August 15, 2016 was an extra special day for my advocacies on several levels. It was the day when I got to debut a very new and hot topic for the UP IAJ [through the urging of the wonderful Ms. Mabel Perez] in their Mandatory Continuing Legal Education (MCLE) seminar series. This lecture, which I entitled “Trends and Issues in the Prosecution of Cyber Privacy Predators and Personal Information Thieves” is in all probability, the first time that would be tackled by any MCLE lecturer in the Philippines. The National Privacy Commission (NPC) was just established last March 8, 2016, despite the fact that the law (R.A. 10173) creating it was passed in 2012, and up to now, the lmplementing Rules and Regulations (I.R.R.) that the NPC was tasked to promulgate is still in the process of being finalized.
I went through many essential concepts that are unique to the Data Privacy law, for a very attentive and receptive audience (none of whom slept during my lecture): from the right of informational privacy that was developed in Europe after the Second World War and the right to informational self-determination which was first recognized as a constitutionally guaranteed right in 1983 by the German Constitutional Court; to the explication of the right to be forgotten, and the relevance of our very own writ of habeas data in enforcing this right; to the right of portability and how that right had been enforced in some jurisdictions; to the right of transmissibility and my own advocacy for the establishment of a Digital Inheritance Law in the Philippines which would give access to the heirs of a decedent, and the police and prosecutors to e-data, particularly emails and social media e-data, that can give a clue to any foul play or crime that was perpetrated on the decedent; to the different types of identity theft, impersonation and misappropriation of personal information; to the role of encryption in securing our privacy; to the electronic means of stealing personal information like spamming and ransomware; to the types of electronic evidence that prosecutors should recognize and present in court as incriminating evidence; and everything in between.
One of the most important concepts I discussed at some length is the extra-territorial application of R.A. 10173, as well as the Cybercrime Prevention Act (R.A. 10175). Prior to these laws, law students and lawyers were only taught criminal laws are primarily territorial in application, and the only way that courts can have jurisdiction over the person of the accused would be through the latter’s arrest, voluntary surrender or arraignment appearance.
The two laws changed all previous conceptions of the territorial application of Philippine criminal laws by broadening their scope. R.A. 10175 made it easier to file any cybercrime case in a Philippine cybercrime court, even if the offender is not in the Philippines so long as any of these jurisdictional requirements are met: if the computer system which was used to commit the crime is situated wholly or partially in the Philippines; or when the offender is a Philippine citizen; or when any of the elements were committed in the Philippines; or when the offended party, natural or juridical, was in the Philippines when the offense was committed and experienced damage here.
In a similar manner, R.A. 10173 and its proposed I.R.R. made filing a cybercrime case for any unlawful data processing of the personal information of a data subject apparently simpler, by requiring the fulfilment of any of these conditions: the data wrongfully processed belongs to a Philippine citizen or resident; or the data processor [personal information controller or personal information processor] has a Philippine link. The linkage can be through the fact that the data processor processes personal information in the Philippines; or carries business in the Philippines; or uses equipment located in the country, or maintains an office, branch or agency in the Philippines for processing of personal data; or has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information. If the data processor processes the personal information outside the Philippines, it could still be held liable as long as the information is about Philippine citizens or residents. Other links include the data processor having entered into a contract in the Philippines; or if it’s not incorporated in the Philippines, it somehow “has central management and control in the country”.
While these jurisdictional “links” or anchors that Philippine prosecutors can now use to go after cybercriminals in other countries legally exist, I gave a cautionary note in their enforcement. In this “cloud” era, incriminating or offending data can easily be transferred to different servers in different countries and the challenge for the prosecution is how to have access to these data, present them in a Philippine court and bring the criminals to justice. In the controversial and recently decided case involving the US government against Microsoft, Microsoft refused to honor and moved for the quashal of the search warrant issued by District Judge Francis of the Southern District Court of New York that would have given the US DOJ and FBI access to the electronically stored data of a person under investigation for drug charges. Microsoft’s refusal was based on the fact that the data which belonged to one of its customers is physically stored in a server located in Dublin, Northern Ireland. The case was elevated to the Chief Judge of the same District Court of New York who affirmed the findings of Judge Francis.
