far benign and cannot therefore constitute violation of the right to privacy. EO 420 requires disclosure of 14 personal data that are routine for ID purposes, data that cannot possibly embarrass or humiliate anyone.

Petitioners have not shown how EO 420 will violate their right to privacy. Petitioners cannot show such violation by a mere facial examination of EO 420 because EO 420 narrowly draws the data collection, recording and exhibition while prescribing comprehensive safeguards. Ople v. Torres18 is not authority to hold that EO 420 violates the right to privacy because in that case the assailed executive issuance, broadly drawn and devoid of safeguards, was annulled solely on the ground that the subject matter required legislation. As then Associate Justice, now Chief Justice Artemio V. Panganiban noted in his concurring opinion in Ople v. Torres, "The voting is decisive only on the need for appropriate legislation, and it is only on this ground that the petition is granted by this Court."

EO 420 applies only to government entities that already maintain ID systems and issue ID cards pursuant to their regular functions under existing laws. EO 420 does not grant such government entities any power that they do not already possess under existing laws. In contrast, the assailed executive issuance in Ople v. Torres sought to establish a "National Computerized Identification Reference System,"19 a national ID system that did not exist prior to the assailed executive issuance. Obviously, a national ID card system requires legislation because it creates a new national data collection and card issuance system where none existed before.

In the present case, EO 420 does not establish a national ID system but makes the existing sectoral card systems of government entities like GSIS, SSS, Philhealth and LTO less costly, more efficient, reliable and user-friendly to the public. Hence, EO 420 is a proper subject of executive issuance under the President’s constitutional power of control over government entities in the Executive department, as well as under the President’s constitutional duty to ensure that laws are faithfully executed.

WHEREFORE, the petitions are DISMISSED. Executive Order No. 420 is declared VALID.

SO ORDERED.

In 2005, Executive Order No. 420 was passed. This law sought to harmonize and streamline the country’s ID system. Kilusang Mayo Uno, Bayan Muna, and other concerned groups sought to enjoin the Director-General from implementing the EO because they allege that the said EO is unconstitutional for it infringes upon the right to privacy of the people and that the same is a usurpation of legislative power by the president.

ISSUE: Whether or not the said EO is unconstitutional.

HELD:

No. Section 1 of EO 420 directs these government entities to “adopt a unified multi-purpose ID system.” Thus, all government entities that issue IDs as part of their functions under existing laws are required to adopt a uniform data collection and format for their IDs.

Section 1 of EO 420 enumerates the purposes of the uniform data collection and format. The President may by executive or administrative order direct the government entities under the Executive department to adopt a uniform ID data collection and format. Sec 17, Article 7 of the 1987 Constitution provides that the “President shall have control of all executive departments, bureaus and offices.” The same Section also mandates the President to “ensure that the laws be faithfully executed.” Certainly, under this constitutional power of control the President can direct all government entities, in the exercise of their functions under existing laws, to adopt a uniform ID data collection and ID format to achieve savings, efficiency, reliability, compatibility, and convenience to the public.

The President’s constitutional power of control is self-executing and does not need any implementing legislation. Of course, the President’s power of control is limited to the Executive branch of government and does not extend to the Judiciary or to the independent constitutional commissions. Thus, EO 420 does not apply to the Judiciary, or to the COMELEC which under existing laws is also authorized to issue voter’s ID cards. This only shows that EO 420 does not establish a national ID system because legislation is needed to establish a single ID system that is compulsory for all branches of government.

THIRD DIVISION

G.R. No. 202666 September 29, 2014

RHONDA AVE S. VIVARES and SPS. MARGARITA and DAVID SUZARA, Petitioners,
vs.
ST. THERESA'S COLLEGE, MYLENE RHEZA T. ESCUDERO, and JOHN DOES, Respondents.

DECISION

VELASCO, JR., J.:

The individual's desire for privacy is never absolute, since participation in society is an equally powerful desire. Thus each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication of himself to others, in light of the environmental conditions and social norms set by the society in which he lives.

- Alan Westin, Privacy and Freedom (1967)

The Case

Before Us is a Petition for Review on Certiorari under Rule 45 of the Rules of Court, in relation to Section 19 of A.M. No. 08-1-16-SC,1 otherwise known as the "Rule on the Writ of Habeas Data." Petitioners herein assail the July 27, 2012 Decision2 of the Regional Trial Court, Branch 14 in Cebu City (RTC) in SP. Proc. No. 19251-CEB, which dismissed their habeas data petition.

The Facts

Nenita Julia V. Daluz (Julia) and Julienne Vida Suzara (Julienne), both minors, were, during the period material, graduating high school students at St. Theresa's College (STC), Cebu City. Sometime in January 2012, while changing into their swimsuits for a beach party they were about to attend, Julia and Julienne, along with several others, took digital pictures of themselves clad only in their undergarments. These pictures were then uploaded by Angela Lindsay Tan (Angela) on her Facebook3 profile.

Back at the school, Mylene Rheza T. Escudero (Escudero), a computer teacher at STC’s high school department, learned from her students that some seniors at STC posted pictures online, depicting themselves from the waist up, dressed only in brassieres. Escudero then asked her students if they knew who the girls in the photos are. In turn, they readily identified Julia, Julienne, and Chloe Lourdes Taboada (Chloe), among others.

Using STC’s computers, Escudero’s students logged in to their respective personal Facebook accounts and showed her photos of the identified students, which include: (a) Julia and Julienne drinking hard liquor and smoking cigarettes inside a bar; and (b) Julia and Julienne along the streets of Cebu wearing articles of clothing that show virtually the entirety of their black brassieres. What is more, Escudero’s students claimed that there were times when access to or the availability of the identified students’ photos was not confined to the girls’ Facebook friends,4 but were, in fact, viewable by any Facebook user.5

Upon discovery, Escudero reported the matter and, through one of her student’s Facebook page, showed the photos to Kristine Rose Tigol (Tigol), STC’s Discipline-in-Charge, for appropriate action. Thereafter, following an investigation, STC found the identified students to have deported themselves in a manner proscribed by the school’s Student Handbook, to wit:

1. Possession of alcoholic drinks outside the school campus;

2. Engaging in immoral, indecent, obscene or lewd acts;

3. Smoking and drinking alcoholic beverages in public places;

4. Apparel that exposes the underwear;

5. Clothing that advocates unhealthy behaviour; depicts obscenity; contains sexually suggestive messages, language or symbols; and

6. Posing and uploading pictures on the Internet that entail ample body exposure.

On March 1, 2012, Julia, Julienne, Angela, and the other students in the pictures in question, reported, as required, to the office of Sr. Celeste Ma. Purisima Pe (Sr. Purisima), STC’s high school principal and ICM6 Directress. They claimed that during the meeting, they were castigated and verbally abused by the STC officials present in the conference, including Assistant Principal Mussolini S. Yap (Yap), Roswinda Jumiller, and Tigol. What is more, Sr. Purisima informed their parents the following day that, as part of their penalty, they are barred from joining the commencement exercises scheduled on March 30, 2012.

A week before graduation, or on March 23, 2012, Angela’s mother, Dr. Armenia M. Tan (Tan), filed a Petition for Injunction and Damages before the RTC of Cebu City against STC, et al., docketed as Civil Case No. CEB-38594.7 In it, Tan prayed that defendants therein be enjoined from implementing the sanction that precluded Angela from joining the commencement exercises.

On March 25, 2012, petitioner Rhonda Ave Vivares (Vivares), the mother of Julia, joined the fray as an intervenor. On March 28, 2012, defendants in Civil Case No. CEB-38594 filed their memorandum, containing printed copies of the photographs in issue as annexes. That same day, the RTC issued a temporary restraining order (TRO) allowing the students to attend the graduation ceremony, to which STC filed a motion for reconsideration.

Despite the issuance of the TRO, STC, nevertheless, barred the sanctioned students from participating in the graduation rites, arguing that, on the date of the commencement exercises, its adverted motion for reconsideration on the issuance of the TRO remained unresolved.

Thereafter, petitioners filed before the RTC a Petition for the Issuance of a Writ of Habeas Data, docketed as SP. Proc. No. 19251-CEB8 on the basis of the following considerations:

1. The photos of their children in their undergarments (e.g., bra) were taken for posterity before they changed into their swimsuits on the occasion of a birthday beach party;

2. The privacy setting of their children’s Facebook accounts was set at "Friends Only." They, thus, have a reasonable expectation of privacy which must be respected.

3. Respondents, being involved in the field of education, knew or ought to have known of laws that safeguard the right to privacy. Corollarily, respondents knew or ought to have known that the girls, whose privacy has been invaded, are the victims in this case, and not the offenders. Worse, after viewing the photos, the minors were called "immoral" and were punished outright;

4. The photos accessed belong to the girls and, thus, cannot be used and reproduced without their consent. Escudero, however, violated their rights by saving digital copies of the photos and by subsequently showing them to STC’s officials. Thus, the Facebook accounts of petitioners’ children were intruded upon;

5. The intrusion into the Facebook accounts, as well as the copying of information, data, and digital images happened at STC’s Computer Laboratory; and

6. All the data and digital images that were extracted were boldly broadcasted by respondents through their memorandum submitted to the RTC in connection with Civil Case No. CEB-38594.

To petitioners, the interplay of the foregoing constitutes an invasion of their children’s privacy and, thus, prayed that: (a) a writ of habeas data be issued; (b) respondents be ordered to surrender and deposit with the court all soft and printed copies of the subject data before or at the preliminary hearing; and (c) after trial, judgment be rendered declaring all information, data, and digital images accessed, saved or stored, reproduced, spread and used, to have been illegally obtained in violation of the children’s right to privacy.

