Philippine E-Commerce and Cybercrime Acts PDF
Summary
This document provides an overview of two Philippine Acts: Republic Act 8792, the E-Commerce Act of 2000, and Republic Act 10175, the Cybercrime Prevention Act of 2012. It details the provisions and penalties outlined within these acts, focusing on important sections related to electronic transactions, documents, signatures, and hacking/piracy. The document also outlines the jurisdiction of these acts and defines various cybercrime offenses.
# Republic Act 8792: Philippine E-Commerce Act of 2000

- The full title of R.A. 8792 is: An Act Providing For The Recognition And Use Of Electronic Transactions And Documents, Penalties For Unlawful Use Thereof And Other Purposes.
- The act was passed in 2000 and defines certain activities concerning the use of various devices as illegal, in order to deter future actions similar to what Onel De Guzman did.

## Provisions of R.A. 8792

* **Chapter II of R.A. 8792 states the following provisions:**
    * **Section 6. Legal Recognition of Data Messages**:
        * Electronic data messages such as text messages, e-mails, or any other similar modes of communication done through electronic means (including unaltered screenshots) have the same legal validity as physical messages.
    * **Section 7. Legal Recognition of Electronic Documents**:
        * Electronic Documents shall have the same legal effect, validity, or enforceability as any other document or legal writing.
        * This provision gives soft copies of authentic documents the same legal validity as physical documents.
    * **Section 8. Legal Recognition of Electronic Signatures**:
        * An Electronic Signature on the electronic document shall be equivalent to the signature of a person on a written document.
* **Chapter III of R.A. 8792 states the following penalties for violations of this law:**
    * **Section 33. Penalties**: The following acts shall be penalized by fine and/or imprisonment:
        * **1. Hacking/Cracking**:
            * Unauthorized access into a computer system/server or information and communication system.
            * Any access with the intent to corrupt, alter, steal, or destroy using a computer or computer system without the knowledge and consent of the owner of the system.
        * **2. Piracy**:
            * Unauthorized copying, reproduction, storage, uploading, downloading, communication, or broadcasting of protected material [..] through the use of telecommunication networks, e.g. the Internet, in a manner that infringes intellectual property.
        * **3. Violations against R.A. 7394: The Consumer Act of the Philippines**:
            * R.A. 7394 was enacted primarily to protect consumers against hazards to health and safety, and against deceptive, unfair and unconscionable sales acts and practices.

# Republic Act 10175: Cybercrime Prevention Act of 2012

- R.A. 10175 is an act that adopts sufficient powers to effectively prevent and combat cybercrime offenses by facilitating their detection, investigation, and prosecution at both the domestic and international levels.
- R.A. 10175 defines Cybercrime as a crime committed with or through the use of information and communication technologies such as radio, television, cellular phone, computer and network, and other communication device or application.

## Jurisdiction of R.A. 10175

Who can be charged with violations of this law?

1. Any violation committed by a Filipino national regardless of the place of commission.
2. Any of the cybercrime elements were committed within the Philippines or committed with the use of any computer system wholly or partly situated in the country.
3. When by such commission, any damage is caused to a person who, at the time the offense was committed, was in the Philippines.

