CHAPTER 4

INFORMATION, CONTROL AND PRIVACY

I. Introduction
This module discusses the importance of protecting the
information provided and available in the cyber space. It will also discuss
about the scope and delimitation
For Exclusive Use of privacy
of TSU Studentsin the virtual world. To obtain
these objective, constitutional laws/ republic acts will be included in this
module.
In perspective, this module will provide a fundamental
understanding about the laws that delimits the “absolute freedom” or “live-
and-let-live” mentality of the netizens. It is an enlightenment that
everyone has the freedom in using the internet but there must be
precaution, both on providing and using the information. Constitutional
laws were provided in protecting one’s information and respecting one’s
privacy while conveniently being part of the online community.

II. Learning Objectives

With the completion of this module, you should be able to
1. Students will have a fundamental knowledge about the laws of the
land that protects the intellectual properties.
2. Students will also be able to determine the boundaries of
accessing one’s privacy as protected by the constitution.
3. Students will have an idea about the Cybercrime protection Act of
2012 that encompasses almost every unnecessary act rampantly
conducted in the cyber space.
4. Students will have an understanding about the comparison and
contrast of Data Privacy Act of 2012 and Writ of Habeas Data.

III. Contents
a. Preparatory Activities
1. Read the case Digest provided in this module. (pages 8-21)

0|Page
 b. Developmental Activities
Topic 1: Introduction

TOPIC 1: Intellectual Property In The Philippines

Intellectual property refers to anything created by someone, including
but not limited to inventions, literary works, items created by artists (e.g. artwork
and musical pieces), symbols, designs, images, pictures, and even names that
For Exclusive Use of TSU Students
are used for commercial purposes.
All these creations are protected by the law, ensuring that the people
behind it are given due recognition or remuneration for their effort.
Republic Act No. 8293
An act prescribing the Intellectual Property Code and establishing the
Intellectual Property Office, providing for its powers and functions, and for other
purposes.
This Act shall be known as the “Intellectual Property Code of the
Philippines.” This act protects the intellectual property of an individual, a group,
organization, company or a corporation.
At the office of the Intellectual Property in the Philippines, there are
several categories wherein a creator or innovator can register their creation
under. Below are some categories:
Patent
A patent refers to the exclusive rights to a product or process, as well as
its improvements—granted that the product or process offers something new and
useful.
The inventor or creator with the patent has the right to choose as to who
can use, sell, or even make something similar during its 2-year validity period.
Throughout the entire duration, a patent’s information must be available
to the public, as the owner is given enough time to gain ample commercial
returns. Some examples of inventions or creations that can be filed as patents
include new and useful machines, products and processes (non-biological and
microbiological in nature); improvements of machines, products and processes;
and microorganisms.
The basic requirements for a creation to be considered patentable are
that the creation would have a novel idea, inventive, and can be applied in an
industrial setting.
Application Process
One needs to fill out a Request Form for a Grant of Philippine Patent, as
well as submit descriptions and drawings of the invention or process.
Once the application has been filed, it will be published in the IPO
Gazette. During the period of its publication, anyone can write in or contest the
application.

1|Page
 Corresponding filing fees amount to PHP 3,600 and PHP 1,800, for big
and small inventions, respectively.
Trademark
A trademark is a tool used to differentiate services and goods from one
another. It can be in the form of a word or a group of words; a sign, logo, or
symbol. It could even be a combination of those above.
Essential in marketing your products or services, a trademark will help
consumers identify your brand among the many others in the market. To protect
your business’ trademark, it is advisable to have it registered.
For Exclusive Use of TSU Students
This way, the owner of the trademark would have exclusive rights to
make use of the mark. Furthermore, it will ensure that no one else can use the
same or even a similar mark for the products or services of a similar nature.
Application Process
Similar to a patent, you need to apply or file for the exclusive rights of the
mark you wish to use for business purposes. As the rights to a mark are granted
to the first person who filed with the IPO, it is imperative that one would conduct
a search within the IPO’s Database to avoid redundancies in applications.
For filing purposes, one needs to fill out the Trademark Application Form,
as well as attach a drawing of the mark. Corresponding filing fees amount to PHP
2,160 and PHP 1,080, for big and small marks, respectively.
Copyright
A copyright refers to the protection given to the owner of an original work
covering literary works, musical pieces, paintings, and computer programs,
among others.
Under the copyright laws, the owner of the original work is entitled to
economic rights and moral rights. Economic rights enable the creator to receive
profit gains should his works be distributed by third parties. Moral rights, on the
other hand, protect the connection between the creator and his work.
Once the owner receives the rights to his work, unauthorized third parties
are prohibited from selling or distributing the works, especially for trade purposes.
Application Process
One needs to fill out an application form, attach a copy of their work, and
pay the basic filing fee of PHP 625 at the IPO.
The Madrid Protocol
The Madrid Protocol is an international treaty, allowing trademark
registration in the Philippines or any country—as long as they are part of the
Madrid Protocol.
One would only need to file a single application. Should your application
be ratified, the approved mark will be protected in all the countries that are part of
the Madrid Protocol.
By acceding to the Madrid Protocol, trademark owners in the Philippines
would have better platforms to secure protection for their respective marks. The
Madrid Protocol offers a simple and cost-effective solution that promotes

2|Page
transparency and enables entrepreneurs to secure their marks in a faster and
easier manner.
Moreover, it encourages opening up businesses in multiple countries, as
one can designate the countries where their marks would need protection. With
the Madrid Protocol, companies can widen their market segment while keeping
their interests in check.
With globalization, gaps between countries are now bridged easily.
Businesspeople can now partake in business dealings around the world without
having to worry about infringement of information.
With the help of all For Exclusive Use of TSU Students
these intellectual property laws, information now
becomes a boon to society.
Criminal Penalties
SECTION 217 of RA 8293 - Criminal Penalties
217.1. Any person infringing any right secured by provisions of Part IV of this Act
or aiding or abetting such infringement shall be guilty of a crime punishable by:
(a) Imprisonment of one (1) year to three (3) years plus a fine ranging from
Fifty thousand pesos (P50,000) to One hundred fifty thousand pesos
(P150,000) for the first offense.
(b) Imprisonment of three (3) years and one (1) day to six (6) years plus a
fine ranging from One hundred fifty thousand pesos (P150,000) to Five
hundred thousand pesos (P500,000) for the second offense.
(c) Imprisonment of six (6) years and one (1) day to nine (9) years plus a fine
ranging from Five hundred thousand pesos (P500,000) to One million five
hundred thousand pesos (P1,500,000) for the third and subsequent
offenses.
(d) In all cases, subsidiary imprisonment in cases of insolvency.
217.2. In determining the number of years of imprisonment and the amount of
fine, the court shall consider the value of the infringing materials that the
defendant has produced or manufactured and the damage that the copyright
owner has suffered by reason of the infringement.
217.3. Any person who at the time when copyright subsists in a work has in his
possession an article which he knows, or ought to know, to be an infringing copy
of the work for the purpose of:
(a) Selling, letting for hire, or by way of trade offering or exposing for sale, or
hire, the article;
(b) Distributing the article for purpose of trade, or for any other purpose to an
extent that will prejudice the rights of the copyright owner in the work; or
(c) Trade exhibit of the article in public, shall be guilty of an offense and shall
be liable on conviction to imprisonment and fine as above mentioned.
(Sec. 29, P.D. No. 49a)

TOPIC 2: DATA PRIVACY ACT OF 2012

The Philippines has a growing and important business process
management and health information technology industry. Total IT spending
reached $4.4 billion in 2016, and the sector is expected to more than double by
2020. Filipinos are heavy social media users, 42.1 million are on Facebook, 13

3|Page
million on Twitter, and 3.5 million are LinkedIn users. The country is also in the
process of enabling free public Wi-Fi. In the context of the rapid growth of the
digital economy and increasing international trade of data, the Philippines has
strengthened its privacy and security protections.

In 2012 the Philippines passed the Data Privacy Act 2012,

comprehensive and strict privacy legislation “to protect the fundamental human
right of privacy, of communication while ensuring free flow of information to
promote innovation and growth.” (Republic Act. No. 10173, Ch. 1, Sec. 2). This
comprehensive privacy law also established a National Privacy Commission that
enforces and oversees it andFor is Exclusive
endowed Use ofwith rulemaking power. On September
TSU Students
9, 2016, the final implementing rules and regulations came into force, adding
specificity to the Privacy Act.

Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities
that process personal information, with some exceptions. The law has
extraterritorial application, applying not only to businesses with offices in the
Philippines, but when equipment based in the Philippines is used for processing.
The act further applies to the processing of the personal information of
Philippines citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the
processing of personal information in the Philippines that was lawfully collected
from residents of foreign jurisdictions — an exception helpful for Philippines
companies that offer cloud services.

Approach
The Philippines law takes the approach that “The processing of personal
data shall be allowed subject to adherence to the principles of transparency,
legitimate purpose, and proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared,
specified, and legitimate purpose” and further provides that consent is required
prior to the collection of all personal data. It requires that when obtaining consent,
the data subject be informed about the extent and purpose of processing, and it
specifically mentions the “automated processing of his or her personal data for
profiling, or processing for direct marketing, and data sharing.” Consent is further
required for sharing information with affiliates or even mother companies.