Finding the petition sufficient in form and substance, the RTC, through an Order dated July 5, 2012, issued the writ of habeas data. Through the same Order, herein respondents were directed to file their verified written return, together with the supporting affidavits, within five (5) working days from service of the writ.

In time, respondents complied with the RTC’s directive and filed their verified written return, laying down the following grounds for the denial of the petition, viz: (a) petitioners are not the proper parties to file the petition; (b) petitioners are engaging in forum shopping; (c) the instant case is not one where a writ of habeas data may issue; and (d) there can be no violation of their right to privacy as there is no reasonable expectation of privacy on Facebook.

Ruling of the Regional Trial Court

On July 27, 2012, the RTC rendered a Decision dismissing the petition for habeas data. The dispositive portion of the Decision pertinently states:

WHEREFORE, in view of the foregoing premises, the Petition is hereby DISMISSED.

The parties and media must observe the aforestated confidentiality.

SO ORDERED.9

To the trial court, petitioners failed to prove the existence of an actual or threatened violation of the minors’ right to privacy, one of the preconditions for the issuance of the writ of habeas data. Moreover, the court a quo held that the photos, having been uploaded on Facebook without restrictions as to who may view them, lost their privacy in some way. Besides, the RTC noted, STC gathered the photographs through legal means and for a legal purpose, that is, the implementation of the school’s policies and rules on discipline.

Not satisfied with the outcome, petitioners now come before this Court pursuant to Section 19 of the Rule on Habeas Data.10

The Issues

The main issue to be threshed out in this case is whether or not a writ of habeas data should be issued given the factual milieu. Crucial in resolving the controversy, however, is the pivotal point of whether or not there was indeed an actual or threatened violation of the right to privacy in the life, liberty, or security of the minors involved in this case.

Our Ruling

We find no merit in the petition.

Procedural issues concerning the availability of the Writ of Habeas Data

The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.11 It is an independent and summary remedy designed to protect the image, privacy, honor, information, and freedom of information of an individual, and to provide a forum to enforce one’s right to the truth and to informational privacy. It seeks to protect a person’s right to control information regarding oneself, particularly in instances in which such information is being collected through unlawful means in order to achieve unlawful ends.12

In developing the writ of habeas data, the Court aimed to protect an individual’s right to informational privacy, among others. A comparative law scholar has, in fact, defined habeas data as "a procedure designed to safeguard individual freedom from abuse in the information age."13 The writ, however, will not issue on the basis merely of an alleged unauthorized access to information about a person. Availment of the writ requires the existence of a nexus between the right to privacy on the one hand, and the right to life, liberty or security on the other.14 Thus, the existence of a person’s right to informational privacy and a showing, at least by substantial evidence, of an actual or threatened violation of the right to privacy in life, liberty or security of the victim are indispensable before the privilege of the writ may be extended.15

Without an actionable entitlement in the first place to the right to informational privacy, a habeas data petition will not prosper. Viewed from the perspective of the case at bar, this requisite begs this question: given the nature of an online social network (OSN)––(1) that it facilitates and promotes real-time interaction among millions, if not billions, of users, sans the spatial barriers,16 bridging the gap created by physical space; and (2) that any information uploaded in OSNs leaves an indelible trace in the provider’s databases, which are outside the control of the end-users––is there a right to informational

privacy in OSN activities of its users? Before addressing this point, We must first resolve the procedural issues in this case.

a. The writ of habeas data is not only confined to cases of extralegal killings and enforced disappearances

Contrary to respondents’ submission, the Writ of Habeas Data was not enacted solely for the purpose of complementing the Writ of Amparo in cases of extralegal killings and enforced disappearances.

Section 2 of the Rule on the Writ of Habeas Data provides:

Sec. 2. Who May File. – Any aggrieved party may file a petition for the writ of habeas data. However, in cases of extralegal killings and enforced disappearances, the petition may be filed by:

(a) Any member of the immediate family of the aggrieved party, namely: the spouse, children and parents; or

(b) Any ascendant, descendant or collateral relative of the aggrieved party within the fourth civil degree of consanguinity or affinity, in default of those mentioned in the preceding paragraph. (emphasis supplied)

Had the framers of the Rule intended to narrow the operation of the writ only to cases of extralegal killings or enforced disappearances, the above underscored portion of Section 2, reflecting a variance of habeas data situations, would not have been made.

Habeas data, to stress, was designed "to safeguard individual freedom from abuse in the information age."17 As such, it is erroneous to limit its applicability to extralegal killings and enforced disappearances only. In fact, the annotations to the Rule prepared by the Committee on the Revision of the Rules of Court, after explaining that the Writ of Habeas Data complements the Writ of Amparo, pointed out that:

The writ of habeas data, however, can be availed of as an independent remedy to enforce one’s right to privacy, more specifically the right to informational privacy. The remedies against the violation of such right can include the updating, rectification, suppression or destruction of the database or information or files in possession or in control of respondents.18 (emphasis Ours)

Clearly then, the privilege of the Writ of Habeas Data may also be availed of in cases outside of extralegal killings and enforced disappearances.

b. Meaning of "engaged" in the gathering, collecting or storing of data or information

Respondents’ contention that the habeas data writ may not issue against STC, it not being an entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party, while valid to a point, is, nonetheless, erroneous.

To be sure, nothing in the Rule would suggest that the habeas data protection shall be available only against abuses of a person or entity engaged in the business of gathering, storing, and collecting of data. As provided under Section 1 of the Rule:

Section 1. Habeas Data. – The writ of habeas data is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party. (emphasis Ours)

The provision, when taken in its proper context, as a whole, irresistibly conveys the idea that habeas data is a protection against unlawful acts or omissions of public officials and of private individuals or entities engaged in gathering, collecting, or storing data about the aggrieved party and his or her correspondences, or about his or her family. Such individual or entity need not be in the business of collecting or storing data.

To "engage" in something is different from undertaking a business endeavour. To "engage" means "to do or take part in something."19 It does not necessarily mean that the activity must be done in pursuit of a business. What matters is that the person or entity must be gathering, collecting or storing said data or information about the aggrieved party or his or her family. Whether such undertaking carries the element of regularity, as when one pursues a business, and is in the nature of a personal endeavour, for any other reason or even for no reason at all, is immaterial and such will not prevent the writ from getting to said person or entity.

To agree with respondents’ above argument, would mean unduly limiting the reach of the writ to a very small group, i.e., private persons and entities whose business is data gathering and storage, and in the process decreasing the effectiveness of the writ as an instrument designed to protect a right which is easily violated in view of rapid advancements in the information and communications technology––a right which a great majority of the users of technology themselves are not capable of protecting.

Having resolved the procedural aspect of the case, We now proceed to the core of the controversy.

The right to informational privacy on Facebook

a. The Right to Informational Privacy

The concept of privacy has, through time, greatly evolved, with technological advancements having an influential part therein. This evolution was briefly recounted in former Chief Justice Reynato S. Puno’s speech, The Common Right to Privacy,20 where he explained the three strands of the right to privacy, viz: (1) locational or situational privacy;21 (2) informational privacy; and (3) decisional privacy.22 Of the three, what is relevant to the case at bar is the right to informational privacy––usually defined as the right of individuals to control information about themselves.23

With the availability of numerous avenues for information gathering and data sharing nowadays, not to mention each system’s inherent vulnerability to attacks and intrusions, there is more reason that every individual’s right to control said flow of information should be protected and that each individual should have at least a reasonable expectation of privacy in cyberspace. Several commentators regarding privacy and social networking sites, however, all agree that given the millions of OSN users, "[i]n this [Social Networking] environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking."24

It is due to this notion that the Court saw the pressing need to provide for judicial remedies that would allow a summary hearing of the unlawful use of data or information and to remedy possible violations of the right to privacy.25 In the same vein, the South African High Court, in its Decision in the landmark case, H v. W,26 promulgated on January 30, 2013, recognized that "[t]he law has to take into account the changing realities not only technologically but also socially or else it will lose credibility in the eyes of the people. x x x It is imperative that the courts respond appropriately to changing times, acting cautiously and with wisdom." Consistent with this, the Court, by developing what may be viewed as the Philippine model of the writ of habeas data, in effect, recognized that, generally speaking, having an expectation of informational privacy is not necessarily incompatible with engaging in cyberspace activities, including those that occur in OSNs.

The question now though is up to what extent is the right to privacy protected in OSNs? Bear in mind that informational privacy involves personal information. At the same time, the very purpose of OSNs is socializing––sharing a myriad of information,27 some of which would have otherwise remained personal.

b. Facebook’s Privacy Tools: a response to the clamor for privacy in OSN activities

Briefly, the purpose of an OSN is precisely to give users the ability to interact and to stay connected to other members of the same or different social media platform through the sharing of statuses, photos, videos, among others, depending on the services provided by the site. It is akin to having a room filled with millions of personal bulletin boards or "walls," the contents of which are under the control of each and every user. In his or her bulletin board, a user/owner can post anything––from text, to pictures, to music and videos––access to which would depend on whether he or she allows one, some or all of the other users to see his or her posts. Since gaining popularity, the OSN phenomenon has paved the way to the creation of various social networking sites, including the one involved in the case at bar, www.facebook.com (Facebook), which, according to its developers, people use "to stay connected with friends and family, to discover what’s going on in the world, and to share and express what matters to them."28

Facebook connections are established through the process of "friending" another user. By sending a "friend request," the user invites another to connect their accounts so that they can view any and all "Public" and "Friends Only" posts of the other. Once the request is accepted, the link is established and both users are permitted to view the other user’s "Public" or "Friends Only" posts, among others. "Friending," therefore, allows the user to form or maintain one-to-one relationships with other users, whereby the user gives his or her "Facebook friend" access to his or her profile and shares certain information to the latter.29

To address concerns about privacy,30 but without defeating its purpose, Facebook was armed with different privacy tools designed to regulate the accessibility of a user’s profile31 as well as information uploaded by the user. In H v. W,32 the South Gauteng High Court recognized this ability of the users to "customize their privacy settings," but did so with this caveat: "Facebook states in its policies that, although it makes every effort to protect a user’s information, these privacy settings are not foolproof."33

For instance, a Facebook user can regulate the visibility and accessibility of digital images (photos), posted on his or her personal bulletin or "wall," except for the user’s profile picture and ID, by selecting his or her desired privacy setting:

(a) Public - the default setting; every Facebook user can view the photo;

(b) Friends of Friends - only the user’s Facebook friends and their friends can view the photo;

(b) Friends - only the user’s Facebook friends can view the photo;

(c) Custom - the photo is made visible only to particular friends and/or networks of the Facebook user; and

(d) Only Me - the digital image can be viewed only by the user.