## Cybercrime Offenses

* **Section 4. Cybercrime Offenses**: The following acts constitute the offense of cybercrime punishable under this act.
    * **(a) Offenses against the Confidentiality, Integrity, and Availability (CIA) of Computer Data and Computer Systems:**
        * **1. Illegal Access**: The access to the whole or any part of a computer system without right.
        * **2. Illegal Interception**: The interception of computer data to, from, or within a computer system.
        * **3. Data Interference**: The intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document or electronic data message without right, including the introduction or transmission of viruses.
        * **4. System Interference**: The intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data or program, electronic document, or electronic data message, without right or authority, including the introduction or transmission of viruses.
        * **5. Misuse of Device**:
            * The unauthorized use, production, sale, procurement, distribution or otherwise making available of:
                * A device designed for committing any offenses under this Act
                * A computer password, access code, or similar data by which [...] a computer system is [...] accessed with the intent of committing any offenses under this act.
        * **6. Cyber-Squatting**: The acquisition of a domain name on the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same.
    * **(b) Computer-related Offenses:**
        * **1. Computer-related Forgery**: The input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, or the act of knowingly using computer data which is the product of computer-related forgery for the purpose of perpetuating a fraudulent or dishonest design.
        * **2. Computer-related Fraud**: The unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent.
        * **3. Computer-related Identity Theft**: The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another [person] without right.
    * **(c) Content-related Offenses:**
        * **1. Cybersex**: The willful engagement, maintenance, control or operation - directly or indirectly - of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or consideration.
        * **2. Child Pornography**: The unlawful or prohibited acts defined and punishable by R.A. 9775: The Anti-Child Pornography Act of 2009 committed through a computer system. This includes any representation - whether visual or audio - by electronic or any other means of a child engaged or involved in real or simulated explicit sexual activities.
        * **3. Online Libel**: Libel is the public and malicious imputation of a crime - real or imaginary - or any act, omission, condition, status or circumstance tending to cause the dishonor, discredit, or contempt of a [...] person, or to blacken the memory of the dead.

## Privacy Under the Civil Code

### The Right to Privacy

- This is the right of an individual "to be free from unwarranted publicity, or to live without unwarranted interference by the public in matters in which the public is not necessarily concerned."
- The State recognizes the right of the people to be secure in their houses; no one, not even the State, except "in case of overriding [...] and only under the stringent procedural safeguards," can disturb them in the privacy of their homes.

## Republic Act 386: Civil Code of the Philippines (1950)

### The Right to Privacy

- Every person shall respect the dignity, personality, privacy, and peace of mind of his neighbors and other persons.
- The following and other similar acts, though they may not constitute a criminal offense, shall produce cause of action for damages, prevention, and other relief:
    - Prying into the privacy of another's residence.
    - Meddling with or disturbing the private life or family relations of another.
    - Intriguing to cause another to be alienated from his friends.
    - Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition.

## Reasonable Expectation of Privacy

- Also known as the "right to be left alone", this refers to the right of a person to "expect privacy" in places and/or situations that the community generally accepts as "quite reasonable".
- For instance, there are certain situations in which a person assumes that there is a reasonable expectation of privacy, such that at that particular moment, nobody can see or hear him/her.

## Republic Act 9995: Anti-Photo and Video Voyeurism Act of 2009

- Included under the REASONABLE EXPECTATION OF PRIVACY is that any person believes that:
    * He/She could disrobe in privacy, without being concerned that an image or a private area of the person was being captured;
    * The private area of the person would not be visible to the public, regardless of whether that person is in a public or private place.

## Republic Act 10173: Data Privacy Act of 2012

- Protects the privacy of individuals while ensuring the free flow of information to promote innovation and growth.

## Purpose

1. **Protects the privacy of individuals** while ensuring free flow of information to promote innovation and growth.
2. **Regulates** the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of PERSONAL DATA.
3. **Ensures** that the Philippines complies with international standards set for data protection.

## Definitions of Terms

1. **Personal Information Controller (PIC)**: The individual, corporation, or body who decides what to do with data.
2. **Personal Information Processor (PIP)**: One who processes data for a PIC. The PIP does not process information for the PIP's own purpose.
3. **Consent of the Data Subject**: Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.

## Processing of Personal Information

- The processing of personal information shall be allowed if it adheres to all the following:
    * **1. Principles of Transparency**: The data subject must know:
        * what personal data will be collected.
        * how the personal data will be collected.
        * why personal data will be collected.
        * The data processing policies of the PIC must be known to the data subject.
        * The information to be provided to the data subject must be in clear and plain language.
    * **2. Legitimate Purpose Principle**: Data collected must always be collected only for the specific, explicit, and legitimate purposes of the PIC. Data that is not compatible with the purpose [of the data collection] shall not be processed.
    * **3. Principle of Proportionality**: The amount of data collected for processing should be adequate, relevant, and not excessive in proportion to the purpose of the data processing. Efforts should be made to limit the processed data to the minimum necessary.

