GIT Lecture 9 Cybercrime Laws in The Philippines

Cybercrime Laws
in the Philippines
Saint Louis University – SAMCIS - Computer Applications Department G.I.T. – Living in the IT Era
A brief retrospective view
How it all started
2
The ILOVEYOU worm
On the year 2000,

A Filipino named Onel De Guzman created a
worm that sent messages through email with
an attachment: “LOVE-LETTER-
FORYOU.txt.vbs”
▣ when opened, the file activates a code that sends
an instruction to forward the same email to all the
contacts of the user.
3
The ILOVEYOU worm
▣ The worm spread to e-mail accounts across the globe, affecting even the
accounts of U.S. Officials.
▣ This prompted the FBI to identify the source of the worm, which was then
traced back to the Philippines.
▣ It is believed that the estimated damages caused by the worm reached 10
billion USD.
4
Guide Questions
▣ Q 1.1: Upon the arrest of Onel De Guzman,

Were his actions illegal?
5
No
Onel De Guzman was caught but was released shortly afterwards
because there wasn’t any pre-existing laws in the country for which he
can be prosecuted.
6
Want big impact?
Use big image.
7
Beginnings of cybercrime in the philippines
▣ A serious threat was exposed due to Onel De Guzman’s actions.

▣ Prior to Onel De Guzman’s actions, there were no legal provision that
criminalizes cybercrimes in any way, providing a way for internet-users to be
exploited in a lot of different ways.
▣ Legislators scrammed to enact a law that would begin to cover this.
8
Philippine E-commerce Act of 2000
Republict Act 8792
9
▣ R.A. 8792 is an act providing for the recognition and use of electronic
commercial and non-commercial transactions and documents, penalties for
unlawful use thereof and for other purposes.
▣ In addition, R.A. 8792 was also used to define certain illegal activities
concerning the use of various devices in an effort to provide a legal
provision to deter future actions similar to what Onel De Guzman did.
10
Important provisions of R.A. 8792
▣ Ch. II. Sec 6. Legal Recognition of Data Messages.
□ Information shall not be denied legal effect, validity or enforceability

solely on the grounds that it is in the data message purporting to give
rise to such legal effect, or that it is merely referred to in that electronic
data message.
11
Important provisions of R.A. 8792
▣ Ch. II. Sec 6. Legal Recognition of Data Messages.
□ This provision gives text messages, e-mails, or any other similar modes
communication done through electronic means such as unaltered
screenshots, the same legal validity as physical messages.
12
▣ Ch. II. Sec 7. Legal Recognition of Electronic Documents.
□ Electronic documents shall have the legal effect, validity or

enforceability as any other document or legal writing.
□ For evidentiary purposes, an electronic document shall be the functional
equivalent of a written document under existing laws.
13
▣ Ch. II. Sec 7. Legal Recognition of Electronic Documents.
□ This provision gives softcopy of documents, the same legal validity as

physical documents.
□ These documents should be recognized for as long as their authenticity
is verified.
14
Prohibited acts: Hacking
▣ Hacking / Cracking
□ Unauthorized access into a computer system/server or information and
communication system;
□ Any access in order to corrupt, alter, steal, or destroy using a
computer, … , without the knowledge and consent of the owner [of
the computer system];
□ Introduction of computer viruses and the like, resulting in the
corruption, destruction, alteration, theft or loss of electronic data
messages or electronic document.
15
Prohibited acts: Hacking
▣ Hacking / Cracking
□ In order for anyone to be prosecuted for having performed these acts, it is

important to focus on the exact wording of the law, which requires
individual to:
access a computer or computer system, with the intention to corrupt,
alter, steal, or destroy.
□ It is important for these intentions to be present for someone to be
considered as “hacking” or “cracking”.
16
Prohibited acts: Piracy
▣ Piracy
□ Unauthorized copying, reproduction, storage, uploading, downloading,
communication, or broadcasting of protected material, … , through the
use of telecommunication networks, such as, but not limited to, the
internet, in a manner that infringes intellectual property rights.
17
▣ Penalties
□ Minimum fine of One Hundred Thousand Pesos (Php 100,000.00) and a

maximum commensurate to the damage incurred, and;
□ Mandatory imprisonment of 6 months to 3 years;
18
Guide Questions: R.A. 8792
▣ Does connecting to an open WiFi Network (WiFi with no