The foregoing are privacy tools, available to Facebook users, designed to set up barriers to broaden or limit the visibility of his or her specific profile content, statuses, and photos, among others, from another user’s point of view. In other words, Facebook extends its users an avenue to make the availability of their Facebook activities reflect their choice as to "when and to what extent to disclose facts about [themselves] – and to put others in the position of receiving such confidences."34 Ideally, the selected setting will be based on one’s desire to interact with others, coupled with the opposing need to withhold certain information as well as to regulate the spreading of his or her personal information. Needless to say, as the privacy setting becomes more limiting, fewer Facebook users can view that user’s particular post.

STC did not violate petitioners’ daughters’ right to privacy

Without these privacy settings, respondents’ contention that there is no reasonable expectation of privacy in Facebook would, in context, be correct. However, such is not the case. It is through the availability of said privacy tools that many OSN users are said to have a subjective expectation that only those to whom they grant access to their profile will view the information they post or upload thereto.35

This, however, does not mean that any Facebook user automatically has a protected expectation of privacy in all of his or her Facebook activities.

Before one can have an expectation of privacy in his or her OSN activity, it is first necessary that said user, in this case the children of petitioners, manifest the intention to keep certain posts private, through the employment of measures to prevent access thereto or to limit its visibility.36 And this intention can materialize in cyberspace through the utilization of the OSN’s privacy tools. In other words, utilization of these privacy tools is the manifestation, in cyber world, of the user’s invocation of his or her right to informational privacy.37

Therefore, a Facebook user who opts to make use of a privacy tool to grant or deny access to his or her post or profile detail should not be denied the informational privacy right which necessarily accompanies said choice.38 Otherwise, using these privacy tools would be a feckless exercise, such that if, for instance, a user uploads a photo or any personal information to his or her Facebook page and sets its privacy level at "Only Me" or a custom list so that only the user or a chosen few can view it, said photo would still be deemed public by the courts as if the user never chose to limit the photo’s visibility and accessibility. Such position, if adopted, will not only strip these privacy tools of their function but it would also disregard the very intention of the user to keep said photo or information within the confines of his or her private space.

We must now determine the extent that the images in question were visible to other Facebook users and whether the disclosure was confidential in nature. In other words, did the minors limit the disclosure

of the photos such that the images were kept within their zones of privacy? This determination is necessary in resolving the issue of whether the minors carved out a zone of privacy when the photos were uploaded to Facebook so that the images will be protected against unauthorized access and disclosure.

Petitioners, in support of their thesis about their children’s privacy right being violated, insist that Escudero intruded upon their children’s Facebook accounts, downloaded copies of the pictures and showed said photos to Tigol. To them, this was a breach of the minors’ privacy since their Facebook accounts, allegedly, were under "very private" or "Only Friends" setting safeguarded with a password.39 Ultimately, they posit that their children’s disclosure was only limited since their profiles were not open to public viewing. Therefore, according to them, people who are not their Facebook friends, including respondents, are barred from accessing said post without their knowledge and consent. As petitioner’s children testified, it was Angela who uploaded the subject photos which were only viewable by the five of them,40 although who these five are do not appear on the records.

Escudero, on the other hand, stated in her affidavit41 that "my students showed me some pictures of girls clad in brassieres. This student [sic] of mine informed me that these are senior high school [students] of STC, who are their friends in [F]acebook. x x x They then said [that] there are still many other photos posted on the Facebook accounts of these girls. At the computer lab, these students then logged into their Facebook account [sic], and accessed from there the various photographs x x x. They even told me that there had been times when these photos were ‘public’ i.e., not confined to their friends in Facebook."

In this regard, We cannot give much weight to the minors’ testimonies for one key reason: failure to question the students’ act of showing the photos to Tigol disproves their allegation that the photos were viewable only by the five of them. Without any evidence to corroborate their statement that the images were visible only to the five of them, and without their challenging Escudero’s claim that the other students were able to view the photos, their statements are, at best, self-serving, thus deserving scant consideration.42

It is well to note that not one of petitioners disputed Escudero’s sworn account that her students, who are the minors’ Facebook "friends," showed her the photos using their own Facebook accounts. This only goes to show that no special means to be able to view the allegedly private posts were ever resorted to by Escudero’s students,43 and that it is reasonable to assume, therefore, that the photos were, in reality, viewable either by (1) their Facebook friends, or (2) by the public at large.

Considering that the default setting for Facebook posts is "Public," it can be surmised that the photographs in question were viewable to everyone on Facebook, absent any proof that petitioners’ children positively limited the disclosure of the photograph. If such were the case, they cannot invoke the protection attached to the right to informational privacy. The ensuing pronouncement in US v. Gines-Perez44 is most instructive:

[A] person who places a photograph on the Internet precisely intends to forsake and renounce all privacy rights to such imagery, particularly under circumstances such as here, where the Defendant did not employ protective measures or devices that would have controlled access to the Web page or the photograph itself.45

Also, United States v. Maxwell46 held that "[t]he more open the method of transmission is, the less privacy one can reasonably expect. Messages sent to the public at large in the chat room or e-mail that is forwarded from correspondent to correspondent loses any semblance of privacy."

That the photos are viewable by "friends only" does not necessarily bolster the petitioners’ contention. In this regard, the cyber community is agreed that the digital images under this setting still remain to be outside the confines of the zones of privacy in view of the following:

(1) Facebook "allows the world to be more open and connected by giving its users the tools to interact and share in any conceivable way;"47

(2) A good number of Facebook users "befriend" other users who are total strangers;48

(3) The sheer number of "Friends" one user has, usually by the hundreds; and

(4) A user’s Facebook friend can "share"49 the former’s post, or "tag"50 others who are not Facebook friends with the former, despite its being visible only to his or her own Facebook friends.

It is well to emphasize at this point that setting a post’s or profile detail’s privacy to "Friends" is no assurance that it can no longer be viewed by another user who is not Facebook friends with the source of the content. The user’s own Facebook friend can share said content or tag his or her own Facebook friend thereto, regardless of whether the user tagged by the latter is Facebook friends or not with the former. Also, when the post is shared or when a person is tagged, the respective Facebook friends of the person who shared the post or who was tagged can view the post, the privacy setting of which was set at "Friends."

To illustrate, suppose A has 100 Facebook friends and B has 200. A and B are not Facebook friends. If C, A’s Facebook friend, tags B in A’s post, which is set at "Friends," the initial audience of 100 (A’s own Facebook friends) is dramatically increased to 300 (A’s 100 friends plus B’s 200 friends or the public, depending upon B’s privacy setting). As a result, the audience who can view the post is effectively expanded––and to a very large extent.

This, along with its other features and uses, is confirmation of Facebook’s proclivity towards user interaction and socialization rather than seclusion or privacy, as it encourages broadcasting of individual user posts. In fact, it has been said that OSNs have facilitated their users’ self-tribute, thereby resulting into the "democratization of fame."51 Thus, it is suggested, that a profile, or even a post, with visibility set at "Friends Only" cannot easily, more so automatically, be said to be "very private," contrary to petitioners’ argument.

As applied, even assuming that the photos in issue are visible only to the sanctioned students’ Facebook friends, respondent STC can hardly be taken to task for the perceived privacy invasion since it was the minors’ Facebook friends who showed the pictures to Tigol. Respondents were mere recipients of what were posted. They did not resort to any unlawful means of gathering the information as it was voluntarily given to them by persons who had legitimate access to the said posts. Clearly, the fault, if any, lies with the friends of the minors. Curiously enough, however, neither the minors nor their parents imputed any violation of privacy against the students who showed the images to Escudero.

Furthermore, petitioners failed to prove their contention that respondents reproduced and broadcasted the photographs. In fact, what petitioners attributed to respondents as an act of offensive disclosure was no more than the actuality that respondents appended said photographs in their memorandum submitted to the trial court in connection with Civil Case No. CEB-38594.52 These are not tantamount to a violation of the minor’s informational privacy rights, contrary to petitioners’ assertion.

In sum, there can be no quibbling that the images in question, or to be more precise, the photos of minor students scantily clad, are personal in nature, likely to affect, if indiscriminately circulated, the reputation of the minors enrolled in a conservative institution. However, the records are bereft of any evidence, other than bare assertions that they utilized Facebook’s privacy settings to make the photos visible only to them or to a select few. Without proof that they placed the photographs subject of this case within the ambit of their protected zone of privacy, they cannot now insist that they have an expectation of privacy with respect to the photographs in question.

Had it been proved that the access to the pictures posted were limited to the original uploader, through the "Me Only" privacy setting, or that the user’s contact list has been screened to limit access to a select few, through the "Custom" setting, the result may have been different, for in such instances, the intention to limit access to the particular post, instead of being broadcasted to the public at large or all the user’s friends en masse, becomes more manifest and palpable.

