Humanizing data privacy in the Philippines

Just recently, the National Privacy Commission (NPC) celebrated this year’s Privacy Awareness Week (PAW). This time around, the occasion focused on the rights of data subjects.

For those who attended the main activity, what was perhaps noticeable was the use of the Filipino language in the delivery by the speakers of their respective speeches. Why was that important? Because it seems that, in doing so, the NPC saw one of the key challenges to the implementation of the law—how to make it more relatable, more about to the data subjects—and decided to do something about it. They saw the need to humanize it.

In an article written by Brian Wesolowski in 2018, he stated: “[e]very day, our personal data is collected, used, and stored, but few of us fully understand what exactly happens to it. Sometimes data practices are secret, sometimes they are obscured in legal language, and sometimes they are directly harmful. When the media covers issues related to data and privacy, the human side is often left out, and instead the focus is on laws, procedures, and generalities.”

Today, one might say that this problem is very much prevalent here in the Philippines. It seems that too much focus is given to the way Personal Information Controllers (PICs) and Personal Information Processors (PIPs) should be complying with the Data Privacy Act of 2012 (DPA). Relegated to the background are the data subjects and their welfare, arguably the foundation upon which the law is built on and the very things the law was enacted to protect.

For critics, this is unacceptable. How are we going to ensure PICs and PIPs are really fulfilling their legal obligations when data subjects are not even aware of their rights or at least fail to understand them? With the tendency of PICs and PIPs to utilize legal jargon when drafting their privacy notices, consent forms, and contracts, all those rights afforded to people by the country’s data protection law will gradually erode into obscurity.

This is why there is a need to humanize the way the DPA is implemented. Just as there is a need to inform PICs and PIPs of their responsibilities, of equal importance is the need for data subjects to be made aware of their rights.

The question, though, is how exactly do we do it?

Part of the answer takes off from the NPC’s initiative during the recently-concluded PAW 2022: make sure data subjects do not only know their rights, but also understand what they’re all about. To do this, a critical step is to use language that is known them (i.e., local dialects). In the case of the Philippines and its roughly 7,100 islands, this is easier said than done. Its geography has given rise to many dialects which are as numerous as they are diverse. This has made the implementation of any policy challenging. In one seminar I recently conducted, a participant opined that once  data subjects see a lengthy consent form written in a language they are not fluent in, it’s not uncommon for some of them to refuse to proceed with a transaction or activity since they do not know or understand what may happen to their data. Avoiding scenarios like this requires breaking the language barrier and reaching out to the data subjects in a simple but effective manner. Props to the NPC for recognizing this.

Second: we need to start teaching or requiring PICs to use specific consent forms when obtaining the consent of data subjects. The current practice of using bundled consent forms (i.e., referring to multiple purposes) usually lead to lengthy forms that are hard to read, let alone understand.  They also allow PICs to employ so-called privacy “ dark patterns”, which are practices that deceive users into acting in a certain way despite them not intending to do so. They are often built within confusing user interfaces, causing users to have no understanding of what they are agreeing to. Specific consent forms make for shorter documents (although not always) that data subjects are more likely to read—and more importantly, understand.

Lastly, press conferences, media coverage, and other similar activities that take up privacy breaches should focus on the potential or actual harm they inflict on people. Today, most of them usually focus on the erring companies or government agencies, and any action the NPC or some other government authority may have taken as a response. What’s often missing is how a reported breach actually affects the people concerned. Because of this, they rarely capture the interest of data subjects and even the public at large. After all, they cannot relate to what is being discussed. This then reinforces the notion that privacy is merely a first-world country problem, while effectively shelving people’s interest in upholding their rights, which is the ultimate goal of data protection laws to begin with.

There are many ways to humanize privacy, but we can start with these small steps in our journey towards a culture of privacy in this country.