PrivacyTraining_ad300x250.Promo1-01
Consent must be “freely given, specific, informed,” and the definition
further requires that consent to collection and processing be evidenced by
recorded means. However, processing does not always require consent.

Consent is not required for processing where the data subject is party to a
contractual agreement, for purposes of fulfilling that contract. The exceptions of
compliance with a legal obligation upon the data controller, protection of the vital
interests of the data subject, and response to a national emergency are also
available.

4|Page
 An exception to consent is allowed where processing is necessary to
pursue the legitimate interests of the data controller, except where overridden by
the fundamental rights and freedoms of the data subject.

Required agreements
The law requires that when sharing data, the sharing be covered by an
agreement that provides adequate safeguards for the rights of data subjects, and
that these agreements are subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information

For Exclusive Use of TSU Students
The law defines sensitive personal information as being:

About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
About an individual’s health, education, genetic or sexual life of a person, or to
any proceeding or any offense committed or alleged to have committed;
Issued by government agencies “peculiar” (unique) to an individual, such as
social security number;
Marked as classified by executive order or act of Congress.
All processing of sensitive and personal information is prohibited except in
certain circumstances. The exceptions are:

Consent of the data subject;

Pursuant to law that does not require consent;
Necessity to protect life and health of a person;
Necessity for medical treatment;
Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.
Surveillance
Interestingly, the Philippines law states that the country’s Human Security Act of
2007 (a major anti-terrorism law that enables surveillance) must comply with the
Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject
to the act must develop, implement and review procedures for the collection of
personal data, obtaining consent, limiting processing to defined purposes, access
management, providing recourse to data subjects, and appropriate data retention
policies. These requirements necessitate the creation of a privacy program.
Requirements for technical security safeguards in the act also mandate that an
entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as
related to the principles of notice, choice, access, accuracy and integrity of data.
The Philippines law appears to contain a “right to be forgotten” in the form
of a right to erasure or blocking, where the data subject may order the removal of
his or her personal data from the filing system of the data controller. Exercising
this right requires “substantial proof,” the burden of producing which is placed on
the data subject. This right is expressly limited by the fact that continued

5|Page
publication may be justified by constitutional rights to freedom of speech,
expression and other rights.

Notably, the law provides a private right of action for damages for
inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use
of personal data.
A right to data portability is also provided.

""
Mandatory personal information breach notification
The law defines “security incident” andUse“personal
For Exclusive data breach” ensuring that the
of TSU Students
two are not confused. A “security incident” is an event or occurrence that affects
or tends to affect data protection, or may compromise availability, integrity or
confidentiality. This definition includes incidents that would result in a personal
breach, if not for safeguards that have been put in place.

A “personal data breach,” on the other hand, is a subset of a security

breach that actually leads to “accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data transmitted, stored, or
otherwise processed.

Requirement to notify
The law further provides that not all “personal data breaches” require
notification., which provides several bases for not notifying data subjects or the
data protection authority. Section 38 of the IRRs provides the requirements of
breach notification:

The breached information must be sensitive personal information, or information

that could be used for identity fraud, and
There is a reasonable belief that unauthorized acquisition has occurred, and
The risk to the data subject is real, and
The potential harm is serious.
The law provides that the Commission may determine that notification to data
subjects is unwarranted after taking into account the entity’s compliance with the
Privacy Act, and whether the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy
Commission as well as affected data subjects within 72 hours of knowledge of, or
reasonable belief by the data controller of, a personal data breach that requires
notification.
It is unclear at present whether the commission would allow a delay in
notification of data subjects to allow the commission to determine whether a
notification is unwarranted. By the law, this would appear to be a gamble.

Notification contents
The contents of the notification must at least:

Describe the nature of the breach;

The personal data possibly involved;
The measures taken by the entity to address the breach;

6|Page
The measures take to reduce the harm or negative consequence of the breach;
The representatives of the personal information controller, including their contact
details;
Any assistance to be provided to the affected data subjects.
Penalties
The law provides separate penalties for various violations, most of which also
include imprisonment. Separate counts exist for unauthorized processing,
processing for unauthorized purposes, negligent access, improper disposal,
unauthorized access or intentional breach, concealment of breach involving
sensitive personal information, unauthorized disclosure, and malicious
disclosure. For Exclusive Use of TSU Students

Any combination or series of acts may cause the entity to be subject to

imprisonment ranging from three to six years as well as a fine of approximately
$20,000 to $100,000.

Notably, there is also the previously mentioned private right of action for
damages, which would apply.

Penalties for failure to notify

Persons having knowledge of a security breach involving sensitive personal
information and of the obligation to notify the commission of same, and who fail
to do so, may be subject to penalty for concealment, including imprisonment for 1
1/2 to five years of imprisonment, and a fine of approximately $10,000 - $20,000.

Depending upon the circumstances additional violations might apply.

TOPIC 3: Cybercrime Prevention Act of 2012

7|Page
16 Cybercrimes covered under Cybercrime Prevention Act – Republic Act
10175
By Janette Toral

Republic Act 10175 – Cybercrime Prevention Act was signed into law last
September 12, 2012. This law is already in effect as the Supreme Court uphold
its constitutionality (February 18, 2014). Although some provisions were deemed
as unconstitutional (struck down) particularly Sections 4(c)(3), 7, 12, and 19.
It is a law consideredFortoExclusive
be 11 Useyears in the making as various groups,
of TSU Students
organizations, and personalities lobbied for its passage. It took awhile for the law
to be passed as legislators and various stakeholders need to understand the
magnitude of cybercrime and whether the penalty provisions indicated in the E-
Commerce Law – Republic Act 8792 is sufficient or not.
At a PTV4 Forum on Anti-Cybercrime Law, Department of Justice
Assistant Secretary Geronimo Sy explained that laws on cybercrime are
considered as the 3rd building block of legislations necessary to protect the
people from crimes committed in cyberspace and use of ICT.
I always look at cybercrime as something under the 2nd block or special
penal laws (where I think the E-Commerce Law is in). Although it seems there is
now a set of laws in place that are already in that 3rd block and increasing further
(which may already include the E-Commerce Law as it is the first policy in place
against hacking and online piracy).
As we use and integrate ICT and Internet in our lives, perhaps it is
possible that new forms of crimes can happen online and where broader or
special legislation will have to be created (that provides mandate for resource
allotment too). Nevertheless, that perspective, whether agreeable or not, brings
the importance of having more organized groups of netizens who can interact
with policy makers proactively on Internet / ICT related policies and do its share
of stakeholder consultation.

1. Penalizes (section 8) sixteen types of cybercrime (Section 4). They are:

Types of Cybercrime Penalty

1. Illegal access
Unauthorized access (without right) to a computer system or application.
Prision mayor (imprisonment of six years and 1 day up to 12 years) or a
fine of at least Two hundred thousand pesos (P200,000) up to a maximum
amount commensurate to the damage incurred or BOTH.
If committed against critical infrastructure:
***Reclusion temporal (imprisonment for twelve years and one day up to
twenty years) or a fine of at least Five hundred thousand pesos (P500,000) up to
a maximum amount commensurate to the damage incurred or BOTH

2. Illegal interception
Unauthorized interception of any non-public transmission of computer
data to, from, or within a computer system.
***same as above

8|Page
3. Data Interference
Unauthorized alteration, damaging, deletion or deterioration of computer
data, electronic document, or electronic data message, and including the
introduction or transmission of viruses. Authorized action can also be covered by
this provision if the action of the person went beyond agreed scope resulting to
damages stated in this provision.
***same as above

4. System Interference
Unauthorized hindering or interference with the functioning of a computer
or computer network by inputting, transmitting,
For Exclusive damaging, deleting, deteriorating,
Use of TSU Students
altering or suppressing computer data or program, electronic document, or
electronic data messages, and including the introduction or transmission of
viruses. Authorized action can also be covered by this provision if the action of
the person went beyond agreed scope resulting to damages stated in this
provision.
***same as above

5. Misuse of devices
The unauthorized use, possession, production, sale, procurement,
importation, distribution, or otherwise making available, of devices, computer
program designed or adapted for the purpose of committing any of the offenses
stated in Republic Act 10175.Unauthorized use of computer password, access
code, or similar data by which the whole or any part of a computer system is
capable of being accessed with intent that it be used for the purpose of
committing any of the offenses under Republic Act 10175.
***same as above except fine should be no more than Five hundred
thousand pesos (P500,000).

6. Cyber-squatting
Acquisition of domain name over the Internet in bad faith to profit,
mislead, destroy reputation, and deprive others from the registering the same.
This includes those existing trademark at the time of registration; names of
persons other than the registrant; and acquired with intellectual property interests
in it.Those who get domain names of prominent brands and individuals which in
turn is used to damage their reputation – can be sued under this provision.Note
that freedom of expression and infringement on trademarks or names of person
are usually treated separately. A party can exercise freedom of expression
without necessarily violating the trademarks of a brand or names of persons.
–
***same as above

7. Computer-related Forgery
Unauthorized input, alteration, or deletion of computer data resulting to
inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic, regardless whether or not the data is directly
readable and intelligible; orThe act of knowingly using computer data which is the
product of computer-related forgery as defined here, for the purpose of
perpetuating a fraudulent or dishonest design.

9|Page
 ***Prison mayor (imprisonment of six years and 1 day up to 12 years) or a
fine of at least Two hundred thousand pesos (P200,000) up to a maximum
amount commensurate to the damage incurred or BOTH.