password), without the consent of the owner of the network,
constitute to a violation of RA 8792?
19
No!
By merely accessing it, there was no clear intent to
“corrupt, alter, steal, or destroy”.
At least according to RA 8792, this is not illegal.
20
“
More recently, the following law is the most
comprehensive cybercrime law enacted in the
Philippines.
To date, this is the cornerstone of cybercrime
protection for citizens in the Philippines.
21
Cybercrime Prevention Act of 2012
Republict Act 10175
22
▣ R.A. 10175 is an act that adopts sufficient powers to effectively

prevent and combat cybercrime offenses by facilitating their
detection, investigation, and prosecution at both the domestic and
international levels, and by providing arrangements for fast and
reliable international cooperation.
23
DEFINTION
▣ A cybercrime is a crime committed with or through the use of
information and communication technologies such as radio,
television, cellular phone, computer and network, and other
communication device or application.
24
Three Types of Cybercrimes
1. Offenses against the confidentiality, integrity and availability
(CIA) of computer data and systems;
2. Computer-related offenses;
3. Content-related offenses;
** There is a fourth offense, which refers to “offenses related to infringements of copyright and
related rights”. This, however, is not included in the RA 10175 because a separate law is currently in
that punishes such offenses.
25
Jurisdiction of RA 10175
Who can be charged with violations of this law?
1. Any violation committed by a Filipino national regardless of the place of
commission.
2. Any of the elements was committed within the Philippines or committed with the use
of any computer system wholly or partly situated in the country.
3. When by such commission any damage is caused to a natural or juridical person
who, at the time the offense was committed, was in the Philippines.
26
Explanation
1. Pag isang Pilipino ang nagkasala, kahit nasaan pa siyang lupalop ng mundo, ay
pwedeng kasuhan ng paglabag sa RA 10175.
2. Kung may kahit na anong parte ng krimen na nangyari sa Pilipinas, kasama na ang
paggamit ng kahit na anong computer sa Pilipinas para sa gawaing maaaring
maparusahan ng paglabas sa bata s na ito.
3. Kung ang biktima, sa panahon na nangyari ang isang krimen, ay nasa loob ng
Pilipinas, ang sinumang gumawa ng krimen ay maaari din maparusahan.
27
▣ Ch. II. Sec 4 (a). CIA of Computer Data and Systems
1. Illegal Access
□ The access to the whole or any part of a computer system without right.
▪ Without right means having no consent from the owner of the computer
system.
▪ Access is the instruction, communication with, storing / retrieving data
from, or [making] use of any resources of a computer system or
communication network.
28
▣ Does connecting to an open WiFi Network (WiFi with no

password) without the consent of the owner of the network
constitute to a violation of RA 10175?
29
YES!
Illegal access is to “make use of any resources” without right (consent).
Even if this is not punishable under RA 8792, it is under RA 10175.
30
2. Illegal Interception
□ The interception made by technical means without right of any non-
public transmission of computer data.
□ Interception is listening to, recording, monitoring or surveillance of
the content of communications, (…), through the use of electronic
eavesdropping or tapping devices, at the same time that the
communication is occurring.
31
32
▣ Example:
□ Have you experienced receiving coming from “bpionline.com.ph” with
a subject line of “Update your security details now”?
□ These e-mails ask the recipients to go to a site to login by placing their
credentials.
□ Unknown to many, the purpose of those websites is to intercept or to
just get your user credentials so they can access your real online banking
accounts.
33
3. Data Interference
□ The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document, or electronic data
message, without right, including the introduction or transmission of
viruses.
34
▣ Consider this situation:
□ You have a friend who will send a file to you through a flash drive.
□ Unknown to both of you, the flash drive has a virus in it.
□ After you copied the file you need from the flash drive of your friend,
you noticed that your files and folders suddenly disappeared and only a
shortcut icon appeared on your personal folder.
▣ Is your friend liable for any violation of RA 10175?
35
YES!
Data interference includes “the intentional or reckless alteration, damaging, deletion or deterioration
of computer data.” In the situation, even if you friend lent you his/her flash drive in good faith (has no
intentions to infect your computer with a virus), it is still considered as recklessness in his/her part and
it also caused an “alteration”, or “deletion”, or even “deterioration” of data.
36
4. System Interference
□ The intentional alteration or reckless hindering or interference with the
functioning of a computer or computer network by inputting,
transmitting, damaging, deleting, deteriorating, altering or
suppressing computer data or program, electronic document, or
electronic data message, without right or authority, including the
introduction or transmission of viruses
37
Explanation
▣ This is more or less an extension of the previous offense, whereby the
affected entity is not just data but the whole system.
▣ The previous situation can also apply here if, instead of just having the files
“damaged” or “altered”, the whole computer system went into error.
38
Example of Data / System Interference
▣ Cryptojacking or Cryptomining Malware
□ Refers to software programs and malware