On Cyber Responsibility

It has been said that "the best filter is the one between your children’s ears."53 This means that self-regulation on the part of OSN users and internet consumers in general is the best means of avoiding privacy rights violations.54 As a cyberspace community member, one has to be proactive in protecting his or her own privacy.55 It is in this regard that many OSN users, especially minors, fail. Responsible social networking or observance of the "netiquettes"56 on the part of teenagers has been the concern of many due to the widespread notion that teenagers can sometimes go too far since they generally lack the people skills or general wisdom to conduct themselves sensibly in a public forum.57

Respondent STC is clearly aware of this and incorporating lessons on good cyber citizenship in its curriculum to educate its students on proper online conduct may be most timely. Too, it is not only STC but a number of schools and organizations have already deemed it important to include digital literacy and good cyber citizenship in their respective programs and curricula in view of the risks that the children are exposed to every time they participate in online activities.58 Furthermore, considering the complexity of the cyber world and its pervasiveness, as well as the dangers that these children are wittingly or unwittingly exposed to in view of their unsupervised activities in cyberspace, the participation of the parents in disciplining and educating their children about being a good digital citizen is encouraged by these institutions and organizations. In fact, it is believed that "to limit such risks, there’s no substitute for parental involvement and supervision."59

As such, STC cannot be faulted for being steadfast in its duty of teaching its students to be responsible in their dealings and activities in cyberspace, particularly in OSNs, when it enforced the disciplinary actions specified in the Student Handbook, absent a showing that, in the process, it violated the students’ rights.

OSN users should be aware of the risks that they expose themselves to whenever they engage in cyberspace activities. Accordingly, they should be cautious enough to control their privacy and to exercise sound discretion regarding how much information about themselves they are willing to give up. Internet consumers ought to be aware that, by entering or uploading any kind of data or information online, they are automatically and inevitably making it permanently available online, the perpetuation of which is outside the ambit of their control. Furthermore, and more importantly, information, otherwise private, voluntarily surrendered by them can be opened, read, or copied by third parties who may or may not be allowed access to such.

It is, thus, incumbent upon internet users to exercise due diligence in their online dealings and activities and must not be negligent in protecting their rights. Equity serves the vigilant. Demanding relief from the courts, as here, requires that claimants themselves take utmost care in safeguarding a right which they allege to have been violated. These are indispensable. We cannot afford protection to persons if they themselves did nothing to place the matter within the confines of their private zone. OSN users must be mindful enough to learn the use of privacy tools, to use them if they desire to keep the information private, and to keep track of changes in the available privacy settings, such as those of Facebook, especially because Facebook is notorious for changing these settings and the site's layout often.

In finding that respondent STC and its officials did not violate the minors' privacy rights, We find no cogent reason to disturb the findings and case disposition of the court a quo.

In light of the foregoing, the Court need not belabor the other assigned errors.

WHEREFORE, premises considered, the petition is hereby DENIED. The Decision dated July 27, 2012 of the Regional Trial Court, Branch 14 in Cebu City in SP. Proc. No. 19251-CEB is hereby AFFIRMED.

No pronouncement as to costs.

SO ORDERED.

Case Summary and Outcome

The right to privacy is not violated when a third party downloads images from an individual’s Facebook page that are accessible by “friends” of the individual or by the public at large.

Facts:

Minors Nenita Julia V. Daluz and Julienne Vida Suzara, along with several others, took pictures of themselves in their underwear, smoking cigarettes and drinking hard liquor. A third minor, Angela Tan, uploaded them onto Facebook. A computer teacher at the minors’ school, Mylene Rheza T. Escudero, discovered the pictures. The photos were reported to the Discipline in Charge and the girls were found to have violated the Student Handbook.

The students were sent to the Principal’s office where they were chastised and verbally abused. They were also banned from commencement. Angela’s mother filed a Petition for Injunction and Damages asking that the school be denied from prohibiting the girls from attending commencement. A TRO was granted allowing the girls to attend graduation and the Plaintiffs filed a writ of habeas data alleging an invasion of their children’s privacy by the Defendant.

The Regional Trial Court dismissed the petition for habeas data because “petitioners failed to prove the existence of an actual or threatened violation of the minors’ right to privacy.”

Decision Overview

The primary issue was “whether or not there was indeed an actual or threatened violation of the right to privacy in the life, liberty, or security of the minors involved in the case.” A writ of habeas data protects an individual’s right against invasion of informational privacy, and a nexus between the right to privacy and the right to life, liberty or security must be proven.

In this case, the core issue was the right to informational privacy, defined as “the right of individuals to control information about themselves.” To what extent should the right to privacy be protected in online social networks whose sole purpose is sharing information over the web? The petitioners argued that the privacy settings on Facebook limit who can see what information. This gives users a subjective expectation of privacy. The Court agreed. However, the Court also ruled that before one can have an expectation of privacy in her Facebook information, he or she must manifest an intention to keep that information private by utilizing privacy tools. If someone posts something on Facebook and does not limit who can see that information, there is no expectation of privacy. The photos in the case at hand were all viewable by the friends of the girls or by the general public. Therefore, the Court ruled that the Defendants did not violate the minors’ privacy rights by viewing and copying the pictures on the minors’ Facebook pages.

TOPIC: right to informational privacy, writ of habeas data

PONENTE: Velasco, Jr.

PREFATORY:

The individual’s desire for privacy is never absolute, since participation in society is an equally powerful desire. Thus each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication of himself to others, in light of the environmental conditions and social norms set by the society in which he lives.

– Alan Westin, Privacy and Freedom (1967)

FACTS:

Julia and Julienne, both minors, were graduating high school students at St. Theresa’s College (STC), Cebu City. Sometime in January 2012, while changing into their swimsuits for a beach party they were about to attend, Julia and Julienne, along with several others, took digital pictures of themselves clad only in their undergarments. These pictures were then uploaded by Angela on her Facebook profile.

At STC, Mylene Escudero, a computer teacher at STC’s high school department, learned from her students that some seniors at STC posted pictures online, depicting themselves from the waist up, dressed only in brassieres. Escudero then asked her students if they knew who the girls in the photos are. In turn, they readily identified Julia and Julienne, among others.

Using STC’s computers, Escudero’s students logged in to their respective personal Facebook accounts and showed her photos of the identified students, which include: (a) Julia and Julienne drinking hard liquor and smoking cigarettes inside a bar; and (b) Julia and Julienne along the streets of Cebu wearing articles of clothing that show virtually the entirety of their black brassieres.

Also, Escudero’s students claimed that there were times when access to or the availability of the identified students’ photos was not confined to the girls’ Facebook friends, but were, in fact, viewable by any Facebook user.

Investigation ensued. Then Julia, Julienne and other students involved were barred from joining the commencement exercises.

Petitioners, who are the respective parents of the minors, filed a Petition for the Issuance of a Writ of Habeas Data. RTC dismissed the petition for habeas data on the following grounds:

1. Petitioners failed to prove the existence of an actual or threatened violation of the minors’ right to privacy, one of the preconditions for the issuance of the writ of habeas data.
2. The photos, having been uploaded on Facebook without restrictions as to who may view them, lost their privacy in some way.
3. STC gathered the photographs through legal means and for a legal purpose, that is, the implementation of the school’s policies and rules on discipline.

ISSUE: Whether or not there was indeed an actual or threatened violation of the right to privacy in the life, liberty, or security of the minors involved in this case. (Is there a right to informational privacy in online social network activities of its users?)

HELD: (Note that you can skip the preliminary discussions and check the ruling at the latter part)

Nature of Writ of Habeas Data

It is a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home and correspondence of the aggrieved party.

It is an independent and summary remedy designed to protect the image, privacy, honor, information, and freedom of information of an individual, and to provide a forum to enforce one’s right to the truth and to informational privacy. It seeks to protect a person’s right to control information regarding oneself, particularly in instances in which such information is being collected through unlawful means in order to achieve unlawful ends.

In developing the writ of habeas data, the Court aimed to protect an individual’s right to informational privacy, among others. A comparative law scholar has, in fact, defined habeas data as “a procedure designed to safeguard individual freedom from abuse in the information age.”

Issuance of writ of habeas data; requirements

1. The existence of a person’s right to informational privacy
2. An actual or threatened violation of the right to privacy in life, liberty or security of the victim (proven by at least substantial evidence)

Note that the writ will not issue on the basis merely of an alleged unauthorized access to information about a person.

The writ of habeas data is not only confined to cases of extralegal killings and enforced disappearances

The writ of habeas data can be availed of as an independent remedy to enforce one’s right to privacy, more specifically the right to informational privacy. The remedies against the violation of such right can include the updating, rectification, suppression or destruction of the database or information or files in possession or in control of respondents. Clearly then, the privilege of the Writ of Habeas Data may also be availed of in cases outside of extralegal killings and enforced disappearances.

Meaning of “engaged” in the gathering, collecting or storing of data or information

Habeas data is a protection against unlawful acts or omissions of public officials and of private individuals or entities engaged in gathering, collecting, or storing data about the aggrieved party and his or her correspondences, or about his or her family. Such individual or entity need not be in the business of collecting or storing data.

To “engage” in something is different from undertaking a business endeavour. To “engage” means “to do or take part in something.” It does not necessarily mean that the activity must be done in pursuit of a business. What matters is that the person or entity must be gathering, collecting or storing said data or information about the aggrieved party or his or her family. Whether such undertaking carries the element of regularity, as when one pursues a business, and is in the nature of a personal endeavour, for any other reason or even for no reason at all, is immaterial and such will not prevent the writ from getting to said person or entity.

As such, the writ of habeas data may be issued against a school like STC.

