Watch this IAPP keynote where Apple and Google privacy officers discuss the contact tracing app. Several months into the COVID-19 pandemic, many countries are still grappling with an ever-increasing number of infections. Understandably, we are turning to technology-based solutions to optimize contact tracing efforts. Apple and Google teamed up to create a contact-tracing approach based on Bluetooth technology. In this video, they discuss how the project came about, how they addressed the tension between efficacy and privacy, and how they employed the privacy-by-design approach.
The International Committee of the Red Cross will be launching the second edition of its Handbook on Data Protection in Humanitarian Action with a series of panels on issues relating to technology and data protection. The day-long event, dubbed Follow the Sun, consists of sessions hosted across different countries in order of sunrise, from Tokyo, Japan to Bogotá, Colombia. I'm looking into two panels that I might attend: Panel 1 (Digital Identity and Biometrics) and Panel 2 (Covid-19 and Contact Tracing Applications). I am quite stoked about Panel 1 because digital identity is a particularly thorny issue that we will need to resolve soon. For one, the Philippines' distribution of humanitarian aid to populations affected by COVID-19 would have been much more efficient if people had digital identities. Of course, the fact of a repressive government that is also ill-equipped to protect personal data complicates matters. Register for the event here.
Thanks to the fact that my friends know I work in Privacy, I am usually at the receiving end of random questions on data breaches. The other day, the question I got was: If a company-issued device containing personal data was stolen, is the company required to report the personal data breach to the National Privacy Commission (NPC)? Interesting question.
Here are our facts: Company A issues a laptop to Mr. Employee for his use while working from home during the Enhanced Community Quarantine period (the "lockdown"). Company A instructs Mr. Employee that the device should be used exclusively for the performance of his work, which does not involve the processing of personal data. However, Mr. Employee does not heed Company A's instructions. He uses the laptop for his personal transactions, storing scans of his government-issued IDs on the laptop. One day, Mr. Employee forgets the laptop in the backseat of his car and the laptop is stolen. Mr. Employee immediately reports the theft to Company A and discloses that copies of his government-issued IDs are saved on the laptop.
Section 11 of NPC Circular No. 16-03 on Personal Data Breach Management (you will remember that we talked about this in a previous post) sets the following requisites for mandatory reporting (note: all requisites must be present):
The personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
There is a reason to believe that the information may have been acquired by an unauthorized person; and
The PIC or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
Since we know that government-issued IDs were stored on the laptop and that the laptop was stolen, we can say that the first and second requisites are present. For purposes of our discussion, we also assume that the theft would give rise to a real risk of serious harm to Mr. Employee. Given this, it appears that we can tick all the boxes for mandatory reporting.
Is Company A obligated to report the personal data breach to the NPC?
To answer this question, we go back to the Implementing Rules and Regulations of the Data Privacy Act (the "IRR"). Section 38 of the IRR states that it is the personal information controller (PIC) that notifies the NPC and affected data subjects of the personal data breach. The IRR defines a PIC as "a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf."
In this case, the personal data was not related to Mr. Employee's performance of his work functions. Company A did not instruct Mr. Employee to save his IDs to the laptop, and the processing of said personal data was not under Company A's control. In other words, Company A was not the PIC of said personal data of Mr. Employee. Considering that Section 38 of the IRR mandates the PIC to report, and Company A is not the PIC of said personal data, I would say that Company A is not obligated to report the personal data breach to the NPC.
The New York Times reports that the former head of Uber's security team has been charged in a criminal case for concealing a 2016 personal data breach. The breach involved personal information of 57 million Uber drivers and passengers.
What's notable about the case, as the New York Times notes, is that "the charges drew an important distinction between failing to protect Uber's computer network and failing to tell the authorities about it. Prosecutors said that Mr. Sullivan committed two felonies when he didn't disclose the 2016 incident to federal investigators who were already investigating a similar data breach that had occurred two years earlier."
The Philippines' Data Privacy Act draws a similar distinction, as there is a specific criminal offense for failure to report a security breach involving sensitive personal information (see Section 30 of Republic Act No. 10173 [the "DPA"]). In a number of public statements, officials of the National Privacy Commission have stated that, as a general rule, personal information controllers would not be held liable if they are victimized by a data breach (subject to the usual caveats regarding accountability for protecting the data, of course). However, these controllers may be prosecuted criminally if they fail to comply with the mandatory reporting requirements for personal data breaches.
Unlike in the United States, the parameters for mandatory reporting of personal data breaches in the Philippines are clear. As provided in Section 38 (b) of the Implementing Rules and Regulations of the DPA, reporting to the NPC is mandatory "when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject." The report must be submitted to the NPC within 72 hours upon knowledge of, or reasonable belief that, such a breach has occurred. Note that affected data subjects must also be notified within the same timeframe.
What is curious for me, though, is that the criminal offense for concealment under Section 30 refers to concealment of a security breach involving sensitive personal information. However, the mandatory reporting requirement under Section 38(b) also covers breaches where the subject of the breach is "any other information that may, under the circumstances, be used to enable identity fraud." This is a distinct reporting basis, as NPC Circular No. 16-03 on Personal Data Breach Management provides that this "other information" "shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like Philhealth, SSS, GSIS, TIN number; or other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits."
Given the distinction, an argument can be made that failure to report a data breach involving other information that may be used to enable identity fraud would NOT give rise to criminal charges for concealment under Section 30 of the DPA. What do you think?