components developed to take over a computer's resources and use them
for cryptocurrency mining without a user's explicit permission.
□ There are reports that malware are now embedded on certain websites to
run on a visitor's computer.
39
▣ When you download through torrent sites like “thepiratebay”, you basically
give them the authority to use your computer’s CPU (whether mobile or
desktop) to “mine” cryptocurrencies.
▣ This is one of the reasons why, in most cases, downloading a lot of files can
cause your computer to heat up. Your computer’s CPU is being used to
calculate and solve blocks of encrypted data to mine cryptocurrencies.
40
▣ Website defacing
41
5. Misuse of Devices
□ The use, production, sale, procurement, distribution, or otherwise making
available, without right, of a device or computer password designed
primarily for the purpose of committing any of the offenses under this
Act;
□ The possession of an item referred to above.
42
Example of Misuse of Devices
▣ Use of Skimming Devices / Keyloggers
43
Example of Misuse of Devices
Use of Skimming Devices
□ Ivaylo Sashov Galapov was a
Bulgarian man arrested in
Pampanga, when the security
guards of BPI Family Savings Bank
noticed him inserting ATM cards in
succession.
□ He was arrested for violation of
R.A. 8792 and R.A. 10175.
Credits: ABS-CBN News Website
44
6. Cyber-squatting
□ The acquisition of a domain name over the internet in bad faith to profit,
mislead, destroy reputation, and deprive others from registering the same, if
such a domain name is:
i. Similar, identical, to an existing trademark (…) at the time of the domain name
registration:
ii. Identical with the name of a person other than the registrant;
iii. Acquired without right or with intellectual property interests in it.
45
▣ MikeRoweSoft
□ In January 2004, Mike Rowe was a grade 12 student who operated a
profitable web design business as a part time job. He registered the
website with the domain name MikeRoweSoft.com.
□ Lawyers from Microsoft asked him to stop using the website. Mike Rowe
asked for $10,000 in return.
□ Microsoft said no and proceeded to filing a case against him.
46
▣ MikeRoweSoft
□ Perhaps due to the stress that the whole process would entail, not
withstanding the fact that this legal process would cost a lot of money,
Mike Rowe decided to give away the website.
□ News outlets reported that what he got in return was an XBOX console.
□ But after some research, the following reddit thread appears apparently
from Mike Rowe himself.
47
▣ I found this on reddit, Mike Row had this to say:
48
▣ Ch. II. Sec 4 (b). Computer-Related Offense
7. Computer-Related Forgery
□ The input, alteration, or deletion of any computer data without right resulting
in inauthentic data with the intent that it be considered or acted upon for legal
purposes as if it were authentic.
49
Example of Computer-Related Forgery
▣ Hacking into the iSLU portal to change your grade from 65 to 95.
□ This has no monetary value and is therefore considered as “forgery” and
not “fraud”.
50
8. Computer-Related Fraud
□ The unauthorized input, alteration, or deletion of computer data or program or
interference in the functioning of a computer system, causing damage thereby
with fraudulent intent.
51
Example of Computer-Related Fraud
The only difference between forgery and fraud, it is now considered fraud
instead of forgery if the damage incurred has “monetary value”.
Some examples include:
▣ Hacking into a bank’s database and changing your account balance
from “Php 500” to “Php 5,000”.
▣ Asking people to send you “prepaid load”, as they maliciously deceive
you from believing that they are your “relatives from abroad”.
52
9. Computer-Related Identity Theft