Right to informational privacy

Right to informational privacy is the right of individuals to control information about themselves. Several commentators regarding privacy and social networking sites, however, all agree that given the millions of OSN users, “in this Social Networking environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.” So the underlying question now is: Up to what extent is the right to privacy protected in OSNs?

Facebook Privacy Tools

To address concerns about privacy, but without defeating its purpose, Facebook was armed with different privacy tools designed to regulate the accessibility of a user’s profile as well as information uploaded by the user. In H v. W, the South Gauteng High Court recognized this ability of the users to “customize their privacy settings,” but did so with this caveat: “Facebook states in its policies that, although it makes every effort to protect a user’s information, these privacy settings are not foolproof.”

For instance, a Facebook user can regulate the visibility and accessibility of digital images (photos), posted on his or her personal bulletin or “wall,” except for the user’s profile picture and ID, by selecting his or her desired privacy setting:

1. Public – the default setting; every Facebook user can view the photo;
2. Friends of Friends – only the user’s Facebook friends and their friends can view the photo;
3. Friends – only the user’s Facebook friends can view the photo;
4. Custom – the photo is made visible only to particular friends and/or networks of the Facebook user; and
5. Only Me – the digital image can be viewed only by the user.

The foregoing are privacy tools, available to Facebook users, designed to set up barriers to broaden or limit the visibility of his or her specific profile content, statuses, and photos, among others, from another user’s point of view. In other words, Facebook extends its users an avenue to make the availability of their Facebook activities reflect their choice as to “when and to what extent to disclose facts about themselves – and to put others in the position of receiving such confidences.”

LONE ISSUE:

NONE. The Supreme Court held that STC did not violate petitioners’ daughters’ right to privacy as the subject digital photos were viewable either by the minors’ Facebook friends, or by the public at large.

Without any evidence to corroborate the minors’ statement that the images were visible only to the five of them, and without their challenging Escudero’s claim that the other students were able to view the photos, their statements are, at best, self-serving, thus deserving scant consideration.

It is well to note that not one of petitioners disputed Escudero’s sworn account that her students, who are the minors’ Facebook “friends,” showed her the photos using their own Facebook accounts. This only goes to show that no special means to be able to view the allegedly private posts were ever resorted to by Escudero’s students, and that it is reasonable to assume, therefore, that the photos were, in reality, viewable either by (1) their Facebook friends, or (2) by the public at large.

Considering that the default setting for Facebook posts is “Public,” it can be surmised that the photographs in question were viewable to everyone on Facebook, absent any proof that petitioners’ children positively limited the disclosure of the photograph. If such were the case, they cannot invoke the protection attached to the right to informational privacy.

US v. Gines-Perez: A person who places a photograph on the Internet precisely intends to forsake and renounce all privacy rights to such imagery, particularly under circumstances such as here, where the Defendant did not employ protective measures or devices that would have controlled access to the Web page or the photograph itself.

United States v. Maxwell: The more open the method of transmission is, the less privacy one can reasonably expect. Messages sent to the public at large in the chat room or e-mail that is forwarded from correspondent to correspondent loses any semblance of privacy.

The Honorable Supreme Court continued and held that setting a post’s or profile detail’s privacy to “Friends” is no assurance that it can no longer be viewed by another user who is not Facebook friends with the source of the content. The user’s own Facebook friend can share said content or tag his or her
own Facebook friend thereto, regardless of whether the user tagged by the latter is Facebook friends or
not with the former. Also, when the post is shared or when a person is tagged, the respective Facebook
friends of the person who shared the post or who was tagged can view the post, the privacy setting of
which was set at “Friends.” Thus, it is suggested, that a profile, or even a post, with visibility set at
“Friends Only” cannot easily, more so automatically, be said to be “very private,” contrary to
petitioners’ argument.

No privacy invasion by STC; fault lies with the friends of minors

Respondent STC can hardly be taken to task for the perceived privacy invasion since it was the minors’
Facebook friends who showed the pictures to Tigol. Respondents were mere recipients of what were
posted. They did not resort to any unlawful means of gathering the information as it was voluntarily
given to them by persons who had legitimate access to the said posts. Clearly, the fault, if any, lies with
the friends of the minors. Curiously enough, however, neither the minors nor their parents imputed any
violation of privacy against the students who showed the images to Escudero.

Different scenario if setting is set on “Me Only” or “Custom”

Had it been proved that the access to the pictures posted were limited to the original uploader, through
the “Me Only” privacy setting, or that the user’s contact list has been screened to limit access to a select
few, through the “Custom” setting, the result may have been different, for in such instances, the
intention to limit access to the particular post, instead of being broadcasted to the public at large or all
the user’s friends en masse, becomes more manifest and palpable.

FIRST DIVISION

G.R. No. 203254 | October 8, 2014

DR. JOY MARGATE LEE, Petitioner
vs.
P/SUPT. NERI A. ILAGAN, Respondent

DECISION

PERLAS-BERNABE, J.:

Before the Court is a petition for review on certiorari1 assailing the Decision2 dated August 30, 2012 of the Regional Trial Court of Quezon City, Branch 224 (RTC) in SP No. 12-71527, which extended the privilege of the writ of habeas data in favor of respondent Police Superintendent Neri A. Ilagan (Ilagan).

The Facts

In his Petition for Issuance of the Writ of Habeas Data3 dated June 22, 2012, Ilagan alleged that he and petitioner Dr. Joy Margate Lee (Lee) were former common law partners. Sometime in July 2011, he visited Lee at the latter's condominium, rested for a while and thereafter, proceeded to his office. Upon arrival, Ilagan noticed that his digital camera was missing.4 On August 23, 2011, Lee confronted Ilagan at the latter's office regarding a purported sex video (subject video) she discovered from the aforesaid camera involving Ilagan and another woman. Ilagan denied the video and demanded Lee to return the camera, but to no avail.5 During the confrontation, Ilagan allegedly slammed Lee’s head against a wall inside his office and walked away.6 Subsequently, Lee utilized the said video as evidence in filing various complaints against Ilagan, namely: (a) a criminal complaint for violation of Republic Act No. 9262,7 otherwise known as the "Anti-Violence Against Women and Their Children Act of 2004," before the Office of the City Prosecutor of Makati; and (b) an administrative complaint for grave misconduct before the National Police Commission (NAPOLCOM).8 Ilagan claimed that Lee’s acts of reproducing the subject video and threatening to distribute the same to the upper echelons of the NAPOLCOM and uploading it to the internet violated not only his right to life, liberty, security, and privacy but also that of the other woman, and thus, the issuance of a writ of habeas data in his favor is warranted.9

Finding the petition prima facie meritorious, the RTC issued a Writ of Habeas Data10 dated June 25, 2012, directing Lee to appear before the court a quo, and to produce Ilagan’s digital camera, as well as the negative and/or original of the subject video and copies thereof, and to file a verified written return within five (5) working days from date of receipt thereof.

In her Verified Return11 dated July 2, 2012, Lee admitted that she indeed kept the memory card of the digital camera and reproduced the aforesaid video but averred that she only did so to utilize the same as evidence in the cases she filed against Ilagan. She also admitted that her relationship with Ilagan started sometime in 2003 and ended under disturbing circumstances in August 2011, and that she only happened to discover the subject video when Ilagan left his camera in her condominium. Accordingly, Lee contended that Ilagan’s petition for the issuance of the writ of habeas data should be dismissed because: (a) its filing was only aimed at suppressing the evidence against Ilagan in the cases she filed; and (b) she is not engaged in the gathering, collecting, or storing of data regarding the person of Ilagan.12

The RTC Ruling

In a Decision13 dated August 30, 2012, the RTC granted the privilege of the writ of habeas data in Ilagan’s favor, and accordingly, ordered the implementing officer to turn-over copies of the subject video to him, and enjoined Lee from further reproducing the same.14

The RTC did not give credence to Lee’s defense that she is not engaged in the gathering, collecting or storing of data regarding the person of Ilagan, finding that her acts of reproducing the subject video and showing it to other people, i.e., the NAPOLCOM officers, violated the latter’s right to privacy in life and caused him to suffer humiliation and mental anguish. In this relation, the RTC opined that Lee’s use of the subject video as evidence in the various cases she filed against Ilagan is not enough justification for its reproduction. Nevertheless, the RTC clarified that it is only ruling on the return of the aforesaid video and not on its admissibility before other tribunals.15

Dissatisfied, Lee filed this petition.

The Issue Before the Court

The essential issue for the Court’s resolution is whether or not the RTC correctly extended the privilege of the writ of habeas data in favor of Ilagan.

The Court’s Ruling

The petition is meritorious.

A.M. No. 08-1-16-SC, or the Rule on the Writ of Habeas Data (Habeas Data Rule), was conceived as a response, given the lack of effective and available remedies, to address the extraordinary rise in the number of killings and enforced disappearances.16 It was conceptualized as a judicial remedy enforcing the right to privacy, most especially the right to informational privacy of individuals,17 which is defined as "the right to control the collection, maintenance, use, and dissemination of data about oneself."18

As defined in Section 1 of the Habeas Data Rule, the writ of habeas data now stands as "a remedy available to any person whose right to privacy in life, liberty or security is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in the gathering, collecting or storing of data or information regarding the person, family, home, and correspondence of the aggrieved party." Thus, in order to support a petition for the issuance of such writ, Section 6 of the Habeas Data Rule essentially requires that the petition sufficiently alleges, among others, "[t]he manner the right to privacy is violated or threatened and how it affects the right to life, liberty or security of the aggrieved party." In other words, the petition must adequately show that there exists a nexus between the right to privacy on the one hand, and the right to life, liberty or security on the other.19 Corollarily, the allegations in the petition must be supported by substantial evidence showing an actual or threatened violation of the right to privacy in life, liberty or security of the victim.20 In this relation, it bears pointing out that the writ of habeas data will not issue to protect purely property or commercial concerns nor when the grounds invoked in support of the petitions therefor are vague and doubtful.21

In this case, the Court finds that Ilagan was not able to sufficiently allege that his right to privacy in life, liberty or security was or would be violated through the supposed reproduction and threatened
dissemination of the subject sex video. While Ilagan purports a privacy interest in the suppression of this
video – which he fears would somehow find its way to Quiapo or be uploaded in the internet for public
consumption – he failed to explain the connection between such interest and any violation of his right to
life, liberty or security. Indeed, courts cannot speculate or contrive versions of possible
transgressions. As the rules and existing jurisprudence on the matter evoke, alleging and eventually
proving the nexus between one’s privacy right to the cogent rights to life, liberty or security are crucial
in habeas data cases, so much so that a failure on either account certainly renders a habeas
data petition dismissible, as in this case.