8. Computer-related Fraud
Unauthorized input, alteration, or deletion of computer data or program or
interference in the functioning of a computer system, causing damage thereby
with fraudulent intent.
***same as above. Provided, that if no damage has yet been caused, the
penalty imposed shall be one (1) degree lower.
For Exclusive Use of TSU Students
9. Computer-related Identity Theft
Unauthorized acquisition, use, misuse, transfer, possession, alteration or
deletion of identifying information belonging to another, whether natural or
juridical.
***same as above

10. Cybersex
Willful engagement, maintenance, control, or operation, directly or
indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the
aid of a computer system, for favor or consideration.There is a discussion on this
matter if it involves “couples” or “people in relationship” who engage in cybersex.
For as long it is not done for favor or consideration, I don’t think it will be covered.
However, if one party (in a couple or relationship) sues claiming to be forced to
do cybersex, then it can be covered.
***Prison mayor (imprisonment of six years and 1 day up to 12 years) or a
fine of at least Two hundred thousand pesos (P200,000) but not exceeding One
million pesos (P1,000,000) or BOTH.

11. Child Pornography

Unlawful or prohibited acts defined and punishable by Republic Act No.
9775 or the Anti-Child Pornography Act of 2009, committed through a computer
system.
***Penalty to be imposed shall be one (1) degree higher than that
provided for in Republic Act 9775, if committed through a computer system.

****** Unsolicited Commercial Communications (SPAMMING)THIS PROVISION

WAS STRUCK DOWN BY THE SUPREME COURT AS UNCONSTITUTIONAL.

12. Libel
Unlawful or prohibited acts of libel as defined in Article 355 of the Revised
Penal Code, as amended committed through a computer system or any other
similar means which may be devised in the future.Revised Penal Code Art. 355
states Libel means by writings or similar means. — A libel committed by means
of writing, printing, lithography, engraving, radio, phonograph, painting, theatrical
exhibition, cinematographic exhibition, or any similar means, shall be punished
by prision correccional in its minimum and medium periods or a fine ranging from
200 to 6,000 pesos, or both, in addition to the civil action which may be brought
by the offended party.The Cybercrime Prevention Act strengthened libel in terms
of penalty provisions.The electronic counterpart of libel has been recognized
since the year 2000 when the E-Commerce Law was passed. The E-Commerce

10 | P a g e
Law empowered all existing laws to recognize its electronic counterpart whether
commercial or not in nature.
***Penalty to be imposed shall be one (1) degree higher than that
provided for by the Revised Penal Code, as amended, and special laws, as the
case may be.

13. Aiding or Abetting in the commission of cybercrime –

Any person who willfully abets or aids in the commission of any of the
offenses enumerated in this Act shall be held liable.
***Imprisonment of one (1) degree lower than that of the prescribed
penalty for the offense or aFor fine ofUseatof TSU
Exclusive least One hundred thousand pesos
Students
(P100,000) but not exceeding Five hundred thousand pesos (P500,000) or both.

14. Attempt in the commission of cybercrime

Any person who willfully attempts to commit any of the offenses
enumerated in this Act shall be held liable.
***same as above

15. All crimes defined and penalized by the Revised Penal Code, as amended,
and special laws, if committed by, through and with the use of information and
communications technologies shall be covered by the relevant provisions of this
Act.
***Penalty to be imposed shall be one (1) degree higher than that
provided for by the Revised Penal Code, as amended, and special laws, as the
case may be.

Although not exactly a cybercrime, I am including this here as penalties are also
imposed by the law.
16. Corporate Liability. (Section 9)
When any of the punishable acts herein defined are knowingly committed
on behalf of or for the benefit of a juridical person, by a natural person acting
either individually or as part of an organ of the juridical person, who has a leading
position within, based on:(a) a power of representation of the juridical person
provided the act committed falls within the scope of such authority;(b) an
authority to take decisions on behalf of the juridical person. Provided, That the
act committed falls within the scope of such authority; or(c) an authority to
exercise control within the juridical person,It also includes commission of any of
the punishable acts made possible due to the lack of supervision or control.
***For sanctioned actions, Juridical person shall be held liable for a fine
equivalent to at least double the fines imposable in Section 7 up to a maximum of
Ten million pesos (P10,000,000).For neglect such as misuse of computer
resources that resulted to cybercrime committed in organization physical or
virtual premises or resources, juridical person shall be held liable for a fine
equivalent to at least double the fines imposable in Section 7 up to a maximum of
Five million pesos (P5,000,000).Criminal liability may still apply to the natural
person.
If you are going to include all provisions in the Revised Penal Code, there
can even be more than 16 types of cybercrime as a result.

2. Liability on other laws

11 | P a g e
Section 7 was struck down by Supreme Court as it violated the provision on
double jeopardy.

3. Jurisdiction
(a) The Regional Trial Court designated special cybercrime courts shall
have jurisdiction over any violation of the provisions of this Act including any
violation committed by a Filipino national regardless of the place of commission.
Jurisdiction shall lie if any of the elements was committed within the Philippines
or committed with the use of any computer system wholly or partly situation in the
country, or when by such commission any damage is caused to a natural or
juridical person who, at theFor time
Exclusivethe
Use ofoffense
TSU Studentswas committed, was in the
Philippines. (section 21)
(b) For international and trans-national cybercrime investigation and
prosecution, all relevant international instruments on international cooperation in
criminal maters, arrangements agreed on the basis of uniform or reciprocal
legislation, and domestic laws, to the widest extent possible for the purposes of
investigations or proceedings concerning criminal offenses related to computer
systems and data, or for the collection of evidence in electronic form of a criminal
offense shall be given full force and effect. (section 21)
This gives the Philippines the ability to participate in treaties and of
mutual cooperation with countries that have counterpart legislation effectively –
especially – on cybercrime cases that have team members or victims residing in
the Philippines.

4. Responsibilities of the Philippine National Police (PNP) and National

Bureau of Investigation (NBI)

The law gave police authorities the mandate it needs to initiate an

investigation to process the various complaints/report it gets from citizens. There
are instances of online attacks, done anonymously, where victims approach
police authorities for help. They often find themselves lost in getting investigation
assistance as police authorities can’t effectively initiate an investigation (only do
special request) – as their legal authority to request for logs or data does not
exist at all unless a case is already filed. (which in case of anonymously done –
will be hard to initiate)

I truly believe in giving citizen victims, regardless of stature, the

necessary investigation assistance they deserve. This law – gave our police
authorities just that.

The PNP and NBI shall be responsible for the enforcement of this law.
This includes:

(a) The PNP and NBI are mandated to organize a cybercrime unit or
center manned by special investigators to exclusively handle cases involving
violations of this Act. (Section 10).
(b) The PNP and NBI are required to submit timely and regular reports
including pre-operation, post-operation, and investigation results and such other
documents as may be required to the Department of Justice for review and
monitoring. (Section 11)

12 | P a g e
 (c) THE SUPREME COURT STRUCK DOWN SECTION 12 THAT IS
SUPPOSED TO authorize law enforcement authorities, without a court warrant,
to collect or record by technical or electronic means traffic data in real-time
associated with specified communications transmitted by means of a computer
system. (Section 12) Getting a COURT WARRANT is a must.
(d) May order a one-time extension of another six (6) months on
computer data requested for preservation. Provided, That once computer data
preserved, transmitted or stored by a service provider is used as evidence in a
case, the mere furnishing to such service provider of the transmittal document to
the Office of the Prosecutor shall be deemed a notification to preserve the
computer data until the termination of the
For Exclusive case.
Use of (Section 13)
TSU Students
(e) Carry out search and seizure warrants on computer data. (section 15)
Once done, turn-over custody in a sealed manner to courts within 48 hours
(section 16) unless an extension for no more than 30 days was given by the
courts (section 15).
(f) Upon expiration of time required to preserve data, police authorities
shall immediately and completely destroy the computer data subject of a
preservation and examination. (section 17)

5. The responsibility of service providers (SP)

Service provider refers any public or private entity that provides to users of its
service the ability to communicate by means of a computer system, and
processes or stores computer data on behalf of such communication service or
users of such service. (Section 3(n).

(a) SP upon receipt of a court warrant from police authorities to disclose or

submit subscriber’s information, traffic data or relevant data in its possession or
control shall comply within seventy-two (72) hours from receipt of the order in
relation to a valid complaint officially docketed and assigned for investigation and
the disclosure is necessary and relevant for the purpose of investigation. (section
14)

(b) The integrity of traffic data and subscriber information relating to

communication services provided by a service provider shall be preserved for a
minimum of six (6) months period from the date of the transaction. Content data
shall be similarly preserved for six (6) months from the date of receipt of the
order from law enforcement authorities requiring its preservation. (Section 13)

(c) Once computer data preserved, transmitted or stored by a service provider is

used as evidence in a case, the mere furnishing to such service provider of the
transmittal document to the Office of the Prosecutor shall be deemed a
notification to preserve the computer data until the termination of the case.
(Section 13)

(d) Upon expiration of time required to preserve data, SP shall immediately and
completely destroy the computer data subject of a preservation and examination.
(section 17)

(e) Failure to comply with the provisions of Chapter IV specifically the orders from
law enforcement authorities shall be punished as a violation of Presidential

13 | P a g e
Decree No. 1829 with imprisonment of prision correccional in its maximum period
or a fine of One hundred thousand pesos (P100,000) or both for each and every
non-compliance with an order issued by law enforcement authorities.

