Module 3 - Unit 9: CYBER CRIME LAWS

REPUBLIC ACT 8792: PHILIPPINE E-COMMERCE ACT OF 2000

An act providing for …
[1] … the recognition and use of electronic commercial and non-commercial transactions and documents,
[2] … penalties for unlawful use [of electronic transactions and documents] and
[3] … for other purposes [of electronic transactions and documents].

PROVISIONS OF R.A. 8792

Section 6: LEGAL RECOGNITION OF DATA MESSAGES.
ELECTRONIC DATA MESSAGES such text messages, e-mails, or any other modes of electronic communication […] has the
same legal validity as physical messages

Section 7. LEGAL RECOGNITION OF ELECTRONIC DOCUMENTS.

ELECTRONIC DOCUMENTS shall have the legal effect, validity or enforceability as any other document or legal writing.

Section 8. LEGAL RECOGNITION OF ELECTRONIC SIGNATURES.

An ELECTRONIC SIGNATURE on the electronic document shall be equivalent to the signature of a person on a written
document

Section 33. PENALTIES.

The following acts shall be penalized by fine and/or imprisonment:
HACKING/CRACKING
• Unauthorized access into a computer system/server or information and communication system
• Or any access to corrupt, alter, steal, or destroy using a computer [or similar ICT device] without the knowledge
and consent of the owner of the [computer] system

PIRACY
• Unauthorized copying, reproduction, storage, uploading, downloading, communication, or broadcasting of
protected material [..] through the use of telecommunication networks, e.g. the Internet, in a manner that
infringes intellectual property.

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

R.A. 10175 is an act that adopts sufficient powers to effectively prevent and combat cybercrime offenses by
facilitating their detection, investigation, and prosecution at both the domestic and international levels […]

R.A. 10175 defines CYBERCRIME as a crime committed with or through the use of information and
communication technologies such as radio, television, cellular phone, computer and network, and other
communication device or application.

THREE TYPES OF CYBERCRIMES

1. OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of COMPUTER DATA AND
SYSTEMS such as:
a. Illegal Access.
The access to the whole or any part of a computer system without right.
b. Illegal Interception.
The interception […] of computer data to, from, or within a computer system.
 c. Data Interference.
The intentional or reckless alteration, damaging, deletion or deterioration of computer data.
d. System Interference.
The intentional alteration or reckless hindering or interference with the functioning of a computer or
computer network.
e. Misuse of Device.
The use or possession of any device, including a computer program, designed or adapted primarily for the
purpose of committing any of the offenses under this Act.
f. Cyber-Squatting.
The acquisition of a domain name on the internet in bad faith to profit, mislead, destroy reputation,
and deprive others from registering the same.
2. COMPUTER-RELATED OFFENSES such as
a. Computer FORGERY,
b. Computer FRAUD, and
c. Computer-related IDENTITY THEFT.
3. CONTENT-RELATED OFFENSES such as
a. Cybersex,
b. Child Pornography, and
c. Online Libel.

REPUBLIC ACT 386: CIVIL CODE OF THE PHILIPPINES (1950)

Article 26: Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and
other persons.

The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of
action for damages, prevention and other relief:
(1) Prying into the privacy of another's residence;
(2) Meddling with or disturbing the private life or family relations of another;
(3) Intriguing to cause another to be alienated from his friends;
(4) Vexing or humiliating another on account of his religious beliefs, lowly station in life, place of birth,
physical defect, or other personal condition.

REPUBLIC ACT 9995: ANTI-PHOTO AND VIDEO VOYEURISM ACT OF 2009

Under the REASONABLE EXPECTATION OF PRIVACY any person believes that:
• He/she could disrobe in privacy, without being concerned that an image or a private area of the person
was being captured;
• The private area of the person would not be visible to the public, regardless of whether that person is in
a public or private place.

Section 4: PROHIBITED ACTS.

It is hereby prohibited and declared unlawful for any person:
(a) To TAKE photo or video coverage of a person or group of persons performing sexual act or any
similar activity or to capture an image of the private area of a person/s […] without the consent of
the person/s involved and under circumstances in which the person/s has/have a reasonable
expectation of privacy;
 (b) To COPY or REPRODUCE […] such photo or video or recording of (a);
(c) To SELL or DISTRIBUTE […] such photo or video or recording of (a); or
(d) To PUBLISH or BROADCAST […] of (a) through VCD/DVD, Internet, cellular phones and other similar
means or device.

REPUBLIC ACT 10173: DATA PRIVACY ACT OF 2012

PURPOSE.
1. PROTECTS THE PRIVACY OF INDIVIDUALS while ensuring free flow of information to promote
innovation and growth.
2. REGULATES the collection, recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of PERSONAL DATA.
3. Ensures that the Philippines COMPLIES WITH INTERNATIONAL STANDARDS set for data protection.