In fact, even discounting the insufficiency of the allegations, the petition would equally be dismissible
due to the inadequacy of the evidence presented. As the records show, all that Ilagan submitted in
support of his petition was his self-serving testimony which hardly meets the substantial evidence
requirement as prescribed by the Habeas Data Rule. This is because nothing therein would indicate that
Lee actually proceeded to commit any overt act towards the end of violating Ilagan’s right to privacy in
life, liberty or security. Nor would anything on record even lead a reasonable mind to conclude22 that Lee
was going to use the subject video in order to achieve unlawful ends - say for instance, to spread it to the
public so as to ruin Ilagan's reputation. Contrastingly, Lee even made it clear in her testimony that the
only reason why she reproduced the subject video was to legitimately utilize the same as evidence in the
criminal and administrative cases that she filed against Ilagan.23 Hence, due to the insufficiency of the
allegations as well as the glaring absence of substantial evidence, the Court finds it proper to reverse the
RTC Decision and dismiss the habeas data petition.

WHEREFORE, the petition is GRANTED. The Decision dated August 30, 2012 of the Regional Trial Court of
Quezon City, Branch 224 in SP No. 12-71527 is hereby REVERSED and SET ASIDE. Accordingly, the
Petition for Issuance of the Writ of Habeas Data filed by respondent P/Supt. Neri A. Ilagan
is DISMISSED for lack of merit.

SO ORDERED.

Republic of the Philippines
CONGRESS OF THE PHILIPPINES
Metro Manila

Fifteenth Congress
Second Regular Session

Begun and held in Metro Manila, on Monday, the twenty-fifth day of July, two thousand eleven.

REPUBLIC ACT NO. 10173

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS
PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

Be it enacted, by the Senate and House of Representatives of the Philippines in Congress assembled:

CHAPTER I
GENERAL PROVISIONS

Section 1. Short Title. – This Act shall be known as the "Data Privacy Act of 2012".

Section 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of
privacy, of communication while ensuring free flow of information to promote innovation and growth.
The State recognizes the vital role of information and communications technology in nation-building and
its inherent obligation to ensure that personal information in information and communications systems
in the government and in the private sector are secured and protected.

Section 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective
meanings hereafter set forth:

(a) Commission shall refer to the National Privacy Commission created by virtue of this Act.

(b) Consent of the data subject refers to any freely given, specific, informed indication of will,
whereby the data subject agrees to the collection and processing of personal information
about and/or relating to him or her. Consent shall be evidenced by written, electronic or
recorded means. It may also be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so.

(c) Data subject refers to an individual whose personal information is processed.

(d) Direct marketing refers to communication by whatever means of any advertising or
marketing material which is directed to particular individuals.

(e) Filing system refers to any act of information relating to natural or juridical persons to the
extent that, although the information is not processed by equipment operating automatically
in response to instructions given for that purpose, the set is structured, either by reference to
individuals or by reference to criteria relating to individuals, in such a way that specific
information relating to a particular person is readily accessible.

(f) Information and Communications System refers to a system for generating, sending,
receiving, storing or otherwise processing electronic data messages or electronic documents
and includes the computer system or other similar device by or which data is recorded,
transmitted or stored and any procedure related to the recording, transmission or storage of
electronic data, electronic message, or electronic document.

(g) Personal information refers to any information whether recorded in a material form or
not, from which the identity of an individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.

(h) Personal information controller refers to a person or organization who controls the
collection, holding, processing or use of personal information, including a person or
organization who instructs another person or organization to collect, hold, process, use,
transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another
person or organization; and

(2) An individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.

(i) Personal information processor refers to any natural or juridical person qualified to act as
such under this Act to whom a personal information controller may outsource the processing
of personal data pertaining to a data subject.

(j) Processing refers to any operation or any set of operations performed upon personal
information including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data.

(k) Privileged information refers to any and all forms of data which under the Rules of Court
and other pertinent laws constitute privileged communication.

(l) Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in such
proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or current health records, licenses or
its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept
classified.

Section 4. Scope. – This Act applies to the processing of all types of personal information and to any
natural and juridical person involved in personal information processing including those personal
information controllers and processors who, although not found or established in the Philippines, use
equipment that are located in the Philippines, or those who maintain an office, branch or agency in the
Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section
5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government
institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government
institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the
individual; and

(4) The name of the individual on a document prepared by the individual in the
course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a
government institution that relates to the services performed, including the terms of the
contract, and the name of the individual given in the course of the performance of those
services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting
of a license or permit given by the government to an individual, including the name of the
individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the independent, central
monetary authority and law enforcement and regulatory agencies of their constitutionally
and statutorily mandated functions. Nothing in this Act shall be construed as to have
amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank
Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act;
and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of
the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with
Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the
Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable data privacy
laws, which is being processed in the Philippines.

Section 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as
to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors
or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection
from being compelled to reveal the source of any news report or information appearing in said
publication which was related in any confidence to such publisher, editor, or reporter.

Section 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and
outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or
a resident;

(b) The entity has a link with the Philippines, and the entity is processing personal information
in the Philippines or even if the processing is outside the Philippines as long as it is about
Philippine citizens or residents such as, but not limited to, the following:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but has central management
and control in the country; and

(3) An entity that has a branch, agency, office or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity has access to personal information;
and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and

(2) The personal information was collected or held by an entity in the Philippines.

CHAPTER II
THE NATIONAL PRIVACY COMMISSION

Section 7. Functions of the National Privacy Commission. – To administer and implement the provisions
of this Act, and to monitor and ensure compliance of the country with international standards set for
data protection, there is hereby created an independent body to be known as the National Privacy
Commission, which shall have the following functions:

(a) Ensure compliance of personal information controllers with the provisions of this Act;

(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints
through the use of alternative dispute resolution processes, adjudicate, award indemnity on
matters affecting any personal information, prepare reports on disposition of complaints and
resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any
such report: Provided, That in resolving any complaint or investigation (except where
amicable settlement is reached by the parties), the Commission shall act as a collegial body.
For this purpose, the Commission may be given access to personal information that is subject
of any complaint and to collect the information necessary to perform its functions under this
Act;

(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of
personal information, upon finding that the processing will be detrimental to national security
and public interest;

(d) Compel or petition any entity, government agency or instrumentality to abide by its orders
or take action on a matter affecting data privacy;

(e) Monitor the compliance of other government agencies or instrumentalities on their
security and technical measures and recommend the necessary action in order to meet
minimum standards for protection of personal information pursuant to this Act;

(f) Coordinate with other government agencies and the private sector on efforts to formulate
and implement plans and policies to strengthen the protection of personal information in the
country;

(g) Publish on a regular basis a guide to all laws relating to data protection;

(h) Publish a compilation of agency system of records and notices, including index and other
finding aids;

(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of
penalties specified in Sections 25 to 29 of this Act;

(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by
personal information controllers: Provided, That the privacy codes shall adhere to the
underlying data privacy principles embodied in this Act: Provided, further, That such privacy
codes may include private dispute resolution mechanisms for complaints against any
participating personal information controller. For this purpose, the Commission shall consult
with relevant regulatory agencies in the formulation and administration of privacy codes
applying the standards set out in this Act, with respect to the persons, entities, business
activities and business sectors that said regulatory bodies are authorized to principally
regulate pursuant to the law: Provided, finally, That the Commission may review such privacy
codes and require changes thereto for purposes of complying with this Act;

(k) Provide assistance on matters relating to privacy or data protection at the request of a
national or local agency, a private entity or any person;

(l) Comment on the implication on data privacy of proposed national or local statutes,
regulations or procedures, issue advisory opinions and interpret the provisions of this Act and
other data privacy laws;

(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data
protection as may be necessary;

(n) Ensure proper and effective coordination with data privacy regulators in other countries
and private accountability agents, participate in international and regional initiatives for data
privacy protection;

(o) Negotiate and contract with other data privacy authorities of other countries for
cross-border application and implementation of respective privacy laws;

(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data
protection laws and regulations; and

(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of
data privacy protection.

Section 8. Confidentiality. – The Commission shall ensure at all times the confidentiality of any personal
information that comes to its knowledge and possession.

Section 9. Organizational Structure of the Commission. – The Commission shall be attached to the
Department of Information and Communications Technology (DICT) and shall be headed by a Privacy
Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be
assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems
and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy
Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3)
years, and may be reappointed for another term of three (3) years. Vacancies in the Commission shall be
filled in the same manner in which the original appointment was made.

The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character,
unquestionable integrity and known probity, and a recognized expert in the field of information
technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and
emoluments equivalent to the rank of Secretary.

The Deputy Privacy Commissioners must be recognized experts in the field of information and
communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments
equivalent to the rank of Undersecretary.

The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under
their direction, shall not be civilly liable for acts done in good faith in the performance of their duties.
However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to
law, morals, public policy and good customs even if he or she acted under orders or instructions of
superiors: Provided, That in case a lawsuit is filed against such official on the subject of the performance
of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission
for reasonable costs of litigation.