Service Provider protection insofar as liability is a concern is already covered

under the E-Commerce Law.

6. Responsibility of individuals
(a) Individuals upon receipt of a court warrant being required to disclose or
submit subscriber’s information, traffic data or relevant data in his possession or
control shall comply within seventy-two (72)
For Exclusive Use of hours from receipt of the order in
TSU Students
relation to a valid complaint officially docketed and assigned for investigation and
the disclosure is necessary and relevant for the purpose of investigation.
(b) Failure to comply with the provisions of Chapter IV specifically the orders from
law enforcement authorities shall be punished as a violation of Presidential
Decree No. 1829 with imprisonment of prision correccional in its maximum period
or a fine of One hundred thousand pesos (P100,000) or both for each and every
non-compliance with an order issued by law enforcement authorities.

7. Inadmissible evidence
(a) Any evidence procured without a valid warrant or beyond the authority of the
same shall be inadmissible for any proceeding before any court or tribunal.
(section 18)

8. Access limitation
The Supreme Court struck down Section 19 of the law that gives the Department
of Justice powers to order the blocking of access to a site provided there is prima
facie evidence supporting it.

9. Cybercrime new authorities

(a) Office of Cybercrime within the DOJ designated as the central
authority in all matters relating to international mutual assistance and extradition.
(section 23)
(b) Cybercrime Investigation and Coordinating Center (CICC) an inter-
agency body to be created under the administrative supervision of the Office of
the President, for policy coordination among concerned agencies and for the
formulation and enforcement of the national cybersecurity plan. (section 24)
CICC will be headed by the Executive Director of the Information and
Communications Technology Office under the Department of Science and
Technology as Chairperson with the Director of the NBI as Vice Chairperson; the
Chief of the PNP, Head of the DOJ Office of Cybercrime; and one (1)
representative from the private sector and academe, as members. (section 25)
The CICC is the cybercrime czar tasked to ensure this law is effectively
implemented. (section 26)
Although the law specifically stated a fifty million pesos (P50,000,000) annual
budget, the determination as where it would go or allotted to, I assume shall be to
the CICC.

***DEBATE / DISPUTE on the Cybercrime Prevention Act.

14 | P a g e
In my discussion with lawyers, journalist, bloggers, among others, concerns were
raised on how the law can be in violation of the Constitution and other laws. This
includes:

1. Discrimination against online crime.

In crimes committed online, the law gives a higher penalty compared to
its offline counterpart. This is seen as a violation of principles within the E-
Commerce Law where both offline and online evidence is given equal weight. In
its implementing rules and regulations, it also indicated not to give special benefit
or penalty to electronic transactions just because it is committed online.
However, I note that perhaps theofreason
For Exclusive Use for this also is to increase the
TSU Students
penalties. The original Revised Penal Code, for example, gives a penalty for libel
in the amount of up to six thousand pesos (P6,000).

2. Did the Cybercrime Law criminalize online libel? Will it result to double
jeopardy?

Some see the Cybercrime Law as enabling criminalization of online libel. I

think that is not correct.
Libel is a criminal offense as defined under the Revised Penal Code.
The E-Commerce Law empowered all existing laws to recognize its
electronic counterpart. It recognized both commercial and non-commercial in
form. This made electronic documents (text message, email, web pages, blog
post, etc) admissible as evidence in court (and can’t be denied legal admissibility
just because it is electronic form and has the same primary evidence weight).
Existing penalties under the laws where offense fall in shall apply. That is why
the filing of libel cases committed electronically became possible in the past
years (and there were cases filed, some won, some lost, and some are ongoing).
Libel is already a criminal offense under the Revised Penal Code as is.
Then it got extended to its electronic form since 2000 (with the recognition of its
electronic form provided by the E-Commerce Law) with existing penalties
applying to it. With the Cybercrime Law, it increased the penalty further if
committed with the use of ICT.
According to Atty. Geronimo Sy (Department of Justice), during the PTV4
Forum on Anti-Cybercrime Law, a complaint on electronic libel will only have one
(1) case to be filed. The maximum penalty for electronic libel is 8 years.
Hitting the “Like” button on Facebook does not make you commit the act
of libel. In this ANC interview, Senator Ed Angara clarified that posting a
comment where you get to share your thoughts is covered under “protected
expression”.
The amount of penalty is still to be set by the DOJ as there is usually no
automatic degree scaling in special penal laws. If a person who got accused of
committing electronic libel also did the same in traditional (offline) form, only one
case shall be filed. It will be interesting to see how the DOJ will implement the
scaling in effect as a result of this.
The mention of libel in the Cybercrime Law is the most contested
provision in the law. The additional penalties is seen to curtail freedom of
expression. Most of the petitions against the Cybercrime Law focused on this
provision.
Numerous legislators are already expressing interest as well in amending
the Cybercrime Law and Revised Penal Code.

15 | P a g e
3. Real-time data access
I appreciate the need for real-time access to data, such as cellular traffic
data, especially in tracking scammers and any critical incident as it happens
(such as kidnapping and other in-progress crimes) where immediate access is
important.
However, the mining of this data for surveillance can be seen as subject
abuse. Furthermore, if no intervention such as a judge approval, comes first
before getting access where need can be justified.
Although I think this will slow down the process if anything needs court
approval first. But other parties believe
For Exclusive Use that
of TSU this is a must requirement. As the
Students
Supreme Court struck down Section 12, I hope processes will be set-up to assist
law enforcement with its investigation, to fasten court warrant issuance,
especially as it receives complaints from victims of cybercrime.

As the Cybercrime Law gets upheld by the Supreme Court, here are my personal
notes on the development of its implementing rules and regulations:
1. Ensure that procedures for police assistance and securing court orders
will be fair regardless whether complainants can afford a lawyer or not to assist
them.
2. Make the process for data access efficient so that text and online
scams culprits can be made accountable soon while ensuring that the data
collected won’t be abused.
I am glad that lobbying moves to strike down the whole Cybercrime
Prevention Act (Republic Act 10175) did not prosper. The law has greater
purposes and intentions that can be helpful in protecting the interest of
our netizens and country online.

TOPIC 4: WRIT OF HABEAS DATA

What is a Writ of Habeas Data?
The writ of habeas data is a remedy available to any person whose right
to privacy in life, liberty or security is violated or threatened by an unlawful act or
omission of a public official or employee, or of a private individual or entity
engaged in the gathering, collecting or storing of data or information regarding
the person, family, home and correspondence of the aggrieved party.
The rule was approved via A. M. No. 08-1-16-SC on January 2, 2008 and
took effect a month later.

Who can be subject to a writ of habeas data?

Any government employee or official
Any private individual
Any private entities such as corporations

What acts are subject to a writ of habeas data?

Gathering, collecting or storing of data or information regarding the
person, family, home and correspondence of the aggrieved party.

Who may file a Writ of Habeas Data?

As a general rule, only the person affected may file a petition for a writ of
habeas data.

16 | P a g e
 However in certain exceptions such as cases of extralegal killings and
enforced disappearances, the petition may be filed by:
Any member of the immediate family of the aggrieved party, namely: the
spouse, children and parents; or
Any ascendant, descendant or collateral relative of the aggrieved party
within the fourth civil degree of consanguinity or affinity, in default of those
mentioned in the preceding paragraph.

Where is the writ of habeas data enforceable?

The writ of habeas data
Forshall beUseenforceable
Exclusive of TSU Students anywhere in the Philippines.

Does a writ of habeas data prejudice the filing of separate criminal, civil or
administrative actions?
The filing of a petition for the writ of habeas data shall not preclude the
filing of separate criminal, civil or administrative actions.
So this means that a suit for a violation of RA 10173 (Data Privacy Act)
does not prejudice the filing of a writ of habeas data and vise-versa.
However, when a criminal action is filed subsequent to the filing of a
petition for the writ of habeas data, it shall be consolidated with the criminal
action.
When a criminal action and a separate civil action are filed subsequent to
a petition for a writ of habeas data, the petition shall be consolidated with the
criminal action.
When a criminal action has been commenced, no separate petition for the
writ of habeas data shall be filed. The relief under the writ shall be available to an
aggrieved party by motion in the criminal case.

Who has jurisdiction over a writ of habeas data?

Regional Trial Courts
Where petitioner and respondent resides or place where data was collected or
stored, at the option of the petitioner
Supreme Court
Court of Appeals
Sandiganbayan
When the action involves public data files of government offices
What should I put in my petition for a writ of habeas data?
A verified written petition for a writ of habeas data should contain:

The personal circumstances of the petitioner and the respondent;

The manner the right to privacy is violated or threatened and how it affects the
right to life, liberty or security of the aggrieved party;
The actions and recourses taken by the petitioner to secure the data or
information;
The location of the files, registers or databases, the government office, and the
person in charge, in possession or in control of the data or information, if known;
The reliefs prayed for, which may include the updating, rectification, suppression
or destruction of the database or information or files kept by the respondent.
In case of threats, the relief may include a prayer for an order enjoining the act
complained of; and
Such other relevant reliefs as are just and equitable.

17 | P a g e
Since the petition needs to be verified, the petitioner swears to the allegations,
demonstrating to a court that the plaintiff has investigated the charges against
the defendant and found them to be of substance and it to be true and correct
based on personal knowledge or based on authentic records.