□ The intentional acquisition, use, misuse, transfer, possession, alteration or
deletion of identifying information belonging to another, whether natural or
juridical, without right.
53
Example of Computer-Related Identity Theft
▣ Fake profiles in Facebook, Instagram, and other websites.
□ There must be a use of “identifying information” which includes pictures of
another person and his/her other personal details but not someone’s NAME.
□ This is because it is completely possible for anyone to have the same name as
another person, as well as for fan pages bearing the name of another person.
□ If the intentions in the use of such profiles are for malicious purposes, such as
pretending to be the actual person even if not, is already a violation of this law .
54
▣ Ch. II. Sec 4 (c). Content-Related Offense
10. Cybersex
□ The willful engagement, maintenance, control, or operation, directly or
indirectly, of any lascivious exhibition of sexual organs or sexual activity,
with the aid of a computer system, for favor or consideration.
55
Guide Questions on RA 10175
▣ What if two individuals, who happen to be partners in life, gave

their consent to each other to record any sexual act they are
doing?
▣ Is this a case of cybersex?
56
NO!
Even if both partied consented, and even if these acts are publicly denounced, they do not constitute to
cybersex since the act is not done for “any favour or consideration”. For the purposes of this law, there
must be an element of “engagement in business” for the act to be considered as prohibited.
57
11. Child Pornography
□ The unlawful or prohibited acts defined and punishable by Republic Act
No. 9775 or the Anti-Child Pornography Act of 2009, committed through
a computer system.
□ Any representation, whether visual, audio thereof, by electronic, … , or
any other means, of a child engaged or involved in real or simulated
explicit sexual activities.
58
▣ Are “hentai” clips considered as a violation if this law?
59
NO!
UNLESS: the hentai clip itself contains a character which is explicitly identified as a minor. If so, the
said material is prohibited and the creator / distributor of the said material are liable for violations of
this law.
60
12. Online Libel
□ Libel is the public and malicious imputation of a crime, real or
imaginary, or any act, omission, condition, status, or circumstance
tending to cause the dishonor, discredit, or contempt of a natural or
juridical person, or to blacken the memory of one who is dead.
61
12. Online Libel
□ Elements of Libel:
1. Allegation of a discreditable act or condition
concerning another;
2. Publication of the charge;
3. Identity of the person defamed; and
4. Existence of malice.
62
▣ Consider the following post:
□ “Hoy Maria David! Ikaw malandi ka! Alam naman ng lahat
na kahit kanino pumapatol ka! Tuwing gabi nasa park ka,
kasama mo nanay mo! Magkano ba ang rate natin ngayon?
500 hundred, tatlong oras? Ha? Pokpok! Pokpok! Pokpok
kayo ng nanay mo!”
63
▣ Is the person who posted it liable for any crime?
64
YES!
The statements in the post contains: 1. An allegation against Maria David; 2. Publicized since it was
posted in a social media site; 3. The identity of Maria David was clear; 4. There was no doubt that the
intentions were to defame Maria David, including her mother.
All elements of libel are existent in this post.
65
▣ If you liked / reacted the said post, are you liable?
66
NO!
Liking or reacting may be a sign of approval to the said post, but no statement was mentioned in
anyway that makes any allegation towards Maria David. Hence, the first element of libel is not
present.
67
▣ If you shared the said post, are you liable?
68
NO!
The shared post might contain a message that is already established as libelous, BUT the statements
were not made by the person who shared it. Thus, the person who shared the same post cannot be held
liable.
69
▣ If you commented “OO NGA!”, are you liable?
70
NO!
Similar to liking or reacting, commenting “oo” is a sign of approval but is not a statement that
discredits or alleges Maria David. Thus, the person is not liable.
71
▣ If you commented “OO NGA! Pokpok talaga kayong mag-

ina!!” on the post, are you liable?
72
YES!
This statement is not merely an approval but also states an allegation towards Maria David herself.
Thus making the person liable for libel since the comment can be seen publicly as well.
73
The concept of PRIVACY
Privacy under the civil code
The Right to Privacy
▣ This is the right of an individual "to be free from
unwarranted publicity, or to live without unwarranted
interference by the public in matters in which the public
is not necessarily concerned.”
Guide Question
▣ Does the state (government) have the right to disturb

private individuals in their homes?
No!
The State recognizes the right of the people to be secure in their houses. No one, not even the State,
except "in case of overriding […] and only under the stringent procedural safeguards," can disturb
them in the privacy of their homes.
77
Privacy in the Civil Code
Art. 26. of the Civil Code of the Philippines:

▣ Every person shall respect the dignity, personality, privacy and peace
of mind of his neighbors and other
persons.
Prohibited Acts under the Civil Code
1. Prying into the privacy of another's residence;

2. Meddling with or disturbing the private life or family relations of
another;
3. Intriguing to cause another to be alienated from his friends;
4. Vexing or humiliating another on account of his religious beliefs,
lowly station in life, place of birth, physical defect, or other personal
condition.
Guide Question
(Hing vs Choachuy, 2013)
▣ May an individual install surveillance cameras on his own property facing the
property of another?
No!
A man’s house is his castle, where his right to privacy cannot be denied or even restricted
by others.
It includes any act of intrusion into, peeping or peering inquisitively into the
residence of another without the consent of the latter.
81
Privacy in the Civil Code
▣ On the installation of cameras:

▣ The installation of surveillance cameras, should not cover places where there
is reasonable expectation of privacy, unless the consent of the individual,
whose right to privacy would be affected, was obtained.
Guide Question
▣ Does an employee / student have a reasonable expectation

of privacy in the workplace / school?
Questions and Cases
According to a court decision, employees in workplace have

less or no expectation of privacy. Similarly, students have
less or no expectation of privacy within school grounds.
Example Case
▣ Case: (Zulueta vs C.A., 1996)

□ Cecilia is the wife of Alfredo, a doctor of medicine.
□ Cecilia entered the clinic of her husband and in the presence of witnesses,
forcibly opened the drawers and cabinet and took 157 documents
consisting of private correspondence between Dr. Martin and his
alleged paramours, greetings cards, cancelled checks, diaries, Dr.
Martin’s passport, and photographs.
□ The said items were used as evidence in legal separation case.
Guide Question
▣ Was the right to privacy of Dr. Alfredo Martin violated?
Yes!
In the decision of the court: “A person, by contracting marriage, does not shed his/her
integrity or his right to privacy as an individual and the constitutional protection is ever
available to him or to her.”
87
Example Case
With respect to the legal separation case, what was the decision of the
court?
▣ The documents and papers are inadmissible as evidence.
▣ The Court said: “the intimacies between husband and wife do not justify any
one of them in breaking the drawers and cabinets of the other and in
ransacking them for any telltale evidence of marital infidelity.”
Reasonable Expectation of Privacy
When does a person have a reasonable expectation of privacy?
1. When the person believes that one could undress in privacy without being
concerned that an image of him or her is being taken;
2. When a reasonable person would believe that one’s private area would not be
visible regardless of whether the person is in a public or private place.
Guide Question
Does a person have a reasonable expectation of privacy inside

a fitting room while, say, trying out a set of clothes?
Yes!
A person would normally expect to change his or her clothes without worrying about
anyone who could see him / her.
In addition, a fitting room is properly secluded to ensure that no one else can see what a
person inside is doing. Thus, a person has a reasonable expectation of privacy inside a
fitting room
91
Photo and Video Voyeurism Act of
2009
Republic Act 9995
Punishable Acts: R.A. 9995
1. The unconsented taking of a photo or video of a person or group of persons

engaged in a sexual act or any similar activity, or capturing an image of the
private area of a person, under circumstances in which the said person has a
reasonable expectation of privacy;
2. The copying or reproduction of such photo or

video recording of the sexual act;
Punishable Acts
3. The selling or distribution of such photo or video recording;
4. The publication or broadcasting, whether in print or broadcast media, or the

showing of such sexual act or any similar activity through VCD/DVD, the
internet, cellular phones, and other similar means or devices without the written
consent of the persons featured.
Guide Questions
The phrase “private area of a person” appears on the first punishable act under R.A.
9995.
What does the “private area of a person” include?
Guide Questions
The “private area of a person” includes naked or

undergarment-clad genitals, pubic area, buttocks, or the female
breast.
Guide Question
Will one be liable for the non-commercial (simply sharing

without asking for money) copying or reproduction of said
photo or video?
Yes!
The mere copying or reproduction of said material will make one liable under the law
regardless of the reason or whether one profits or not from such act. In fact, the mere
showing of the material on one’s cellphone would violate the law.
98
Guide Questions
If the persons in the photo knew and consented to the video

recording or taking of the photo; can anyone reproduce,
distribute, or broadcast it?
No!
The person merely consented to the taking of the photo or the video recording and did not
give written consent for its reproduction, distribution, and broadcasting.
100
Penalty
The penalty for the commission of any of the said prohibited acts would
incur a penalty of:
3 years to 7 years imprisonment AND a fine of