Section 10. The Secretariat. – The Commission is hereby authorized to establish a Secretariat. Majority of
the members of the Secretariat must have served for at least five (5) years in any agency of the
government that is involved in the processing of personal information including, but not limited to, the
following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land
Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation
(PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of
Justice (DOJ), and Philippine Postal Corporation (Philpost).

CHAPTER III
PROCESSING OF PERSONAL INFORMATION

Section 11. General Data Privacy Principles. – The processing of personal information shall be allowed,
subject to compliance with the requirements of this Act and other laws allowing disclosure of
information to the public and adherence to the principles of transparency, legitimate purpose and
proportionality.

Personal information must be:

(a) Collected for specified and legitimate purposes determined and declared before, or as
soon as reasonably practicable after collection, and later processed in a way compatible with
such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used the
processing of personal information, kept up to date; inaccurate or incomplete data must be
rectified, supplemented, destroyed or their further processing restricted;

(d) Adequate and not excessive in relation to the purposes for which they are collected and
processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which the
data was obtained or for the establishment, exercise or defense of legal claims, or for
legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is necessary
for the purposes for which the data were collected and processed: Provided, That personal
information collected for other purposes may be processed for historical, statistical or
scientific purposes, and in cases laid down in law may be stored for longer periods: Provided,
further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing
principles set out herein.

Section 12. Criteria for Lawful Processing of Personal Information. – The processing of personal
information shall be permitted only if not otherwise prohibited by law, and when at least one of the
following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a
contract with the data subject or in order to take steps at the request of the data subject prior
to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal
information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject,
including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the
requirements of public order and safety, or to fulfill functions of public authority which
necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the
personal information controller or by a third party or parties to whom the data is disclosed,
except where such interests are overridden by fundamental rights and freedoms of the data
subject which require protection under the Philippine Constitution.

Section 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive
personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the
processing, or in the case of privileged information, all parties to the exchange have given
their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That
such regulatory enactments guarantee the protection of the sensitive personal information
and the privileged information: Provided, further, That the consent of the data subjects are
not required by law or regulation permitting the processing of the sensitive personal
information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another
person, and the data subject is not legally or physically able to express his or her consent prior
to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public
organizations and their associations: Provided, That such processing is only confined and
related to the bona fide members of these organizations or their associations: Provided,
further, That the sensitive personal information are not transferred to third parties: Provided,
finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical
practitioner or a medical treatment institution, and an adequate level of protection of
personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of
lawful rights and interests of natural or legal persons in court proceedings, or the
establishment, exercise or defense of legal claims, or when provided to government or public
authority.

Section 14. Subcontract of Personal Information. – A personal information controller may subcontract
the processing of personal information: Provided, That the personal information controller shall be
responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal
information processed, prevent its use for unauthorized purposes, and generally, comply with the
requirements of this Act and other laws for processing of personal information. The personal information
processor shall comply with all the requirements of this Act and other applicable laws.

Section 15. Extension of Privileged Communication. – Personal information controllers may invoke the
principle of privileged communication over privileged information that they lawfully control or process.
Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible.

CHAPTER IV
RIGHTS OF THE DATA SUBJECT

Section 16. Rights of the Data Subject. – The data subject is entitled to:

(a) Be informed whether personal information pertaining to him or her shall be, are being or
have been processed;

(b) Be furnished the information indicated hereunder before the entry of his or her personal
information into the processing system of the personal information controller, or at the next
practical opportunity:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its
representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to
lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall not
be amended without prior notification of data subject: Provided, That the notification under
subsection (b) shall not apply should the personal information be needed pursuant to
a subpoena or when the collection and processing are for obvious purposes, including when it
is necessary for the performance of or in relation to a contract or service or when necessary
or desirable in the context of an employer-employee relationship, between the collector and
the data subject, or when the information is being collected and processed as a result of legal
obligation;

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made
as the sole basis for any decision significantly affecting or will affect the data
subject;

(7) Date when his or her personal information concerning the data subject were
last accessed and modified; and

(8) The designation, or name or identity and address of the personal information
controller;

(d) Dispute the inaccuracy or error in the personal information and have the personal
information controller correct it immediately and accordingly, unless the request is vexatious
or otherwise unreasonable. If the personal information have been corrected, the personal
information controller shall ensure the accessibility of both the new and the retracted
information and the simultaneous receipt of the new and the retracted information by
recipients thereof: Provided, That the third parties who have previously received such
processed personal information shall be informed of its inaccuracy and its rectification upon
reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal
information from the personal information controller’s filing system upon discovery and
substantial proof that the personal information are incomplete, outdated, false, unlawfully
obtained, used for unauthorized purposes or are no longer necessary for the purposes for
which they were collected. In this case, the personal information controller may notify third
parties who have previously received such processed personal information; and

(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated,
false, unlawfully obtained or unauthorized use of personal information.

Section 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the data
subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time
after the death of the data subject or when the data subject is incapacitated or incapable of exercising
the rights as enumerated in the immediately preceding section.

Section 18. Right to Data Portability. – The data subject shall have the right, where personal information
is processed by electronic means and in a structured and commonly used format, to obtain from the
personal information controller a copy of data undergoing processing in an electronic or structured
format, which is commonly used and allows for further use by the data subject. The Commission may
specify the electronic format referred to above, as well as the technical standards, modalities and
procedures for their transfer.

Section 19. Non-Applicability. – The immediately preceding sections are not applicable if the processed
personal information are used only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That
the personal information shall be held under strict confidentiality and shall be used only for the declared
purpose. Likewise, the immediately preceding sections are not applicable to processing of personal
information gathered for the purpose of investigations in relation to any criminal, administrative or tax
liabilities of a data subject.

CHAPTER V
SECURITY OF PERSONAL INFORMATION

security implementation. Subject to guidelines as the Commission may issue from time to time, the
measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized
usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action against
security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive, corrective
and mitigating action against security incidents that can lead to a security breach.

(d) The personal information controller must further ensure that third parties processing personal
information on its behalf shall implement the security measures required by this provision.

(e) The employees, agents or representatives of a personal information controller who are involved in
the processing of personal information shall operate and hold personal information under strict
confidentiality if the personal information are not intended for public disclosure. This obligation shall
continue even after leaving the public service, transfer to another position or upon termination of
employment or contractual relations.

(f) The personal information controller shall promptly notify the Commission and affected data subjects
when sensitive personal information or other information that may, under the circumstances, be used to
enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such unauthorized acquisition is likely to
give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe
the nature of the breach, the sensitive personal information possibly involved, and the measures taken
by the entity to address the breach. Notification may be delayed only to the extent necessary to
determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to
the information and communications system.

(1) In evaluating if notification is unwarranted, the Commission may take into account
compliance by the personal information controller with this section and existence of good
Section 20. Security of Personal Information. – (a) The personal information controller must implement
faith in the acquisition of personal information.
reasonable and appropriate organizational, physical and technical measures intended for the protection
of personal information against any accidental or unlawful destruction, alteration and disclosure, as well
as against any other unlawful processing. (2) The Commission may exempt a personal information controller from notification where, in
its reasonable judgment, such notification would not be in the public interest or in the
interests of the affected data subjects.
(b) The personal information controller shall implement reasonable and appropriate measures to protect
personal information against natural dangers such as accidental loss or destruction, and human dangers
such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. (3) The Commission may authorize postponement of notification where it may hinder the
progress of a criminal investigation related to a serious breach.
(c) The determination of the appropriate level of security under this section must take into account the
nature of the personal information to be protected, the risks represented by the processing, the size of CHAPTER VI
the organization and complexity of its operations, current data privacy best practices and the cost of ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION

Section 21. Principle of Accountability. – Each personal information controller is responsible for personal
information under its control or custody, including information that have been transferred to a third
party for processing, whether domestically or internationally, subject to cross-border arrangement and
cooperation.

(a) The personal information controller is accountable for complying with the requirements of
this Act and shall use contractual or other reasonable means to provide a comparable level of
protection while the information are being processed by a third party.

(b) The personal information controller shall designate an individual or individuals who are
accountable for the organization’s compliance with this Act. The identity of the individual(s)
so designated shall be made known to any data subject upon request.

CHAPTER VII
SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT

Section 22. Responsibility of Heads of Agencies. – All sensitive personal information maintained by the
government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the
most appropriate standard recognized by the information and communications technology industry, and
as recommended by the Commission. The head of each government agency or instrumentality shall be
responsible for complying with the security requirements mentioned herein while the Commission shall
monitor the compliance and may recommend the necessary action in order to satisfy the minimum
standards.

Section 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information. – (a)
On-site and Online Access – Except as may be allowed through guidelines to be issued by the
Commission, no employee of the government shall have access to sensitive personal information on
government property or through online facilities unless the employee has received a security clearance
from the head of the source agency.

(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive
personal information maintained by an agency may not be transported or accessed from a location off
government property unless a request for such transportation or access is submitted and approved by
the head of the agency in accordance with the following guidelines:

(1) Deadline for Approval or Disapproval – In the case of any request submitted to the head of
an agency, such head of the agency shall approve or disapprove the request within two (2)
business days after the date of submission of the request. In case there is no action by the
head of the agency, then such request is considered disapproved;

(2) Limitation to One thousand (1,000) Records – If a request is approved, the head of the
agency shall limit the access to not more than one thousand (1,000) records at a time; and

(3) Encryption – Any technology used to store, transport or access sensitive personal
information for purposes of off-site access approved under this subsection shall be secured by
the use of the most secure encryption standard recognized by the Commission.