Do I need to pay docket fees?

Yes. Unless you are considered an indigent petitioner.
An indigent, according to Rule 141 Sec. 19 of the Rules of Court, is a
person whose gross income and that of family members do not exceed an
amount double the minimum wage of an employee and that they do not own real
property with a fair market value of more
For Exclusive than
Use of TSU three hundred thousand pesos
Students
(Php 300,000) as indicated in the tax declaration of the said property.
Falsification of one’s indigent status shall be a ground for the outright
dismissal of the petition.
The indigent petitioner shall submit his proof of indigency not later than
fifteen (15) days from the filing of the petition.

How long does it take for a writ of habeas data to be issued and served?
Usually the court will order the issuance of the writ upon the filing of the
petition, then the court shall serve it within three (3) days from issuance.
However, the court may also issue the writ immediately and deputize a
person to serve the writ.

When is the summary hearing for the writ of habeas data?

The court shall set the time and data of the summary hearing not later
than ten (10) days from its issuance.

What is the manner of service of the writ of habeas data?

It shall be served by a judicial officer or a person duly authorized by the
court.

In the event that the writ cannot be served, substituted service shall
apply.

If I was a respondent to a writ of habeas data what should my written return

contain?
The return shall, among other things, contain the following:

The lawful defenses such as national security, state secrets, privileged

communications, confidentiality of the source of information of media and others;
In case of respondent in charge, in possession or in control of the data or
information subject of the petition;
A disclosure of the data or information about the petitioner, the nature of
such data or information, and the purpose for its collection;
he steps or actions taken by the respondent to ensure the security and
confidentiality of the data or information; and,
the currency and accuracy of the data or information held; and,
Other allegations relevant to the resolution of the proceeding.
A general denial of the allegations in the petition shall not be allowed.

18 | P a g e
 If the respondent raises the defense of national security or state secrets
then his defense may be heard in the judges chambers

How long must the respondent respond to the writ of habeas data?
The respondent shall file a verified written return together with supporting
affidavits within five (5) working days from service of the writ, which period may
be reasonably extended by the Court for justifiable reasons
Failure to file a return shall constitute contempt of court and the case shall
proceed ex parte.

How long does the judgement usually

For Exclusive Use oftake from the time of submission of
TSU Students
the petition for decision?
The court shall render judgment within ten (10) days from the time the
petition is submitted for decision.

What are possible actions once a writ of habeas data is granted and how
long shall it be enforced?
If the allegations in the petition are proven by substantial evidence, the
court shall enjoin the act complained of.
The court can also order the deletion, destruction, or rectification of the
erroneous data or information and grant other relevant reliefs as may be just and
equitable.
Upon its finality, the judgment shall be enforced by the sheriff or any
lawful officers as may be designated by the court, justice or judge within five (5)
working days.

***CASE DIGEST***
Republic of the Philippines
SUPREME COURT
Manila
THIRD DIVISION
G.R. No. 202666               September 29, 2014
RHONDA AVE S. VIVARES and SPS. MARGARITA and DAVID
SUZARA, Petitioners,
vs.
ST. THERESA'S COLLEGE, MYLENE RHEZA T. ESCUDERO, and JOHN
DOES, Respondents.
DECISION
VELASCO, JR., J.:
The individual's desire for privacy is never absolute, since participation in society is
an equally powerful desire. Thus each individual is continually engaged in a personal
adjustment process in which he balances the desire for privacy with the desire for
disclosure and communication of himself to others, in light of the environmental
conditions and social norms set by the society in which he lives.
- Alan Westin, Privacy and Freedom (1967)
The Case
Before Us is a Petition for Review on Certiorari under Rule 45 of the Rules of Court,
in relation to Section 19 of A.M. No. 08-1-16-SC,  otherwise known as the "Rule on
1

the Writ of Habeas Data." Petitioners herein assail the July 27, 2012 Decision  of the
2

19 | P a g e
Regional Trial Court, Branch 14 in Cebu City (RTC) in SP. Proc. No. 19251-CEB,
which dismissed their habeas data petition.
The Facts
Nenita Julia V. Daluz (Julia) and Julienne Vida Suzara (Julienne), both minors, were,
during the period material, graduating high school students at St. Theresa's College
(STC), Cebu City. Sometime in January 2012, while changing into their swimsuits for
a beach party they were about to attend, Julia and Julienne, along with several
others, took digital pictures of themselves clad only in their undergarments. These
pictures were then uploaded by Angela Lindsay Tan (Angela) on her
Facebook  profile.
3

Back at the school, Mylene Rheza T. Escudero

For Exclusive (Escudero), a computer teacher at
Use of TSU Students
STC’s high school department, learned from her students that some seniors at STC
posted pictures online, depicting themselves from the waist up, dressed only in
brassieres. Escudero then asked her students if they knew who the girls in the
photos are. In turn, they readily identified Julia, Julienne, and Chloe Lourdes
Taboada (Chloe), among others.
Using STC’s computers, Escudero’s students logged in to their respective personal
Facebook accounts and showed her photos of the identified students, which include:
(a) Julia and Julienne drinking hard liquor and smoking cigarettes inside a bar; and
(b) Julia and Julienne along the streets of Cebu wearing articles of clothing that show
virtually the entirety of their black brassieres. What is more, Escudero’s students
claimed that there were times when access to or the availability of the identified
students’ photos was not confined to the girls’ Facebook friends,  but were, in fact,
4

viewable by any Facebook user. 5

Upon discovery, Escudero reported the matter and, through one of her student’s
Facebook page, showed the photosto Kristine Rose Tigol (Tigol), STC’s Discipline-
in-Charge, for appropriate action. Thereafter, following an investigation, STC found
the identified students to have deported themselves in a manner proscribed by the
school’s Student Handbook, to wit:
1. Possession of alcoholic drinks outside the school campus;
2. Engaging in immoral, indecent, obscene or lewd acts;
3. Smoking and drinking alcoholicbeverages in public places;
4. Apparel that exposes the underwear;
5. Clothing that advocates unhealthy behaviour; depicts obscenity; contains
sexually suggestive messages, language or symbols; and 6. Posing and
uploading pictures on the Internet that entail ample body exposure.
On March 1, 2012, Julia, Julienne, Angela, and the other students in the pictures in
question, reported, as required, to the office of Sr. Celeste Ma. Purisima Pe (Sr.
Purisima), STC’s high school principal and ICM  Directress. They claimed that during
6

the meeting, they were castigated and verbally abused by the STC officials present
in the conference, including Assistant Principal Mussolini S. Yap (Yap), Roswinda
Jumiller, and Tigol. What is more, Sr. Purisima informed their parents the following
day that, as part of their penalty, they are barred from joining the commencement
exercises scheduled on March 30, 2012.
A week before graduation, or on March 23, 2012, Angela’s mother, Dr. Armenia M.
Tan (Tan), filed a Petition for Injunction and Damages before the RTC of Cebu City
against STC, et al., docketed as Civil Case No. CEB-38594.  In it, Tan prayed that
7

defendants therein be enjoined from implementing the sanction that precluded

Angela from joining the commencement exercises.

20 | P a g e
On March 25, 2012,petitioner Rhonda Ave Vivares (Vivares), the mother of Julia,
joined the fray as an intervenor. On March 28, 2012, defendants inCivil Case No.
CEB-38594 filed their memorandum, containing printed copies of the photographs in
issue as annexes. That same day, the RTC issued a temporary restraining order
(TRO) allowing the students to attend the graduation ceremony, to which STC filed a
motion for reconsideration.
Despite the issuance of the TRO,STC, nevertheless, barred the sanctioned students
from participating in the graduation rites, arguing that, on the date of the
commencement exercises, its adverted motion for reconsideration on the issuance
ofthe TRO remained unresolved.
Thereafter, petitioners filed before the RTC
For Exclusive a Petition
Use of TSU Students for the Issuance of a Writ of
Habeas Data, docketed as SP. Proc. No. 19251-CEB  on the basis of the following
8

considerations:
1. The photos of their children in their undergarments (e.g., bra) were taken
for posterity before they changed into their swimsuits on the occasion of a
birthday beach party;
2. The privacy setting of their children’s Facebook accounts was set at
"Friends Only." They, thus, have a reasonable expectation of privacy which
must be respected.
3. Respondents, being involved in the field of education, knew or ought to
have known of laws that safeguard the right to privacy. Corollarily,
respondents knew or ought to have known that the girls, whose privacy has
been invaded, are the victims in this case, and not the offenders. Worse,
after viewing the photos, the minors were called "immoral" and were
punished outright;
4. The photos accessed belong to the girls and, thus, cannot be used and
reproduced without their consent. Escudero, however, violated their rights by
saving digital copies of the photos and by subsequently showing them to
STC’s officials. Thus, the Facebook accounts of petitioners’ children were
intruded upon;
5. The intrusion into the Facebook accounts, as well as the copying of
information, data, and digital images happened at STC’s Computer
Laboratory; and
6. All the data and digital images that were extracted were boldly
broadcasted by respondents through their memorandum submitted to the
RTC in connection with Civil Case No. CEB-38594. To petitioners, the
interplay of the foregoing constitutes an invasion of their children’s privacy
and, thus, prayed that: (a) a writ of habeas databe issued; (b) respondents be
ordered to surrender and deposit with the court all soft and printed copies of
the subjectdata before or at the preliminary hearing; and (c) after trial,
judgment be rendered declaring all information, data, and digital images
accessed, saved or stored, reproduced, spread and used, to have been
illegally obtained inviolation of the children’s right to privacy.
Finding the petition sufficient in form and substance, the RTC, through an Order
dated July 5, 2012, issued the writ of habeas data. Through the same Order, herein
respondents were directed to file their verified written return, together with the
supporting affidavits, within five (5) working days from service of the writ.
In time, respondents complied with the RTC’s directive and filed their verified written
return, laying down the following grounds for the denial of the petition, viz: (a)
petitioners are not the proper parties to file the petition; (b) petitioners are engaging
in forum shopping; (c) the instant case is not one where a writ of habeas data may