The District Court’s rulings were based on the appreciation of the nature of search warrants for cloud e-data. The court noted that it is a “hybrid order” that is “executed like a subpoena in that it is served on the ISP [Internet Service Provider] in possession of the information and does not involve government agents entering the premises of the ISP to search its servers and seize the email account in question.” The service of the warrant and the seizure of the e-data can be completed not from the physical location of the server but from any remote location by a certified Microsoft owned computer that has lawful access to, and control of the e-data. The relevant test is not one of location, but of control. In ruling like this, the District Court overturned the territorial principle in the application of search warrants outside of the U.S.
As expected, Microsoft appealed this decision to the U.S. Court of Appeals, and the Second Circuit of the Court of Appeals came out with a decision last July 14, 2016 reversing the District Court’s ruling, and vindicating the privacy rights of the subscribers of Microsoft’s cloud services. The Court of Appeals, through Judge Susan Carney, emphatically stated that the U.S. Stored Communications Act, under which the search warrant was issued, was intended by the U.S. Congress to apply only to information that is domestically stored in the U.S., and not to e-data that are physically located outside its boundaries. To decide in the manner of the District Judge would mean the abandonment of the time honoured territoriality principle which the Court of Appeals stated “(w)e are not at liberty to do so.” The Court of Appeals, among others, reversed the decision of the District Court and remanded the case back to it with instructions the quash the search warrant, insofar as it directs Microsoft to produce customer content outside of the U.S.
One comment that I have on this is that the US government pursued this process in order to evade the Data Privacy Law of Northern Ireland and bypass the Mutual Legal Assistance Treaty (MLAT) process it has with this country, as shortcuts. But it took them longer than they imagined. This case was brought to Judge Francis last 2013, and decided by the Court of Appeals in July 14, 2016. Had the U.S. Government gone through the MLAT process, it might have succeeded in getting the e-data it required in a shorter time, instead of having the lengthy litigation which proved futile for its cause, and the negative publication it received from the international diplomatic and business community.
Since R.A. 10175 expressly mentioned MLATs as a way of enforcing its provisions, it is my suggestion that this is a valuable tool in the arsenal of prosecutors, which they must master, in terms of going after criminals outside Philippine territory. Under the law (R.A. 10844) creating the Department of Communication Information Technology (DCIT), this agency was placed in charge of the Cybercrime Investigation and Coordination Center (CICC) which would be attached to it. The law specifically stated “(i) All powers and functions related to cybersecurity including, but not limited to the formulation of the National Cybersecurity Plan, establishment of the National Computer Emergency Response Team (CERT), and the facilitation of international cooperation on intelligence regarding cybersecurity matters are transferred to the Department”. Under this set-up, the DCIT will be engaged with the DOJ in terms of the international aspects of cybercrime. The DCIT must also be apprised with the MLATs, etc., so it can do its tasks well. The Philippines’ MLAT with the U.S. offers several measures that could effectively facilitate the production of evidence and even the forfeiture of the proceeds of the crimes committed against Philippine citizens by people or entities domiciled in the U.S. In fact, this could be used to go after the U.S. owners of the “wehaveyourdata.com” site which published the personal information of over 40 million registered Philippine voters in the massive breach of the Commission on Elections (COMELEC) e-database.
One of the reasons why I said this was an extra-special occasion for me is that I got to meet the former Vice President of the Philippines, who is a very distinguished lawyer himself, Atty. Jejomar C. Binay, and a host of several Ibanag lawyers who are brilliant in their own fields who attended my lecture. It was also on this event that Atty. Dan Adan, a multi-talented lawyer, presented me with his pencil sketch of my image while I was lecturing. That was truly a first!
Warmest gratitude to UP IAJ, Prof. Daway and all their truly supportive staff, and the splendid lawyers who gave me their undivided attention and genuine interest for the two hours that I spent with them! God Bless Us!