The requirements of this subsection shall be implemented not later than six (6) months after the date of
the enactment of this Act.

Section 24. Applicability to Government Contractors. – In entering into any contract that may involve
accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an
agency shall require a contractor and its employees to register their personal information processing
system with the Commission in accordance with this Act and to comply with the other provisions of this
Act including the immediately preceding section, in the same manner as agencies and government
employees comply with such requirements.

CHAPTER VIII
PENALTIES

Section 25. Unauthorized Processing of Personal Information and Sensitive Personal Information. – (a)
The unauthorized processing of personal information shall be penalized by imprisonment ranging from
one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00)
but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process
personal information without the consent of the data subject, or without being authorized under this Act
or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment
ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons
who process personal information without the consent of the data subject, or without being authorized
under this Act or any existing law.

Section 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. – (a)
Accessing personal information due to negligence shall be penalized by imprisonment ranging from one
(1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to
negligence, provided access to personal information without being authorized under this Act or any
existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment
ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons
who, due to negligence, provided access to personal information without being authorized under this Act
or any existing law.

Section 27. Improper Disposal of Personal Information and Sensitive Personal Information. – (a) The
improper disposal of personal information shall be penalized by imprisonment ranging from six (6)
months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but
not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard or abandon the personal information of an individual in an area
accessible to the public or has otherwise placed the personal information of an individual in its container
for trash collection.

b) The improper disposal of sensitive personal information shall be penalized by imprisonment ranging
from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos
(Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons
who knowingly or negligently dispose, discard or abandon the personal information of an individual in an
area accessible to the public or has otherwise placed the personal information of an individual in its
container for trash collection.

Section 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized
Purposes. – The processing of personal information for unauthorized purposes shall be penalized by
imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than
Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)
shall be imposed on persons processing personal information for purposes not authorized by the data
subject, or otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be penalized by
imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be
imposed on persons processing sensitive personal information for purposes not authorized by the data
subject, or otherwise authorized under this Act or under existing laws.

Section 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from one
(1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and
unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system
where personal and sensitive personal information is stored.

Section 30. Concealment of Security Breaches Involving Sensitive Personal Information. – The penalty of
imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons who, after having knowledge of a security breach and of the obligation to notify the
Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security
breach.

Section 31. Malicious Disclosure. – Any personal information controller or personal information
processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses
unwarranted or false information relative to any personal information or personal sensitive information
obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than One million pesos (Php1,000,000.00).

Section 32. Unauthorized Disclosure. – (a) Any personal information controller or personal information
processor or any of its officials, employees or agents, who discloses to a third party personal information
not covered by the immediately preceding section without the consent of the data subject, shall be
subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

(b) Any personal information controller or personal information processor or any of its officials,
employees or agents, who discloses to a third party sensitive personal information not covered by the
immediately preceding section without the consent of the data subject, shall be subject to imprisonment
ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00).

Section 33. Combination or Series of Acts. – Any combination or series of acts as defined in Sections 25 to
32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine
of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos
(Php5,000,000.00).

Section 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical person, the
penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by
their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the
court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in
addition to the penalties herein prescribed, be deported without further proceedings after serving the
penalties prescribed. If the offender is a public official or employee and he or she is found guilty of acts
penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed
herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.

Section 35. Large-Scale. – The maximum penalty in the scale of penalties respectively provided for the
preceding offenses shall be imposed when the personal information of at least one hundred (100)
persons is harmed, affected or involved as the result of the above mentioned actions.

Section 36. Offense Committed by Public Officer. – When the offender or the person responsible for the
offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or
her duties, an accessory penalty consisting in the disqualification to occupy public office for a term
double the term of criminal penalty imposed shall be applied.

Section 37. Restitution. – Restitution for any aggrieved party shall be governed by the provisions of the
New Civil Code.

CHAPTER IX
MISCELLANEOUS PROVISIONS

Section 38. Interpretation. – Any doubt in the interpretation of any provision of this Act shall be liberally
interpreted in a manner mindful of the rights and interests of the individual about whom personal
information is processed.

Section 39. Implementing Rules and Regulations (IRR). – Within ninety (90) days from the effectivity of
this Act, the Commission shall promulgate the rules and regulations to effectively implement the
provisions of this Act.

Section 40. Reports and Information. – The Commission shall annually report to the President and
Congress on its activities in carrying out the provisions of this Act. The Commission shall undertake
whatever efforts it may determine to be necessary or appropriate to inform and educate the public of
data privacy, data protection and fair information rights and responsibilities.

Section 41. Appropriations Clause. – The Commission shall be provided with an initial appropriation of
Twenty million pesos (Php20,000,000.00) to be drawn from the national government. Appropriations for
the succeeding years shall be included in the General Appropriations Act. It shall likewise receive Ten
million pesos (Php10,000,000.00) per year for five (5) years upon implementation of this Act drawn from
the national government.

Section 42. Transitory Provision. – Existing industries, businesses and offices affected by the
implementation of this Act shall be given one (1) year transitory period from the effectivity of the IRR or
such other period as may be determined by the Commission, to comply with the requirements of this
Act.

In case that the DICT has not yet been created by the time the law takes full force and effect, the
National Privacy Commission shall be attached to the Office of the President.

Section 43. Separability Clause. – If any provision or part hereof is held invalid or unconstitutional, the
remainder of the law or the provision not otherwise affected shall remain valid and subsisting.

Section 44. Repealing Clause. – The provision of Section 7 of Republic Act No. 9372, otherwise known as
the "Human Security Act of 2007", is hereby amended. Except as otherwise expressly provided in this
Act, all other laws, decrees, executive orders, proclamations and administrative regulations or parts
thereof inconsistent herewith are hereby repealed or modified accordingly.

Section 45. Effectivity Clause. – This Act shall take effect fifteen (15) days after its publication in at least
two (2) national newspapers of general circulation.

Approved,

(Sgd.) JUAN PONCE ENRILE (Sgd.) FELICIANO BELMONTE JR.


President of the Senate Speaker of the House of Representatives

This Act which is a consolidation of Senate Bill No. 2965 and House Bill No. 4115 was finally passed by
the Senate and the House of Representatives on June 6, 2012.

(Sgd.) EMMA LIRIO-REYES (Sgd.) MARILYN B. BARUA-YAP


Secretary of Senate Secretary General
House of Representatives

Approved: AUG 15 2012

(Sgd.) BENIGNO S. AQUINO III


President of the Philippines

A DEFINITION OF GDPR (GENERAL DATA PROTECTION REGULATION)

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in
April 2016, will replace the Data Protection Directive 95/46/ec in Spring 2018 as the primary law
regulating how companies protect EU citizens' personal data. Companies that are already in compliance
with the Directive must ensure that they’re compliant with the new requirements of the GDPR before it
becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the
deadline will be subject to stiff penalties and fines.

GDPR requirements apply to each member state of the European Union, aiming to create more
consistent protection of consumer and personal data across EU nations. Some of the key privacy and
data protection requirements of the GDPR include:

Requiring the consent of subjects for data processing

Anonymizing collected data to protect privacy

Providing data breach notifications

Safely handling the transfer of data across borders

Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data
to better safeguard the processing and movement of citizens’ personal data.

WHO IS SUBJECT TO GDPR COMPLIANCE?

The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each
member state no longer needs to write its own data protection laws and laws are consistent across the
entire EU. In addition to EU members, it is important to note that any company that markets goods or
services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have
an impact on data protection requirements globally.

REQUIREMENTS OF GENERAL DATA PROTECTION REGULATION 2018

The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles
that have the greatest potential impact on security operations:

Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that
is processed automatically. The result is that data subjects may transfer their personal data between
service providers more easily (also called the “right to portability”), and they may direct a controller to
erase their personal data under certain circumstances (also called the “right to erasure”).

Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection
measures to protect consumers’ personal data and privacy against loss or exposure.

Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies
requirements for single data breaches: controllers must notify SAs of a personal data breach within 72
hours of learning of the breach and must provide specific details of the breach such as the nature of it
and the approximate number of data subjects affected. Article 32 requires data controllers to notify data
subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high
risk.

Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact
Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those
risks are addressed.

Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any
company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious
beliefs, etc. must designate a data protection officer; these officers serve to advise companies about
compliance with the regulation and act as a point of contact with Supervising Authorities (SAs). Some
companies may be subjected to this aspect of the GDPR simply because they collect personal
information about their employees as part of human resources processes.

Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in
ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

Article 45 – Article 45 extends data protection requirements to international companies that collect or
process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based
companies.

Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the
violating company’s global annual revenue depending on the nature of the violation.

GDPR ENFORCEMENT AND PENALTIES FOR NON-COMPLIANCE

In comparison to the former Data Protection Directive, the GDPR has increased penalties for
non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard
across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and
corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance,
require companies to make specified improvements by prescribed deadlines, order data to be erased,
and block companies from transferring data to other countries. Data controllers and processors are
subject to the SAs’ powers and penalties.

The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined
based on the circumstances of each case and the SA may choose whether to impose their corrective
powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines
may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.

BEST PRACTICES FOR GDPR: AN IMPORTANT EU DATA PROTECTION LAW

All organizations, including small to medium-sized companies and large enterprises, must be aware of all
GDPR requirements and be prepared to comply by May 2018. By beginning to implement data
protection policies and solutions now, companies will be in a much better position to achieve GDPR
compliance when it takes effect. For many of these companies, the first step in complying with GDPR is
to designate a data protection officer to build a data protection program that meets the GDPR
requirements.

The General Data Protection Regulation not only applies to businesses in the EU; all businesses
marketing services or goods to EU citizens should be preparing to comply with GDPR as well. By
complying with GDPR requirements, businesses will benefit from avoiding costly penalties while
improving customer data protection and trust.