21 | P a g e
issue;and (d) there can be no violation of their right to privacy as there is no
reasonable expectation of privacy on Facebook.
Ruling of the Regional Trial Court
On July 27, 2012, the RTC rendered a Decision dismissing the petition for habeas
data. The dispositive portion of the Decision pertinently states:
WHEREFORE, in view of the foregoing premises, the Petition is hereby DISMISSED.
The parties and media must observe the aforestated confidentiality.
xxxx
SO ORDERED. 9

To the trial court, petitioners failed to prove

For Exclusive Use ofthe existence of an actual or threatened
TSU Students
violation of the minors’ right to privacy, one of the preconditions for the issuance of
the writ of habeas data. Moreover, the court a quoheld that the photos, having been
uploaded on Facebook without restrictions as to who may view them, lost their
privacy in some way. Besides, the RTC noted, STC gathered the photographs
through legal means and for a legal purpose, that is, the implementation of the
school’s policies and rules on discipline.
Not satisfied with the outcome, petitioners now come before this Court pursuant to
Section 19 of the Rule on Habeas Data. 10

The Issues
The main issue to be threshed out inthis case is whether or not a writ of habeas
datashould be issued given the factual milieu. Crucial in resolving the controversy,
however, is the pivotal point of whether or not there was indeed an actual or
threatened violation of the right to privacy in the life, liberty, or security of the minors
involved in this case.
Our Ruling
We find no merit in the petition.
Procedural issues concerning the availability of the Writ of Habeas Data
The writ of habeas datais a remedy available to any person whose right to privacy in
life, liberty or security is violated or threatened by an unlawful act or omission of a
public official or employee, or of a private individual or entity engaged in the
gathering, collecting or storing of data or information regarding the person, family,
home and correspondence of the aggrieved party.  It is an independent and
11

summary remedy designed to protect the image, privacy, honor, information, and
freedom of information of an individual, and to provide a forum to enforce one’s right
to the truth and to informational privacy. It seeks to protect a person’s right to control
information regarding oneself, particularly in instances in which such information is
being collected through unlawful means in order to achieve unlawful ends. 12

In developing the writ of habeas data, the Court aimed to protect an individual’s right
to informational privacy, among others. A comparative law scholar has, in fact,
defined habeas dataas "a procedure designed to safeguard individual freedom from
abuse in the information age."  The writ, however, will not issue on the basis merely
13

of an alleged unauthorized access to information about a person.Availment of the

writ requires the existence of a nexus between the right to privacy on the one hand,
and the right to life, liberty or security on the other.  Thus, the existence of a person’s
14

right to informational privacy and a showing, at least by substantial evidence, of an

actual or threatened violation of the right to privacy in life, liberty or security of the
victim are indispensable before the privilege of the writ may be extended. 15

Without an actionable entitlement in the first place to the right to informational

privacy, a habeas datapetition will not prosper. Viewed from the perspective of the
case at bar,this requisite begs this question: given the nature of an online social

22 | P a g e
network (OSN)––(1) that it facilitates and promotes real-time interaction among
millions, if not billions, of users, sans the spatial barriers,  bridging the gap created
16

by physical space; and (2) that any information uploaded in OSNs leavesan indelible
trace in the provider’s databases, which are outside the control of the end-users––is
there a right to informational privacy in OSN activities of its users? Before addressing
this point, We must first resolve the procedural issues in this case.
a. The writ of habeas data is not only confined to cases of extralegal killings and
enforced disappearances
Contrary to respondents’ submission, the Writ of Habeas Datawas not enacted solely
for the purpose of complementing the Writ of Amparoin cases of extralegal killings
and enforced disappearances. For Exclusive Use of TSU Students
Section 2 of the Rule on the Writ of Habeas Data provides:
Sec. 2. Who May File. – Any aggrieved party may file a petition for the writ of habeas
data. However, in cases of extralegal killings and enforced disappearances, the
petition may be filed by:
(a) Any member of the immediate family of the aggrieved party, namely: the
spouse, children and parents; or
(b) Any ascendant, descendant or collateral relative of the aggrieved party
within the fourth civil degreeof consanguinity or affinity, in default of those
mentioned in the preceding paragraph. (emphasis supplied)
Had the framers of the Rule intended to narrow the operation of the writ only to cases
of extralegal killings or enforced disappearances, the above underscored portion of
Section 2, reflecting a variance of habeas data situations, would not have been
made.
Habeas data, to stress, was designed "to safeguard individual freedom from abuse in
the information age."  As such, it is erroneous to limit its applicability to extralegal
17

killings and enforced disappearances only. In fact, the annotations to the Rule
preparedby the Committee on the Revision of the Rules of Court, after explaining
that the Writ of Habeas Data complements the Writ of Amparo, pointed out that:
The writ of habeas data, however, can be availed of as an independent remedy to
enforce one’s right to privacy, more specifically the right to informational privacy. The
remedies against the violation of such right can include the updating, rectification,
suppression or destruction of the database or information or files in possession or in
control of respondents.  (emphasis Ours) Clearly then, the privilege of the Writ of
18

Habeas Datamay also be availed of in cases outside of extralegal killings and

enforced disappearances.
b. Meaning of "engaged" in the gathering, collecting or storing of data or information
Respondents’ contention that the habeas data writ may not issue against STC, it not
being an entity engaged in the gathering, collecting or storing of data or information
regarding the person, family, home and correspondence of the aggrieved party, while
valid to a point, is, nonetheless, erroneous.
To be sure, nothing in the Rule would suggest that the habeas data protection shall
be available only against abuses of a person or entity engaged in the businessof
gathering, storing, and collecting of data. As provided under Section 1 of the Rule:
Section 1. Habeas Data. – The writ of habeas datais a remedy available to any
person whose right to privacy in life, liberty or security is violated or threatened by an
unlawful act or omission of a public official or employee, or of a private individual or
entity engaged in the gathering, collecting or storing of data or information regarding
the person, family, home and correspondence of the aggrieved party. (emphasis
Ours)

23 | P a g e
The provision, when taken in its proper context, as a whole, irresistibly conveys the
idea that habeas data is a protection against unlawful acts or omissions of public
officials and of private individuals or entities engaged in gathering, collecting, or
storing data about the aggrieved party and his or her correspondences, or about his
or her family. Such individual or entity need not be in the business of collecting or
storing data.
To "engage" in something is different from undertaking a business endeavour. To
"engage" means "to do or take part in something."  It does not necessarily mean that
19

the activity must be done in pursuit of a business. What matters is that the person or
entity must be gathering, collecting or storing said data or information about the
aggrieved party or his or her family. Whether such undertaking carries the element of
For Exclusive Use of TSU Students
regularity, as when one pursues a business, and is in the nature of a personal
endeavour, for any other reason or even for no reason at all, is immaterial and such
will not prevent the writ from getting to said person or entity.
To agree with respondents’ above argument, would mean unduly limiting the reach of
the writ to a very small group, i.e., private persons and entities whose business is
data gathering and storage, and in the process decreasing the effectiveness of the
writ asan instrument designed to protect a right which is easily violated in view of
rapid advancements in the information and communications technology––a right
which a great majority of the users of technology themselves are not capable of
protecting.
Having resolved the procedural aspect of the case, We now proceed to the core of
the controversy.
The right to informational privacy on Facebook
a. The Right to Informational Privacy
The concept of privacyhas, through time, greatly evolved, with technological
advancements having an influential part therein. This evolution was briefly recounted
in former Chief Justice Reynato S. Puno’s speech, The Common Right to
Privacy,  where he explained the three strands of the right to privacy, viz: (1)
20

locational or situational privacy;  (2) informational privacy; and (3) decisional

21

privacy.  Of the three, what is relevant to the case at bar is the right to informational
22

privacy––usually defined as the right of individuals to control information about

themselves. 23

With the availability of numerous avenues for information gathering and data sharing
nowadays, not to mention each system’s inherent vulnerability to attacks and
intrusions, there is more reason that every individual’s right to control said flow of
information should be protected and that each individual should have at least a
reasonable expectation of privacy in cyberspace. Several commentators regarding
privacy and social networking sites, however, all agree that given the millions of OSN
users, "[i]n this [Social Networking] environment, privacy is no longer grounded in
reasonable expectations, but rather in some theoretical protocol better known as
wishful thinking."24

It is due to this notion that the Court saw the pressing need to provide for judicial
remedies that would allow a summary hearing of the unlawful use of data or
information and to remedy possible violations of the right to privacy.  In the same
25

vein, the South African High Court, in its Decision in the landmark case, H v.
W,  promulgated on January30, 2013, recognized that "[t]he law has to take into
26

account the changing realities not only technologically but also socially or else it will
lose credibility in the eyes of the people. x x x It is imperative that the courts respond
appropriately to changing times, acting cautiously and with wisdom." Consistent with
this, the Court, by developing what may be viewed as the Philippine model of the writ

