The High Court Tackles Key Privacy Issues in a Tax Case
In The Philippine Stock Exchange Inc. v. Secretary of Finance, the Supreme Court struck down several issuances of the Bureau of Internal Revenue (BIR) and the Securities and Exchange Commission (SEC) for violating, among others, the right to privacy. In addition, the said case also gave the Supreme Court to discuss extensively the application of several provisions of the Data Privacy Act.
Background of the Case
Initially the BIR issued a regulation requiring withholding agents to submit a digital list of payees and income payments subject to withholding taxes. Specifically, the rules specified the following personal information: (a) the tax identification number (TIN); (b) the complete name of the payee; and, (c) the corresponding amount of income and withholding tax. The SEC followed suit and issued its own rules requiring the Philippine Depository and Trust Corporation (PDTC) and broker dealers to provide the said information to listed companies or their transfer agents. The SEC rules expanded coverage to include the following personal information of the relevant data subjects: (a) residence/nationality; (b) total shareholding in each account and sub-account; and, (c) birth date. Failure to comply with said requirement will subject the PDTC and broker dealers to administrative and penal sanctions. The rules effectively allow the listed companies to identify their shareholders at any given time since most of the investing public choose not to register their share ownership in the company’s books – whether for privacy reasons or convenience.
The Philippine Stock Exchange, Bankers Association of the Philippines, Philippine Association of Securities Brokers and Dealers, Inc., Fund Managers Association of the Philippines, Trust Officers Association of the Philippines, and Marmon Holdings, Inc. (Petitioners) filed a petition before the Supreme Court questioning the legality of the said issuances. The Petitioners assert that the issuances violate their right to privacy over their personal information under Republic Act No. 10173 or the Data Privacy Act, among others.
Application of the Third Party Standing Doctrine
One of the issues raised in this case is whether the Petitioners – all juridical entities – have legal standing to assert the right to privacy – a right which belongs only to individual data subjects not corporations.
Generally, a party has legal standing if he or she has a direct and personal interest in the case, such that he or she suffers or will suffer harm from the law or governmental action being challenged. Among the exceptions to this is the concept of third-party standing. As enunciated by the Court in White Light Corporation v. City of Manila, it is enough for one to bring an action on behalf of another if a) the litigant suffers an ‘injury-in-fact’ so as to give him/her sufficiently concrete interest in the outcome of the case; b) the litigant has a close relation to the third party; and c) there exists some hindrance to the third party’s ability to protect his or her own interest.
The Supreme Court found that the Petitioners have the third-party standing to pursue the suit on behalf of the unnamed shareholders. It states that: a) Petitioners’ businesses directly rely on the patronage of their investors whose activities appear to be directly affected by issuances; b) there is a likelihood that Petitioners will suffer an “injury-in-fact” because they will be subject to penal and administrative sanctions in case of noncompliance to the with the issuances – a “sufficiently concrete interest” in the outcome of the issue; and c) as stated in the case of White Light Corporation v. City of Manila, “the relative silence in constitutional litigation of such special interest groups in our nation such as the American Civil Liberties Union in the United States may also be construed as a hindrance for customers to bring suit.”
In short, the Supreme Court allowed a third party to bring suit to protect the privacy rights of data subjects. This opens the door for personal information controllers and processors to initiate litigation to protect the rights of data subjects whose personal information they have collected or processed.
The Issuances Violate the Constitutional Right to Privacy
According to the Supreme Court, “the right to privacy or the right to be left alone, in Philippine jurisdiction, is accorded recognition independent from the right to liberty xxx [and deserves] full constitutional protection. Xxx As such, regulations that are alleged to be violative of the right to privacy must be subject to strict scrutiny [which requires that] the State must show that the regulation not only serves a compelling interest, but is also narrowly drawn in order to prevent abuses.”
Applying the said test, the Supreme Court found that while the purpose of the issuances, which is the efficient and proper collection of taxes, serves a compelling state interest, the regulations were not narrowly drawn to prevent abuses. According to the Supreme Court, the government agencies have failed to show that the means to be employed under the regulations are the least restrictive for effecting the invoked interest. The investors are not assured that the information they will provide will be protected and will not be used for any other purpose.
The Applicability of the Data Privacy Act
Another matter raised in this case, in relation to the right to privacy is the applicability of the Data Privacy Act. This gave the Supreme Court the opportunity to discuss extensively and interpret several provisions of the Data Privacy Act. Its discussions are summarized below.
“Information Necessary to Carry Out Public Functions”
Section 4(e) of the Data Privacy Act excludes from its coverage “[i]nformation necessary in order to carry out the functions of public authority.” The Supreme Court in this case noted that Section 4(e) explicitly uses the word “necessary” which can be viewed in light of the second requirement of the strict scrutiny test – that the regulation should be narrowly drawn to fulfill the compelling public interest. The Court clarified that “the State cannot just use the exception of performance of mandated functions xxx to carry out actions that abridge the right to privacy; there must be a showing of necessity.” In short, the collection and processing of the information must not only be required by the law, it must be necessary.
In this case, the Supreme Court found that the collection of information mandated by the regulations was not necessary for the BIR to perform its functions. The BIR for its part, did not even allege any problems encountered in the collection of taxes that would require the need for more specific disclosure as sought by the regulations.
The Supreme Court also noted the stated purpose under RR 1-2014 which is the “creation of a taxpayer database to establish a simulation model, formulate an analytical framework for policy analysis, and institutionalize enforcement activities.” The Supreme Court explained that “[w]hile creating a tax database may be considered as part of the BIR’s function of tax collection, it would still be futile to state that the information sought are necessary for the BIR to effectively and efficiently perform its statutorily mandated functions.”
In short, while the BIR showed that it was mandated to collect personal information pursuant to its revenue mandate, the specific regulations failed the test of necessity.
Legal Basis for Processing Sensitive Personal Information
Having ruled that the regulations were not excluded by the Data Privacy Act, the Supreme Court further examined whether there was sufficient legal basis for the processing as mandated by the regulations. The Supreme Court explained that the information sought to be collected, including the TINs of the investors, constitute sensitive personal information, the processing of which must satisfy with Section 13(b), which provides that:
- The processing of the same is provided for by existing laws and regulations:
- Such regulations guarantee the protection of the sensitive personal information; and,:
- That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information.
In this case, however, the regulations failed to provide any safeguards for the protection of the sensitive personal information. The Court clarified that the issuances themselves must provide for the safeguards, and the government agency cannot rely on any other laws or regulations such as the Tax Code or the Securities Regulations Code.
Violations of the Data Privacy Act Implicate the Constitutional Right to Privacy
Finally, the Supreme Court noted the effect of noncompliance with the Data Privacy Act. According to the Supreme Court, “the Data Privacy Act is one of the State’s measures to enforce the right to privacy. Any noncompliance with the substantive provisions of this law (i.e., those pertaining to the processing of information) may well be treated as a violation of the right to privacy.” It is clear, therefore, that violations of the Data Privacy Act, which are tantamount to violations of the right to privacy, warrant the application of the strict scrutiny test.
See full text of Supreme Court decision here.