Data Privacy Protection

Sim Card Registration and Data Privacy

It’s 8:07 in the evening, and you just sent a text message to your crush, asking him/her if she would like to go out with you. You feel giddy and nervous at the same time, like the protagonist of a shoujo anime who just confessed his/her love. You feel uneasy as minutes go by, waiting for that oh-so-sweet acceptance, but also nervous in anticipation of a painful rejection. You ponder whether she received the message. Is she thinking hard about it? Is she charging her battery right now and can’t respond to you? You start to lament your choice of even asking her to go out with you in the first place. You wonder whether you should just stay being friends and not risk losing what you both have now. Is there an unsend function in text messages? Suddenly, your phone beeps, and you are immediately filled with both excitement, and dread in case you get rejected. You unlock your phone and see this text:

“Ang Masuwerteng Bituin Ngayon Ay Ikaw, Neneng B. Q8bnYCngetE= I-claim ang iyong libreng 50 SLOT na oras at 3000 libreng bonus sa T1BET ngayon”

Last October 10, President Bongbong Marcos signed into law the SIM Card Registration Act which among others, makes mandatory that SIM Card owners register other personal information such as names, and addresses. The proliferation of scam and unwarranted text messages such as the one above is one of the reasons why such law was enacted. In this blog post, we explore the different aspects of this law and analyze whether it would be effective in curbing the unscrupulous practice of sending unwarranted spam text messages.

Why though?

As stated in the explanatory note of the law, the need for this piece of legislation stems from the sheer number of prepaid cellphone numbers circulating around the country. Unlike postpaid arrangements where Public Telecommunication Entities or PTE (such as Globe, Smart etc.) necessarily record personal data as part of their registration process, prepaid cellphones can be purchased and activated without divulging any personal details, with the end benefit of maintaining anonymity. In turn, this anonymity is exploited by the end-users for malicious intent. We are sure that you have received some form of advertisement in your cellphone numbers for things that you have not even given permission. The proliferation of scam text messages has truly become a serious problem, and which necessitated the call for enacting laws to protect users against it. The SIM Card Registration law aims to establish a form of accountability for prepaid users in an attempt to curb the ongoing practice of sending malicious text messages under a blanket of anonymity.

‘Cause I’m saving all my (personal details) for you

What happens when the law formally takes effect? Well, if you’re a current prepaid subscriber, you would have to register your SIM card within 180 days. An online module will be available where you can input your personal details and also upload a picture of your valid ID. If you’re planning to buy a prepaid sim, you would have to present valid identification first, in addition to accomplishing a control-numbered form with an attestation at the end that the documents you presented are true and correct and that the person who appeared in front of the direct seller and accomplished and signed the form, are one and the same person. This must be submitted within 15 days to the concerned PTE.

For your eyes only

The law imposes a strict confidentiality policy in regard to the personal data obtained by the PTEs. All information obtained in the registration process shall be treated absolutely confidential and shall not be disclosed to any person. Disclosure may only be allowed:

In compliance with any law obligating the PTE to disclose such information in accordance with the provisions of this Act and the Data Privacy Act.
In compliance with a court order or legal process upon finding probable cause
Upon subpoena by a competent authority pursuant to an investigation based on a sworn complaint.
With the written consent of the subscriber, provided that the waiver of absolute confidentiality shall not be made as a condition for the approval of subscription agreements with the PTE.

There are also several provisions for breach of confidentiality, for breach of confidentiality due to negligence, for providing false or fictitious information, or for using fictitious identities or fraudulent identification documents to register a SIM, for sale or transfer without complying with the required registration, and sale of a stolen SIM card. Overall, the law provides for protections in place in order to avoid possible unauthorized disclosure of the personal data obtained by the subscribers.

Smile! You’re on Surveillance.

The most cited reason of people against the implementation of the law is its data privacy implications. In a report by the Philippine Star, Ivy Grace Villasoto said that the mandatory registration requirements and the manner by which the same will be actually implemented may result in the intrusion on an individual’s fundamental right to privacy. Specifically, this may lead to a heightened risk of the occurrence of personal data breaches and unauthorized processing of personal data. In a report by Business World, Asia Internet Coalition (AIC) argues that information collected as part of mandatory registration, kept for an indefinite period, used for various purposes, and applied for secondary uses, including biometric databases, put individuals in particular vulnerable groups “at risk of tracking and targeting, increasing the chances of their private information being misused.”

High on Data Breach

This might seem premature, but a lot of data breaches have already occurred in the country and the vicinity. Last April 2022, a Smartmatic data breach has been reported just before the conduct of the 2022 elections. Techwire Asia reported last May 7, 2021, that in Southeast Asia (SEA) – considered the fastest-growing region in the world with burgeoning economies like Indonesia, Singapore, Vietnam, Malaysia, Thailand, and the Philippines – reported incidences of data breaches have shot up exponentially in the past year, marking the region for the biggest increase in reported data breaches worldwide. In addition, it seems that each database will be maintained by the PTEs themselves. While this makes the impact of data breach lesser than if a centralized database will be implemented, it also creates an inequality in the type and quality of data protection that each database will possess, without any concrete standards present in the law.

Is SIM Card registration really necessary?

The writer of this post believes in the negative. Even the National Privacy Commission (NPC) maintains that mandatory SIM-card registration will succeed only under a framework of guaranteed privacy protection for mobile users. At present, we have that framework in place to protect citizens’ privacy and ensure that data privacy rights of mobile users are upheld and that is the Data Privacy Act (DPA) of 2012. Like the NPC, I believe that there is a need first to strengthen the Data Privacy Laws. In this rapidly growing digital age, the acquisition of a personal data through the internet has become a commodity that gives rise to a market where personal information can be sold for the right price. As a result, there is considerably less protection of personal information in the digital space. Thus, there is a need for the government to intervene and strengthen these privacy laws first. I think it is wrong to attribute the sudden rise in spam texts because of the prepaid sim being used as blanket anonymity and lack of accountability. Prepaid sims have always been here ever since cellphones were introduced in the country. The sudden rise in these types of activities is not because of prepaid sims that have been already existing for the longest time, but because of the unauthorized release of cellphone numbers. Indeed, there are only a few instances that we divulge our cellphone numbers to others. Suddenly receiving spam text messages then means that someone released our numbers to the public without our permission, which is an issue of data privacy, not subscriber accountability. While setting up accountability for people who unscrupulously send spam text messages is a laudable act, it does not address the concern properly, and introduces more risks in the process.

Has your privacy been breached? Let our lawyers who are data privacy officers assist you in your legal concerns regarding violations under our privacy laws. Book a consultation now.