Analysis: NPC Recommends Prosecution of COMELEC Chairman Bautista for Data Privacy Breach (Part I of II)
Last January 5, 2017, the National Privacy Commission (NPC) recommended the filing of criminal charges against COMELEC Chairman Andres Bautista in the aftermath of the “Comeleak” incident.
As of the time of writing, the NPC has not yet released the full text of its decision. However, portions of the Commission’s reasoning can be read in an article on its official website.
According to the NPC, the COMELEC Chairman’s culpability lies in his failure to take adequate measures to secure the COMELEC’s voter registration databases, which contain what the law defines as personal and sensitive personal information. Quoting the decision, the online article reads:
[T]he wilful and intentional disregard of his duties as head of agency, which he should know or ought to know, is tantamount to gross negligence. The lack of a clear data governance policy, particularly in collecting and further processing of personal data, unnecessarily exposed personal and sensitive information of millions of Filipinos to unlawful access.
A head of agency making his acts depend on the recommendations of the Executive Director or the Information Technology Department amplifies the want of even slight care. The duty to obey the law should begin at the top and should not be frustrated simply because no employee recommended such action…
The decision is sanctioned by the NPC’s power under Section 7(b) of the Data Privacy Act to receive complaints and institute investigations, as well as Section 7(i) of the same law, which allows the NPC to recommend to the Department of Justice (DOJ) the prosecution of any of the violations specified under the law.
It will still be up to the DOJ to conduct its own investigation and decide if there is sufficient evidence to support a formal charge. This assumes that such proceedings can proceed without first resolving preliminary questions like 1) the Chairman’s status as an impeachable officer and 2) whether the statute, which is yet to be fully implemented, already imposed a positive duty at the time of the security breach. These, along with other interesting questions, may occupy the courts for some time before any determination of actual criminal liability.
This does not mean that the NPC’s move is empty or futile. As will be discussed further below, the decision is rational, strategic behavior for the NPC. This First Part of the article will explain how the NPC’s decision fits with its enforcement posture. I will argue that such a posture is appropriate under the circumstances. I will also cover what this could mean for other organizations, such as private enterprises. The Second Part, to be released after the full text of the NPC decision is released, will discuss the substance of the decision itself.
Paying the Price for Crime
Despite the law’s origins in information and communications technology, the Data Privacy Act covers any processing of personal information, whether offline or online. The solo law practitioner keeping client records in folders. The spa asking its patrons to indicate medical issues on their intake forms. These activities involve data processing of some form and activate provisions of the law.
This means that the NPC’s remit extends to the information activities of just about any business. The sheer volume of regulated activity means that even a small percentage of violations could add up to a tremendous amount of damage. To prevent such violations, the government must, in addition to enacting the law, establish the apparatus for enforcement and compliance: the whole panoply of investigators, prosecutors, and adjudicative bodies. But any enforcement system has its limits. Each additional unit of enforcement that the government is willing to pay for brings increasing costs and diminishing marginal benefits.
Crime may not pay, but there is certainly a price to committing it. This price is a function of the probability of conviction and the amount of penalty – that is, the length of a prison term, the amount of the fine, and the degree of other forms of pain (e.g., loss of reputation). A government adjusts this price by moving on either side of the operation. It can increase the probability of conviction by hiring more investigators, adjusting evidentiary thresholds, loading the system against defendants, or acquiring new forensic technology. It can also increase the specified punishment by passing new legislation with harsher penalties. Of course, the government faces constraints whenever it does one or the other. Resource allocations involve opportunity costs – hiring more policemen means fewer teachers. On the other hand, the government cannot increase penalties indefinitely. There is only so much pain and death the state can inflict on a single person. Besides, there are issues of fairness and proportionality to contend with. A death penalty for jaywalking may be challenged as unconstitutional on due process grounds. The severity of the penalty compared to the harm of the offense may also make it unacceptable to the people.
Hanging an Admiral
Where does all this leave the NPC? The enormity of its task notwithstanding, the new organization has few employees and a relatively small budget. Obviously, it cannot go into every business, pushing people into compliance with the threat of punishment. On the other hand, it would still be untenable to allow even a small percentage of data privacy violations. Assuming that it does not acquire radically new forensic technology, the probability of punishment it can threaten would remain correlated with its meager resources. At the same time, the law has already set the maximum specified penalty for data privacy violations – the most severe penalty for violation of the law is six years (and the highest fine is 5 million pesos). The NPC cannot increase the penalty without going to Congress for another law. With the computed price for violations fixed at a relatively low level, how can the NPC achieve optimal levels of compliance?
While the NPC cannot increase the absolute price of the crime, it can increase its relative impact – the subjective perception of pain for the organization or its leadership. Note that the computed price of the crime nominally stays the same. However, different people have different thresholds for pain, and would have variable willingness to risk paying the price of crime. The assumption underlying the NPC’s decision is that executives – CEOs, Presidents, and Chairmen, as in this case – would be less than willing to tolerate the probability of penalties. This appeals at an intuitive level. These people have more to lose than ordinary employees. Certainly, they are also in a better position to push their organizations toward compliance.
Independent of the merits of the case, the NPC’s decision is thus rational, strategic behavior for an agency with its constraints. Even with the modest price it can impose, the NPC can nevertheless maximize its enforcement powers by focusing on the leadership of prominent organizations. As Voltaire wrote on the execution of Admiral Byng: “In this country it is good to kill an admiral from time to time, in order to encourage the others.”
This strategy can also be employed against private sector companies, with a focus on data-oriented industries (technology, process outsourcing, medical services). Penalties for data privacy violations, such as a prohibition from further processing, will hurt industries in these sectors disproportionately. Even if the probability of conviction is low and no penalty is formally imposed, the reputational damage (coupled with the relative ease of customer flight) means that even an investigation and a recommendation for prosecution would be felt more keenly by data-oriented companies. The leadership of these organizations cannot risk that much.
Businesses, especially data-oriented ones, should not be lulled into thinking that this is random or exceptional. The legal risk is real and potentially costly. The logical end of the NPC’s approach is to spur self-enforcement by scaling up the relative price of violations. Cooperative behavior from businesses makes sense from a risk management perspective. At the same time, compliance can be a critical competitive advantage, especially for outsourcing firms that want to establish themselves as central to an industry.
As will be discussed in the next part of this article, which will cover the NPC’s findings and reasoning, compliance is not a product that one can simply purchase, pre-packaged and ready to go. It will require a hard look at the organization seeking compliance, its systems and practices. It needs the careful design of both technological and legal solutions. In Part Two of this article, I will explore further what the decision may require of organizations working towards compliance.