Php 100,000.00 to Php 500,000.00
Data Privacy Act
Republic Act 10173
Data Privacy Act of 2012
1. Protects the privacy of individuals while ensuring free flow of information

to promote innovation and growth.
2. Regulates the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of personal data.
3. Ensures that the Philippines complies with
international standards set for data protection.
Important Definitions
1. Personal Information Controller

▣ The individual, corporation, or body who decides what to do with data.
2. Personal Information Processor
▣ One who processes data for a Personal Information Controller. The PIP
does not process information for the PIP’s own purpose.
Important Definitions
3. Consent
▣ Where the data subject agrees to the collection and processing of his
personal data. The agreement must inform:
□ purpose, nature, and extent of processing;
□ period of consent/instruction;
□ rights as a data subject
Definitions
4. Breach
▣ A security incident that:
□ Leads to unlawful or unauthorized processing of personal,
sensitive, or privileged information;
□ Compromises the availability, integrity, or confidentiality of
personal data.
What is Personal Information?
Personal Information Sensitive Personal Information
▣ Refers to any information or opinion about ▣ This is a type of personal information that
a particular individual that can be used in may be used to harm or discriminate other
identifying a person. This includes: people when mishandled. This include:
□ name □ race or ethnic origin;
□ address □ political opinions
□ phone number □ religious affiliations;
□ date of birth □ criminal record;
□ E-mail address □ biometric information.
Processing Personal Information
▣ The processing of personal information shall be allowed

and shall adhere to the following:
□ Principles of transparency;
□ Legitimate purpose; and
□ Proportionality
PRINCIPLE OF TRANSPARENCY
▣ The data subject must know:
□ The kind of personal data collected
□ How the personal data will be collected
□ Why personal data will be collected
▣ The data processing policies of the PIC must be known to
the data subject.
▣ The information to be provided to the data subject must be
in clear and plain language.
Legitimate Purpose Principle
▣ Data collected must be always be collected only for the specific, explicit, and
legitimate purposes of the PIC.
▣ Data that is not compatible with the purpose for which the data was collected
shall not be processed.
PRINCIPLE OF PROPORTIONALITY
▣ The processing of personal data should be limited to such processing as is

adequate, relevant, and not excessive in relation to the purpose of the data
processing.
▣ Efforts should be made to limit the processed data to the minimum necessary.
PROCESSING SENSITIVE PERSONAL INFO.
1. The data subject has given his or her consent;
2. The processing of personal information is necessary and
is related to the fulfillment of a contract with the data subject or in order to
take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a
legal obligation to which the personal information
controller is subject;
PROCESSING SENSITIVE PERSONAL INFO.
4. The processing is necessary to protect vitally important interests of the data
subject, including life and health;
5. The processing is necessary in order to respond to national emergency, to
comply with the requirements of public order and safety, or to fulfill functions
of public authority (…); or
6. The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller (…), except where such
interests are overridden by fundamental rights and freedoms of the data
subject (…).
Rights of the Data Subject
1. Right to be informed.
2. Right to object.
3. Right to access.
4. Right to rectification.
5. Right to erasure or blocking.
6. Right to damages.
7. Right to data portability.
8. Right to file a complaint.
1. Right to be Informed
▣ This is the right to be informed that your personal data shall be, are being, or
have been processed, including the existence of automated decision-making
and profiling
▣ The disclosure must be made before the entry of the data into the processing
system or at the next practical opportunity
2. Right to Object
▣ The right to object to the processing of personal data, including processing for
direct marketing, automated processing, or profiling.
□ If you do not want to share any information, or you do not want any other person to
collect information from you, then you have the right to say NO.
▣ This includes the right to be given an opportunity to withhold consent to the
processing in case of any changes or any amendment to the information
supplied or declared.
2. Right to Object
There are several exceptions where you cannot invoke your right to
object:
□ Personal data is needed pursuant to a subpoena issued by a court.

