A Way Forward

-- By SamanthaBeatriceKing - 09 Jan 2022


A recurring theme throughout the semester has been the idea that it isn't data that needs protecting; but rather, “the people.” The challenge is to articulate what, exactly, this means. What does it mean to protect the human being in the broader context of data protection? The general framework of data protection is to protect how your personal information is processed. Understood in this sense, data protection seems more concerned with the methodology of data processing rather than the substantive rights of those whose data is gathered.

As an example, the General Data Protection Regulation clearly outlines the rights of individuals in relation to his or her data. These rights include, among others, the rights to be informed, to rectification, to erasure, to restrict processing, to data portability. The Philippines’ Data Privacy Act recognizes similar data rights as well.

However, will simply declaring such rights protect the supposed rights holders? The bundle of recognized rights is premised on the assumption that you consent to your data being processed.

If we are to protect “the people” instead of their data, should that mean eradicating data collection? Is this even possible or practical? The scale of this inquiry, with its impact on government, health, and economic systems is too daunting for someone with my limited knowledge and exposure to entertain.

As a millennial, however, what I can do is examine my own online behavior. And as a lawyer, I can look at the possible remedial measures in the context of my own country.

On leaving traces

To see for myself how Google perceives my identity, I checked myactivity.google.com and visited Ad Settings. It’s one thing to read about it, but actually seeing how Google keeps track of your browsing history and ascribes an identity to you is mortifying. According to Google and its partnered advertisers, I am, among others, an unmarried, childless, 25- to 35-year-old female homeowner with a high household income rating, an ideal candidate to take out a mortgage, whose job industry is healthcare.

Hundreds of clicks and facts about my browsing history were diluted into categories. My interests and purchasing power are for advertisers to determine how much I am worth.

As such, in the eyes of Facebook, Google, etcetera, I am not a consumer. I am a product.

If my clicks determine the information that is fed to me, my browsing experience becomes a deterministic, endless loop where the things I searched in the past control what I see next. Now that I’ve checked under the bed, the result drives home the point that consent-based data protection will not truly safeguard privacy.

As a small countermeasure, I tried logging off and browsing Google on Guest mode. I did not realize that the simple act of refraining from using my Google account could significantly limit the platform’s ability to track my searching and reading behavior. I am taking more care to lessen my online footprint by experimenting with browser extensions, as well as being more deliberate in customizing the cookies on various websites I visit, instead of mindlessly clicking “accept.”

Reclaiming agency and consent

In terms of remedies, I can only draw on my own experience as a Philippine lawyer. Our own Data Privacy Act has no remedial provisions—only a list of penalties for unauthorized data processing, disclosure, access, and the like.

However, the writ of habeas data is available in the Philippines as a remedy promulgated by the Supreme Court pursuant to its constitutional rule-making powers. The writ of habeas data is designed to protect a person’s right to privacy in life, liberty, or security from public officials or private entities engaged in gathering information on such person.

While habeas data may be the youngest writ in the country, its relevance today trumps even that of habeas corpus, which is the Philippines’ only constitutionally-enshrined writ. In the context of President Rodrigo Duterte’s drug war, for example, police operations draw their supposed legitimacy from drug-related information concerning ordinary citizens. Habeas data aims to protect a person’s right to informational privacy by allowing an aggrieved citizen to compel respondents to release or destroy obtained information that may threaten her right to life, liberty, or security.

Among the reliefs covered by the writ are “the updating, rectification, suppression or destruction of the database or information or files kept by the respondent,” as well as an injunction order. Habeas data also gives courts the discretion to immediately issue relief if the petition is meritorious “on its face,” thus increasing its potency.

One limitation of habeas data in the Philippines is that the petition should detail previous attempts to secure the information, and should allege, “if known,” the location of the databases and the office or person in control of the data or information. Considering how big tech companies and intelligence-gathering agencies operate under a veil of secrecy, these conditions should be liberally construed.

Habeas data seems like a good jump-off point as a remedy to protect the rights holder. It certainly provides more agency to the data subject; protecting a person’s right over her own information instead of merely protecting how data is obtained, processed, and disseminated.

The problem, at least in the Philippines, is the high threshold for availing of habeas data—requiring a threat to one’s life, liberty, or security in relation to the information. In several Latin American countries where habeas data is a constitutional provision, the standard appears to be much lower. Moreover, many Latin American countries generally require express, opt-in consent from the data subject, which even extends to online first-party marketing. This means users can withhold consent and prevent data from being processed in the first place.

This framework can be explored in the Philippines. A lowered threshold, making the writ available for an individual if the data entries are simply “wrong or…illegitimately affecting his rights,” along with a requirement for opt-in consent, would go a long way in protecting the people, and not just the data.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.