DEFINITION OF TERMS.
1. PERSONAL INFORMATION CONTROLLER (PIC)
The individual, corporation, or body who decides what to do with data.
2. PERSONAL INFORMATION PROCESSOR (PIP)
One who processes data for a PIC. The PIP does not process information for the PIP’s own purpose.
3. CONSENT OF THE DATA SUBJECT
Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection
and processing of personal information about and/or relating to him or her.
The agreement must inform:
a. Purpose, nature, and extent of processing;
b. Period of consent/instruction;
c. Rights as a data subject.
4. BREACH
A security incident that:
a. Leads to unlawful or unauthorized processing of personal, sensitive, or privileged information;
b. Compromises the availability, integrity, or confidentiality of personal data.

PERSONAL INFORMATION vs SENSITIVE PERSONAL INFORMATION

PERSONAL INFORMATION SENSITIVE PERSONAL INFORMATION
Any personal information about a particular Any information or opinion about a particular
individual that can be used in identifying a individual that may be used to harm or
person. discriminate a person.
This includes, but not limited to: This includes, but not limited to:
• Name; • Race or ethnic origin;
• Address; • Political opinions;
• Age; • Religious affiliations;
• Phone number; • Criminal record;
• Date of birth; • Medical record;
• E-mail address. • Biometric information.
PROCESSING OF PERSONAL INFORMATION
The processing of personal information shall be allowed if it adheres to ALL the following:
1. PRINCIPLES OF TRANSPARENCY.
The data subject must know:
a. What personal data will be collected
b. How the personal data will be collected
c. Why personal data will be collected
The data processing policies of the PIC must be known to the data subject.
The information to be provided to the data subject must be in clear and plain language.

2. LEGITIMATE PURPOSE.
Data collected must be always be collected only for the specific, explicit, and legitimate purposes of the
PIC.
Data that is not compatible with the purpose [of the data collection] shall not be processed.

3. PROPORTIONALITY.
The amount of data collected for processing should be adequate, relevant, and not excessive in
proportion to the purpose of the data processing.
Efforts should be made to limit the processed data to the minimum necessary.

PROCESSING OF SENSITIVE PERSONAL INFORMATION

The processing of sensitive personal information shall be allowed if it adheres to ONE of the following:
1. The consent of data subject has to be given;
2. The processing is necessary and is related to the fulfillment of a contract with the data subject or in
order to take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a legal obligation to which the PIC is subject;
4. The processing is necessary to protect vitally important interests of the data subject, including life
and health;
5. The processing is necessary in order to respond to national emergency, to comply with the
requirements of public order and safety, or to fulfill functions of public authority […]; or
6. The processing is necessary for the purposes of the legitimate interests pursued by the PIC […], except
where such interests are overridden by fundamental rights and freedoms of the data subject […]

RIGHTS OF THE DATA SUBJECT

1. Right to be INFORMED.
This is the right to be informed that your personal data shall be, are being, or have been processed.
2. Right to OBJECT.
The right to refuse to the processing of personal data.
3. Right to ACCESS.
The right to find out whether a PIC holds any personal data about you.
4. Right to RECTIFICATION.
This involves the right to dispute the inaccuracy or error in the personal data and have the PIC correct it
immediately.
 5. Right to ERASURE OR BLOCKING.
This is the right to suspend, withdraw, or order the blocking, removal, or destruction of his/her personal
information from the PIC’s filing system
6. Right to DAMAGES.
This is the right to be receive compensation for any damages sustained due to inaccurate, incomplete, outdated,
false, unlawfully obtained, or unauthorized use of personal data.
7. Right to DATA PORTABILITY.
The right to obtain a copy of data undergoing processing in [a commonly used] electronic or structured format
that allows for further use by the data subject.
8. Right to FILE A COMPLAINT.
The right to file a complaint in circumstances wherein the PIC or the PIP has breached the privacy of the data
subject

PROHIBITED ACTS OF R.A. 10173

1. Unauthorized processing of personal information and sensitive personal information .
Process (sensitive) personal information without the consent of the data subject or without being authorized
under the Data Privacy Act or any other law.
2. Accessing personal information and sensitive personal information due to negligence.
Provided access to (sensitive) personal information due to negligence or was unauthorized under the Data
Privacy Act or any existing law.
3. Improper disposal of (sensitive) personal information.
Negligently dispose, discard or abandon the (sensitive) personal information of an individual in an area
accessible to the public or placed the (sensitive) personal information of an individual in a container for trash
collection.
4. Processing of personal information and sensitive personal information for unauthorized purposes.
Process personal information for purposes not authorized by the data subject or not otherwise authorized by the
Data Privacy Act or under existing laws.
5. Unauthorized access or intentional breach.
Knowingly and unlawfully violate data confidentiality and security data systems where personal and sensitive
personal information is stored.
6. Malicious disclosure.
Discloses to a third party unwarranted or false information with malice or in bad faith relative to any (sensitive)
personal information obtained by such PIC or PIP.