Some time last year, news broke out that U.S. telecommunications giant, AT&T, had suffered a major data breach resulting in unlawful third-party access to its customer records. Estimates put the number of people affected at over 280,000 in total. Sensitive personal information like social security numbers were among the primary targets, as they could then be subsequently used to request from the telco codes that unlock the phones of their respective owners.
According to reports, the breach actually occurred in three different jurisdictions outside of the States: Colombia, Mexico and the Philippines. The American company, it turns out, outsources its data processing chores to a number of off-shore companies (call centers). In the 3 countries cited, some employees were corruptible enough to have been convinced to sell customer records they could access for an undetermined amount of consideration.
The incident proved costly for AT&T. It was meted a hefty $25-million fine by the Federal Communications Commission (FCC) for failing to secure properly personal data under its care. While no news has surfaced about the company going after its BPO partners, the telco did decide to sever its ties with them in the wake of the controversy.
As for the fate of the call center employees who were mainly responsible for the unauthorized access and disclosure that made up the entire mess, there has been no word in that regard either. To be fair, the question offers no easy answers. The chances of successfully prosecuting data theft rely heavily on the legal system of the country (or in this case, countries) involved, especially their respective data protection laws (if any).
The Philippines, for instance, has the Data Privacy Act (DPA) as the primary legal reference that would determine the criminal liability of the erring BPO employees. And under its current language, the offenses in question would likely go unpunished.
Explaining why this is so is one mean feat. After all, the DPA is touted as the country’s response to the growing concern regarding the people’s right to informational privacy. More importantly, it was highlighted as the government’s sincere effort to comply with the European Union’s 1995 Data Protection Directive, which, among others, prohibits the outsourcing of data processing to non-EU countries, unless the latter afford the same level of protection maintained by EU member states. This is why one finds the DPA borrowing many of its provisions—sometimes word for word—from the EU Directive.
Notwithstanding its strong European flavor though, the DPA is not without its original (and additional) provisions; one of which now plays a key role in dealing with incidents like the AT&T controversy. The law, as presently written, provides that “personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines” is outside its scope. In other words, all local BPOs—and their employees, by extension—are essentially insulated from the application of the law whenever they are engaged in the processing of personal information lawfully collected from abroad, and which pertain to foreign nationals.
The rationale for the crafting of such language into the law is difficult to fathom, especially when one considers the very public pronouncements of its proponents regarding the urgency of putting such a policy in place. Its enactment, they said, is necessary if local BPOs want to keep doing business with the EU. It would provide ample data protection comparable to that mandated by the EU Directive.
The presence of the exception just cited, however, appears to deny the existence of any such protection. Only citizens and residents of the Philippines get to benefit from the security and protection required by the provisions of the DPA.
Whatever the underlying reason for such gaffe, the only parties that obviously benefit from its application are those engaged in violating people’s data privacy rights—and this is true for BPOs who either actively commit it, or end up allowing it by their negligence or poor security mechanisms.
If anything, this predicament highlights the need for Filipinos to take a closer look at their data privacy law. The EU Directive it is based on is itself undergoing review, and may be revised this year or next year at the latest. It should also call the attention of government, particularly the President, who continues to delay the implementation of the law by refraining from appointing (or refusing to?) a competent National Privacy Commission. Among the many responsibilities of the Commission is precisely to point out deficiencies in the country’s data protection regime, such as the one identified just now.
Government needs to stop paying lip service to the protection of privacy rights. Concrete and effective action is what’s needed. The people must also start taking their leaders to task in this respect.