## Processing of Sensitive Personal Information

- The processing of sensitive personal information shall be allowed if it adheres to one of the following:
    * **1.** The consent of the data subject has to be given.
    * **2.** The processing is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract.
    * **3.** The processing is necessary for compliance with a legal obligation to which the PIC is subject.
    * **4.** The processing is necessary to protect vitally important interests of the data subject, including life and health.
    * **5.** The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority [...]; or
    * **6.** The processing is necessary for the purposes of the legitimate interests pursued by the PIC [...], except where such interests are overridden by fundamental rights and freedoms of the data subject [...]

## Rights of the Data Subject

1. **Right to be Informed**: This is the right to be informed that your personal data shall be, are being, or have been processed. The disclosure must be made before the entry of the data into the processing system or at the next practical opportunity.
2. **Right to Object**: The right to refuse the processing of personal data.
3. **Right to Access**: The right to find out whether a PIC holds any personal data about you.
4. **Right to Rectification**: This involves the right to dispute the inaccuracy or error in the personal data and have the PIC correct it immediately. It also includes access to new and retracted information, and simultaneous receipt thereof. Recipients previously given erroneous data must be informed of inaccuracy and rectification upon reasonable request of the data subject.
5. **Right to Erasure or Blocking**: This is the right to suspend, withdraw, or order the blocking, removal, or destruction of his/her personal information from the PIC's filing system. The right to erase or block can be invoked in the following circumstances:
    * There are data which are incomplete, outdated, false, or unlawfully obtained.
    * The data was used for unauthorized purposes.
    * The data is no longer necessary for purposes of collection.
    * The processing of data was found to be unlawful.
    * The PIC or PIP violated the rights of the data subject.
6. **Right to Damages**: This is the right to receive compensation for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data. If there are circumstances where you discovered that your personal data was mishandled, you have the right to ask for compensation for the damage it has caused you.
7. **Right to Data Portability**: The right to obtain a copy of data undergoing processing in [a commonly used] electronic or structured format that allows for further use by the data subject. This takes into account the right to have control over personal data being processed based on consent, contract, for commercial purposes, or through automated means.
8. **Right to File a Complaint**: The right to file a complaint in circumstances wherein the PIC or the PIP has breached the privacy of the data subject.

## Unit 11: Security Controls

- Security controls are a set of procedures and technological measures that ensure the secure and efficient operation of information within an organization; they comprise both general and application controls for safeguarding information. These control activities are applied throughout an organization. The most important general controls are the measures that control access to computer systems and the information stored or transmitted over telecommunication networks. General controls include administrative measures that restrict employee access to only those processes directly relevant to their duties, thereby limiting the damage an employee can do.
- IT security is about protecting things that are of value to an organization. Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.
- There are two ways to classify controls in an organization: by type - physical, technical, or administrative - and by function - preventive, detective, and corrective.

## Prohibited Acts of R.A. 10173

1. Unauthorized processing of personal information and sensitive personal information: Processing (sensitive) personal information without the consent of the data subject or without being authorized under the Data Privacy Act or any other law.
2. Accessing personal information and sensitive personal information due to negligence: Providing access to (sensitive) personal information due to negligence or without being authorized under the Data Privacy Act or any existing law.
3. Improper disposal of (sensitive) personal information: Negligently disposing of, discarding or abandoning the (sensitive) personal information of an individual in an area accessible to the public, or placing the (sensitive) personal information of an individual in a container for trash collection.
4. Processing of personal information and sensitive personal information for unauthorized purposes: Processing personal information for purposes not authorized by the data subject or not otherwise authorized by the Data Privacy Act or under existing laws.
5. Unauthorized access or intentional breach: Knowingly and unlawfully violating data confidentiality and security data systems where personal and sensitive personal information is stored.
6. Malicious disclosure: Disclosing to a third party unwarranted or false information with malice or in bad faith relative to any (sensitive) personal information obtained by such PIC or PIP.