24 | P a g e
of habeas data, in effect, recognized that, generally speaking, having an expectation
of informational privacy is not necessarily incompatible with engaging in cyberspace
activities, including those that occur in OSNs.
The question now though is up to whatextent is the right to privacy protected in
OSNs? Bear in mind that informational privacy involves personal information. At the
same time, the very purpose of OSNs is socializing––sharing a myriad of
information,  some of which would have otherwise remained personal.
27

b. Facebook’s Privacy Tools: a response to the clamor for privacy in OSN activities
Briefly, the purpose of an OSN is precisely to give users the ability to interact and to
stay connected to other members of the same or different social media platform
through the sharing of statuses, photos,
For Exclusive Usevideos, among others, depending on the
of TSU Students
services provided by the site. It is akin to having a room filled with millions of
personal bulletin boards or "walls," the contents of which are under the control of
each and every user. In his or her bulletin board, a user/owner can post anything––
from text, to pictures, to music and videos––access to which would depend on
whether he or she allows one, some or all of the other users to see his or her posts.
Since gaining popularity, the OSN phenomenon has paved the way to the creation of
various social networking sites, includingthe one involved in the case at bar,
www.facebook.com (Facebook), which, according to its developers, people use "to
stay connected with friends and family, to discover what’s going on in the world, and
to share and express what matters to them." 28

Facebook connections are established through the process of "friending" another

user. By sending a "friend request," the user invites another to connect their
accounts so that they can view any and all "Public" and "Friends Only" posts of the
other.Once the request is accepted, the link is established and both users are
permitted to view the other user’s "Public" or "Friends Only" posts, among others.
"Friending," therefore, allows the user to form or maintain one-to-one relationships
with other users, whereby the user gives his or her "Facebook friend" access to his
or her profile and shares certain information to the latter. 29

To address concerns about privacy,  but without defeating its purpose, Facebook
30

was armed with different privacy tools designed to regulate the accessibility of a
user’s profile  as well as information uploaded by the user. In H v. W,  the South
31 32

Gauteng High Court recognized this ability of the users to "customize their privacy
settings," but did so with this caveat: "Facebook states in its policies that, although it
makes every effort to protect a user’s information, these privacy settings are not
foolproof."33

For instance, a Facebook user canregulate the visibility and accessibility of digital
images(photos), posted on his or her personal bulletin or "wall," except for the
user’sprofile picture and ID, by selecting his or her desired privacy setting:
(a) Public - the default setting; every Facebook user can view the photo;
(b) Friends of Friends - only the user’s Facebook friends and their friends can
view the photo;
(b) Friends - only the user’s Facebook friends can view the photo;
(c) Custom - the photo is made visible only to particular friends and/or
networks of the Facebook user; and
(d) Only Me - the digital image can be viewed only by the user.
The foregoing are privacy tools, available to Facebook users, designed to set up
barriers to broaden or limit the visibility of his or her specific profile content, statuses,
and photos, among others, from another user’s point of view. In other words,
Facebook extends its users an avenue to make the availability of their Facebook
activities reflect their choice as to "when and to what extent to disclose facts about

25 | P a g e
[themselves] – and to put others in the position of receiving such
confidences."  Ideally, the selected setting will be based on one’s desire to interact
34

with others, coupled with the opposing need to withhold certain information as well as
to regulate the spreading of his or her personal information. Needless to say, as the
privacy setting becomes more limiting, fewer Facebook users can view that user’s
particular post.
STC did not violate petitioners’ daughters’ right to privacy
Without these privacy settings, respondents’ contention that there is no reasonable
expectation of privacy in Facebook would, in context, be correct. However, such is
not the case. It is through the availability of said privacy tools that many OSN users
are said to have a subjective expectation
For Exclusive Usethat
of TSUonly those to whomthey grant access
Students
to their profile will view the information they post or upload thereto. 35

This, however, does not mean thatany Facebook user automatically has a protected
expectation of privacy inall of his or her Facebook activities.
Before one can have an expectation of privacy in his or her OSN activity, it is first
necessary that said user, in this case the children of petitioners,manifest the intention
to keepcertain posts private, through the employment of measures to prevent access
thereto or to limit its visibility.  And this intention can materialize in cyberspace
36

through the utilization of the OSN’s privacy tools. In other words, utilization of these
privacy tools is the manifestation,in cyber world, of the user’s invocation of his or her
right to informational privacy. 37

Therefore, a Facebook user who opts to make use of a privacy tool to grant or deny
access to his or her post orprofile detail should not be denied the informational
privacy right which necessarily accompanies said choice.  Otherwise, using these
38

privacy tools would be a feckless exercise, such that if, for instance, a user uploads a
photo or any personal information to his or her Facebook page and sets its privacy
level at "Only Me" or a custom list so that only the user or a chosen few can view it,
said photo would still be deemed public by the courts as if the user never chose to
limit the photo’s visibility and accessibility. Such position, if adopted, will not only strip
these privacy tools of their function but it would also disregard the very intention of
the user to keep said photo or information within the confines of his or her private
space.
We must now determine the extent that the images in question were visible to other
Facebook users and whether the disclosure was confidential in nature. In other
words, did the minors limit the disclosure of the photos such that the images were
kept within their zones of privacy? This determination is necessary in resolving the
issue of whether the minors carved out a zone of privacy when the photos were
uploaded to Facebook so that the images will be protected against unauthorized
access and disclosure.
Petitioners, in support of their thesis about their children’s privacy right being
violated, insist that Escudero intruded upon their children’s Facebook accounts,
downloaded copies ofthe pictures and showed said photos to Tigol. To them, this
was a breach of the minors’ privacy since their Facebook accounts, allegedly, were
under "very private" or "Only Friends" setting safeguarded with a
password.  Ultimately, they posit that their children’s disclosure was only limited
39

since their profiles were not open to public viewing. Therefore, according to them,
people who are not their Facebook friends, including respondents, are barred from
accessing said post without their knowledge and consent. Aspetitioner’s children
testified, it was Angelawho uploaded the subjectphotos which were only viewable by
the five of them,  although who these five are do not appear on the records.
40

26 | P a g e
Escudero, on the other hand, stated in her affidavit  that "my students showed me
41

some pictures of girls cladin brassieres. This student [sic] of mine informed me that
these are senior high school [students] of STC, who are their friends in [F]acebook. x
x x They then said [that] there are still many other photos posted on the Facebook
accounts of these girls. At the computer lab, these students then logged into their
Facebook account [sic], and accessed from there the various photographs x x x.
They even told me that there had been times when these photos were ‘public’ i.e.,
not confined to their friends in Facebook."
In this regard, We cannot give muchweight to the minors’ testimonies for one key
reason: failure to question the students’ act of showing the photos to Tigol disproves
their allegation that the photosForwere viewable only by the five of them. Without any
Exclusive Use of TSU Students
evidence to corroborate their statement that the images were visible only to the five
of them, and without their challenging Escudero’s claim that the other students were
able to view the photos, their statements are, at best, self-serving, thus deserving
scant consideration. 42

It is well to note that not one of petitioners disputed Escudero’s sworn account that
her students, who are the minors’ Facebook "friends," showed her the photos using
their own Facebook accounts. This only goes to show that no special means to be
able to viewthe allegedly private posts were ever resorted to by Escudero’s
students,  and that it is reasonable to assume, therefore, that the photos were, in
43

reality, viewable either by (1) their Facebook friends, or (2) by the public at large.
Considering that the default setting for Facebook posts is"Public," it can be surmised
that the photographs in question were viewable to everyone on Facebook, absent
any proof that petitioners’ children positively limited the disclosure of the photograph.
If suchwere the case, they cannot invoke the protection attached to the right to
informational privacy. The ensuing pronouncement in US v. Gines-Perez  is most 44

instructive:
[A] person who places a photograph on the Internet precisely intends to forsake and
renounce all privacy rights to such imagery, particularly under circumstances suchas
here, where the Defendant did not employ protective measures or devices that would
have controlled access to the Web page or the photograph itself. 45

Also, United States v. Maxwell  held that "[t]he more open the method of
46

transmission is, the less privacy one can reasonably expect. Messages sent to the
public at large inthe chat room or e-mail that is forwarded from correspondent to
correspondent loses any semblance of privacy."
That the photos are viewable by "friends only" does not necessarily bolster the
petitioners’ contention. In this regard, the cyber community is agreed that the digital
images under this setting still remain to be outside the confines of the zones of
privacy in view of the following:
(1) Facebook "allows the world to be more open and connected by giving its
users the tools to interact and share in any conceivable way;" 47

(2) A good number of Facebook users "befriend" other users who are total
strangers;
48

(3) The sheer number of "Friends" one user has, usually by the hundreds;
and
(4) A user’s Facebook friend can "share"  the former’s post, or "tag"  others
49 50

who are not Facebook friends with the former, despite its being visible only
tohis or her own Facebook friends.
It is well to emphasize at this point that setting a post’s or profile detail’s privacy to
"Friends" is no assurance that it can no longer be viewed by another user who is not
Facebook friends with the source of the content. The user’s own Facebook friend can