□ Processing is necessary for or related to a contract or service to which the data
subject is a party;
□ Information is being processed as a result of a legal obligation.
3. Right to Access
▣ The right to find out whether a PIC holds any personal
data about you.
▣ The right to reasonable access to personal data that were
processed, sources of personal data, names and addresses of recipients,
manner/method of processing, information on automated process, date when
personal data was last accessed and modified, designation, name or identity,
and address of the PIC
4. RIGHT TO RECTIFICATION
▣ This involves the right to dispute the inaccuracy or error in the personal
data and have the PIC correct it immediately.
▣ It also includes access to new and retracted information, and
simultaneous receipt thereof.
▣ Recipients previously given erroneous data must be
informed of inaccuracy and rectification upon reasonable
request of the data subject.
5. RIGHT TO ERASURE OR BLOCKING
▣ This is the right to suspend, withdraw, or order the

blocking, removal, or destruction of his or her personal
information from the personal information controller’s
filing system
5. RIGHT TO ERASURE OR BLOCKING
The right to erase or block can be invoked in the following

circumstances:
□ There are data which are incomplete, outdated, false, or unlawfully
obtained.
□ The data was used for unauthorized purposes.
□ The data is no longer necessary for purposes of collection.
□ The processing of data was found to be unlawful.
□ The PIC or PIP violated the rights of the data subject.
6. RIGHT TO DAMAGES
▣ This is the right to be indemnified (receive compensation) for
any damages sustained due to inaccurate, incomplete, outdated,
false, unlawfully obtained, or unauthorized use of personal data.
□ If there are circumstances where you discovered that your

personal data was mishandled, you have the right to ask for
compensation for the damage it has caused you.
7. RIGHT TO DATA PORTABILITY
▣ The right to obtain a copy of data undergoing processing in an electronic or

structured format, commonly used, and allows for further use by the data
subject.
▣ Takes into account the right to have control over personal data being
processed based on consent, contract, for commercial purposes, or through
automated means.
8. RIGHT TO FILE A COMPLAINT
▣ In circumstances wherein the PIC or the PIP has breached the privacy of the
data subject, a complaint may be filed through complaints@privacy.gov.ph
▣ National Privacy Commission – Government agency responsible for

implementing R.A. 10173.
Questions and Cases
May a teacher/professor search the contents of a

student’s cellular phone?
No!
Any search through a student’s cellular phone without justification under a law or
regulation is UNLAWFUL, and may be considered as unauthorized processing of data.
126
Questions and Cases
However, there are exceptions:
▣ If it was done with student’s consent ( except if the student is a minor.)

▣ If it is required by the student’s life and health, or by national
emergency.
Questions and Cases
Is an implied (indirect) form of consent

valid?
An example of this is the following paragraph that appears in several websites:
▣ “By continuing to avail of xxx products and services:, you explicitly authorize xxx, its
employees, duly authorized representatives, related companies and third-party service
providers, to use, process and share personal data needed in the administration of your
xxx”
No!
Consent under the Data Privacy Act has three requirements, none of which are seen in an implied
consent:
Consent must be freely given;
Details about what consent is being asked must be specific.
And there must be an informed indication of will.
129
Guide Questions
Are handwritten signatures considered

sensitive personal information?
No!
It is possible that one may share a similar signature as another person. Moreover, some
signatures do not, in any way, show signs of identity of a person. Nonetheless, these may
be considered personal information when used to identify an individual such as a
signature affixed on the name of a person.
131
Guide Questions
Are usernames, password, IP and MAC address, location

cookies and birthday (month and day only) are considered
personal information?
Yes*!
*Only when they are combined with other pieces of information that may allow an
individual to be distinguished from others.
Remember that a username, say “iloveyou3000”, does not identify any particular person
unless it is combined with other information.
133
Guide Questions
In addition:
▣ There are a lot of people who share the same birthday as others. This makes it
impossible to use birthdays to identify any person.
▣ IP addresses alone cannot identify who a person is because it is possible that
two or more people make use of a single computer / server.
Prohibited Acts: R.A. 10173
1. Unauthorized processing of personal information and sensitive

personal information.
▣ Process (sensitive) personal information without the consent of the data subject
or without being authorized under the
Data Privacy Act or any other law.
2. Accessing personal information and sensitive personal
information due to negligence.
▣ Provided access to (sensitive) personal information due to negligence or was
unauthorized under the Data Privacy Act or any existing law.
3. Improper disposal of (sensitive) personal information.