27 | P a g e
share said content or tag his or her own Facebook friend thereto, regardless of
whether the user tagged by the latter is Facebook friends or not with the former.
Also, when the post is shared or when a person is tagged, the respective Facebook
friends of the person who shared the post or who was tagged can view the post, the
privacy setting of which was set at "Friends."
To illustrate, suppose A has 100 Facebook friends and B has 200. A and B are not
Facebook friends. If C, A’s Facebook friend, tags B in A’s post, which is set at
"Friends," the initial audience of 100 (A’s own Facebook friends) is dramatically
increased to 300 (A’s 100 friends plus B’s 200 friends or the public, depending upon
B’s privacy setting). As a result, the audience who can view the post is effectively
expanded––and to a very largeFor extent.
Exclusive Use of TSU Students
This, along with its other features and uses, is confirmation of Facebook’s proclivity
towards user interaction and socialization rather than seclusion or privacy, as it
encourages broadcasting of individual user posts. In fact, it has been said that OSNs
have facilitated their users’ self-tribute, thereby resulting into the "democratization of
fame."  Thus, it is suggested, that a profile, or even a post, with visibility set at
51

"Friends Only" cannot easily, more so automatically, be said to be "very private,"

contrary to petitioners’ argument.
As applied, even assuming that the photos in issue are visible only to the sanctioned
students’ Facebook friends, respondent STC can hardly be taken to task for the
perceived privacy invasion since it was the minors’ Facebook friends who showed
the pictures to Tigol. Respondents were mere recipients of what were posted. They
did not resort to any unlawful means of gathering the information as it was voluntarily
given to them by persons who had legitimate access to the said posts. Clearly, the
fault, if any, lies with the friends of the minors. Curiously enough, however, neither
the minors nor their parents imputed any violation of privacy against the students
who showed the images to Escudero.
Furthermore, petitioners failed to prove their contention that respondents reproduced
and broadcasted the photographs. In fact, what petitioners attributed to respondents
as an act of offensive disclosure was no more than the actuality that respondents
appended said photographs in their memorandum submitted to the trial court in
connection with Civil Case No. CEB-38594.  These are not tantamount to a violation
52

of the minor’s informational privacy rights, contrary to petitioners’ assertion.

In sum, there can be no quibbling that the images in question, or to be more precise,
the photos of minor students scantily clad, are personal in nature, likely to affect, if
indiscriminately circulated, the reputation of the minors enrolled in a conservative
institution. However, the records are bereft of any evidence, other than bare
assertions that they utilized Facebook’s privacy settings to make the photos visible
only to them or to a select few. Without proof that they placed the photographs
subject of this case within the ambit of their protected zone of privacy, they cannot
now insist that they have an expectation of privacy with respect to the photographs in
question.
Had it been proved that the access tothe pictures posted were limited to the original
uploader, through the "Me Only" privacy setting, or that the user’s contact list has
been screened to limit access to a select few, through the "Custom" setting, the
result may have been different, for in such instances, the intention to limit access to
the particular post, instead of being broadcasted to the public at large or all the user’s
friends en masse, becomes more manifest and palpable.
On Cyber Responsibility
It has been said that "the best filter is the one between your children’s ears."  This
53

means that self-regulation on the part of OSN users and internet consumers

28 | P a g e
ingeneral is the best means of avoiding privacy rights violations.  As a cyberspace
54

communitymember, one has to be proactive in protecting his or her own privacy.  It 55

is in this regard that many OSN users, especially minors, fail.Responsible social
networking or observance of the "netiquettes"  on the part of teenagers has been the
56

concern of many due to the widespreadnotion that teenagers can sometimes go too
far since they generally lack the people skills or general wisdom to conduct
themselves sensibly in a public forum. 57

Respondent STC is clearly aware of this and incorporating lessons on good cyber
citizenship in its curriculum to educate its students on proper online conduct may be
mosttimely. Too, it is not only STC but a number of schools and organizations have
already deemed it important toForinclude digital literacy and good cyber citizenshipin
Exclusive Use of TSU Students
their respective programs and curricula in view of the risks that the children are
exposed to every time they participate in online activities.  Furthermore, considering
58

the complexity of the cyber world and its pervasiveness,as well as the dangers that
these children are wittingly or unwittingly exposed to in view of their unsupervised
activities in cyberspace, the participation of the parents in disciplining and educating
their children about being a good digital citizen is encouraged by these institutions
and organizations. In fact, it is believed that "to limit such risks, there’s no substitute
for parental involvement and supervision." 59

As such, STC cannot be faulted for being steadfast in its duty of teaching its students
to beresponsible in their dealings and activities in cyberspace, particularly in OSNs,
whenit enforced the disciplinary actions specified in the Student Handbook, absenta
showing that, in the process, it violated the students’ rights.
OSN users should be aware of the risks that they expose themselves to whenever
they engage incyberspace activities.  Accordingly, they should be cautious enough to
1âwphi1

control their privacy and to exercise sound discretion regarding how much
information about themselves they are willing to give up. Internet consumers ought to
be aware that, by entering or uploading any kind of data or information online, they
are automatically and inevitably making it permanently available online, the
perpetuation of which is outside the ambit of their control. Furthermore, and more
importantly, information, otherwise private, voluntarily surrendered by them can be
opened, read, or copied by third parties who may or may not be allowed access to
such.
It is, thus, incumbent upon internet users to exercise due diligence in their online
dealings and activities and must not be negligent in protecting their rights. Equity
serves the vigilant. Demanding relief from the courts, as here, requires that claimants
themselves take utmost care in safeguarding a right which they allege to have been
violated. These are indispensable. We cannot afford protection to persons if they
themselves did nothing to place the matter within the confines of their private zone.
OSN users must be mindful enough to learn the use of privacy tools, to use them if
they desire to keep the information private, and to keep track of changes in the
available privacy settings, such as those of Facebook, especially because Facebook
is notorious for changing these settings and the site's layout often.
In finding that respondent STC and its officials did not violate the minors' privacy
rights, We find no cogent reason to disturb the findings and case disposition of the
court a quo.
In light of the foregoing, the Court need not belabor the other assigned errors.
WHEREFORE, premises considered, the petition is hereby DENIED. The Decision
dated July 27, 2012 of the Regional Trial Court, Branch 14 in Cebu City in SP. Proc.
No. 19251-CEB is hereby AFFIRMED.
No pronouncement as to costs.

29 | P a g e
SO ORDERED.
PRESBITERO J. VELASCO, JR.
Associate Justice
WE CONCUR:
DIOSDADO M. PERALTA
Associate Justice
MARTIN S. VILLARAMA, JR. BIENVENIDO L. REYES
Associate Justice Associate Justice
FRANCIS H. JARDELEZA
Associate Justice
For Exclusive Use of TSU Students
AT T E S T A T I O N
I attest that the conclusions in the above Decision had been reached in consultation
before the case was assigned to the writer of the opinion of the Court's Division.
PRESBITERO J. VELASCO, JR.
Associate Justice
Chairperson
CERTIFICATION
Pursuant to Section 13, Article VIII of the Constitution and the Division Chairperson's
Attestation, I certify that the conclusions in the above Decision had been reached in
consultation before the case was assigned to the writer of the opinion of the Court's
Division.
ANTONIO T. CARPIO
Acting Chief Justice

IV. SYNTHESIS/GENERALIZATION

• Accessing the internet is a privilege. It could also be considered as a

power. As uncle Ben once said to Peter Parker (Spiderman), “With great
power comes great responsibilities.”
• Identity theft is always a threat to information and privacy
provided/uploaded online.
• Writ of Habeas Data is a “right”. Data Privacy Act of 2012 is a law.
• Busting cybercrimes will always be a collaborative effort of netizens, law
enforcers and government agencies.

V. EVALATION
Answer the following questions.
1. What are your personal actions online to protect your information
and privacy?
2. In what ways you think your personal information or privacy were
exploited online, if any?

30 | P a g e
 3. Create a poster/slogan criticizing any of the 16 crimes provided
under the Cyber-crime Prevention act of 2012.(You can use any
app from computers or smartphones).

VI. ASSIGNMENT
1. Search for (1) case digest in relation to the following laws:
a. Intellectual Property
For ExclusiveRights
Use of TSU Students
b. Data Privacy Act
C. Cybercrime Protection Act.
2. Provide the following information from each case digest
a. Persons Involved
b. Nature of the Case
c. Resolution
3. Arrange them in in a PowerPoint presentation.

VII. REFERENCES
-GovPh. (1997, June 6). Republic Act 8293. Official Gazzette.
-https://www.officialgazette.gov.ph/1997/06/06/republic-act-no-8293/
-FullSuite Team. (2015, September 14). The Beginner’s Guide To Intellectual
Property Laws In The Philippines. FullSuite.
https://www.full-suite.com/blog/beginners-guide-to-intellectual-property-laws-
philippines/
-Toral, J. (n.d.) 16 Cybercrimes covered under Cybercrime Prevention Act –
Republic Act 10175. DigitalFilipino. https://digitalfilipino.com/introduction-
cybercrime-prevention-act-republic-act-10175/
-Wall, A. (n.d.). Summary: Philippines Data Privacy Act and implementing
regulations. 20iapp. https://iapp.org/news/a/summary-philippines-data-protection-
act-and-implementing-regulations
-Conrad, A. (2018, June 9). The Writ of Habeas Data. Retrrieved from
-https://privacyph.net/2018/06/09/the-writ-of-habeas-data

31 | P a g e