▣ Negligently dispose, discard or abandon the (sensitive) personal information of
an individual in an area accessible to the public or placed the (sensitive) personal
information of an individual in a container for trash collection.
4. Processing of personal information and sensitive personal
information for unauthorized purposes.
▣ Process personal information for purposes not authorized by the data
subject or not otherwise authorized by the Data Privacy Act or under
existing laws.
5. Unauthorized access or intentional breach.

▣ Knowingly and unlawfully violate data confidentiality and security data
systems where personal and sensitive personal information is stored.
6. Malicious disclosure.
▣ Discloses to a third party unwarranted or false
information with malice or in bad faith relative to any (sensitive) personal
information obtained by such PIC or PIP.

GIT Lecture 9 Cybercrime Laws in The Philippines

Uploaded by

Copyright:

Available Formats

GIT Lecture 9 Cybercrime Laws in The Philippines

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GIT Lecture 9 Cybercrime Laws in The Philippines

Uploaded by

Copyright:

Available Formats

Cybercrime Laws

On the year 2000,

▣ Q 1.1: Upon the arrest of Onel De Guzman,

▣ A serious threat was exposed due to Onel De Guzman’s actions.

□ Information shall not be denied legal effect, validity or enforceability

□ Electronic documents shall have the legal effect, validity or

□ This provision gives softcopy of documents, the same legal validity as

□ In order for anyone to be prosecuted for having performed these acts, it is

□ Minimum fine of One Hundred Thousand Pesos (Php 100,000.00) and a

▣ Does connecting to an open WiFi Network (WiFi with no

▣ R.A. 10175 is an act that adopts sufficient powers to effectively

▣ Does connecting to an open WiFi Network (WiFi with no

□ Refers to software programs and malware

9. Computer-Related Identity Theft

▣ What if two individuals, who happen to be partners in life, gave

▣ Are “hentai” clips considered as a violation if this law?

▣ Is the person who posted it liable for any crime?

▣ If you liked / reacted the said post, are you liable?

▣ If you shared the said post, are you liable?

▣ If you commented “OO NGA!”, are you liable?

▣ If you commented “OO NGA! Pokpok talaga kayong mag-

▣ Does the state (government) have the right to disturb

Art. 26. of the Civil Code of the Philippines:

1. Prying into the privacy of another's residence;

(Hing vs Choachuy, 2013)

▣ On the installation of cameras:

▣ Does an employee / student have a reasonable expectation

According to a court decision, employees in workplace have

▣ Case: (Zulueta vs C.A., 1996)

▣ Was the right to privacy of Dr. Alfredo Martin violated?

When does a person have a reasonable expectation of privacy?

Does a person have a reasonable expectation of privacy inside

1. The unconsented taking of a photo or video of a person or group of persons

2. The copying or reproduction of such photo or

3. The selling or distribution of such photo or video recording;

4. The publication or broadcasting, whether in print or broadcast media, or the

What does the “private area of a person” include?

The “private area of a person” includes naked or

Will one be liable for the non-commercial (simply sharing

If the persons in the photo knew and consented to the video

3 years to 7 years imprisonment AND a fine of

1. Protects the privacy of individuals while ensuring free flow of information

1. Personal Information Controller

▣ The processing of personal information shall be allowed

▣ The processing of personal data should be limited to such processing as is

□ Personal data is needed pursuant to a subpoena issued by a court.

▣ This is the right to suspend, withdraw, or order the

The right to erase or block can be invoked in the following

□ If there are circumstances where you discovered that your

▣ The right to obtain a copy of data undergoing processing in an electronic or

▣ National Privacy Commission – Government agency responsible for

May a teacher/professor search the contents of a

However, there are exceptions:

▣ If it was done with student’s consent ( except if the student is a minor.)

Is an implied (indirect) form of consent

Are handwritten signatures considered

Are usernames, password, IP and MAC address, location

1. Unauthorized processing of personal information and sensitive

3. Improper disposal of (sensitive) personal information.