Privacy in limbo: the implications of the SIM Card Registration Act
The Senate and the House of Representatives recently ratified the disagreeing provisions of Senate Bill №2395 and House Bill №5793, or the proposed SIM Card Registration Act. Principally authored by Deputy Speaker Wes Gatchalian, the act intends to deter scams, crimes, and other malicious activities arising from different forms of electronic communications.
But several civil rights groups and privacy experts are now raising the alarm because of provisions that slipped in the legislative hearings. One of which is the use of real names in registering on social media–a system currently used in China and proposed in several other countries. The system would, later on, be repealed in other countries a few years after its implementation because of infectivity to curb criminality and concerns on people’s privacy.
The salient features of the Act include the need to register one’s information such as names, contact details, and other identifiers before a SIM Card sale will be made. Third-party resellers are also given responsibility in the act, as well as concerned agencies and public telecommunications entities or PTEs to ensure that the measures are observed. Third-party resellers also have to be verified and registered and will be held criminally liable if found to engage in the sale of fraudulently registered or stolen SIM Cards
As to confidentiality, any information obtained from the process of registration will be treated as confidential pursuant to the Data Privacy Act of 2012. However, when an order from a competent court is present, alongside a finding of probable cause that a mobile number was used to commit a crime or malicious, fraudulent, or unlawful acts, the PTEs are required to provide information regarding the subject mobile number; provided, there is written consent from the subscriber.
Furthermore, the application of the Act applies to both present and future SIM card users. Existing SIM card users must register within 180 days from the effectiveness of the proposed law. If this is not complied with, the PTEs will be authorized to deactivate the SIM card numbers. Fines and penalties will also be imposed on those who commit breaches concerning confidential information, non-compliance with registration matters, using fictitious activities to register SIM cards, and spoofing registered SIM cards.
During the bicameral committee session, it was also discussed that there will be a requirement to use real names and phone numbers upon creating social media networks. Interestingly, the provision was not included in the Senate and House versions of the proposed measures and was only included during the reconciliation process in the bicameral committee. No further clarifications nor explanations were given.
Can we handle this?
In a research paper written by GSMA, an industry organization that represents the various interests of mobile operators around the world, it was found that only 59% of countries that require the registration of SIM cards have sound data protection frameworks. In the absence of such, the information contained in the SIM cards could easily be accessed and shared with different databases and third parties.
The National Privacy Commission (NPC) has also released a similar statement, placing emphasis on the presence of the Data Privacy Act of 2012. They reiterated that the scheme for mandatory registration will only work if there is proper legislation in place.
While registering our SIM cards may seem like a mere obligation, the Act may actually affect the way our data is handled, as well as our security, when it comes to electronic communications and transactions. In a Senate public services committee hearing, NPC OIC Director IV Atty. Ivy Grace Villasotto argued that the SIM Card registration would result in a “massive collection” of personal data nationwide. Consequently, this may lead to privacy violations and concerns, and even the limitation of personal liberties.
The question begs, however, that notwithstanding existing legal frameworks, why is our privacy still at risk under the proposed measures?
The law has some ambiguities, experts say
Atty. Jamael Jacob, a lawyer specializing in Information and Communications Technology (ICT), argued that the law and its provisions are too vague since it does not provide for its scope and definitions. He further cited that social media registration is impossible unless social media platforms implement the same rule to all their users, but if this is done, it would be violative of other privacy laws worldwide. And because the proposed law does not make mention of any guidelines, it is likely that its implementation will be an exercise in futility.
An example of such ambiguity can be found on the Joint Explanation of the Bicameral Conference Committee on the Disagreeing Provisions of House Bill №5793 and Senate Bill №2395 where it states that the registration of SIM Cards and Social Media Accounts will be done to deter terrorism, text scams, unsolicited obscene messages, fraud, libel, and other similar acts. The problem, however, is that this list of acts may include trolling, hate speech, and anonymous online defamation, all of which have no specific definitions or grounds under the SIM Card Registration Act.
It has not been long since the Anti-Terrorism Act was questioned for its potential in suppressing freedom of expression and speech. In a decision, the Supreme Court struck down a portion of Sections 4 and 25 of the said Act for being violative of the freedom of expression and for being overbreadth– if these were not stricken down, its broad coverage might lead to military oppression, discriminatory treatment to individuals, and violation of the freedom to peacefully assemble and dissent.
Rey Valmores-Salinas, Bahaghari’s spokesperson, airs the sentiment about the SIM Card Registration Act being used hand-in-hand with the Anti-Terrorism Act. She reiterated that social media platforms carry with them the duty to fight the spread of fake news and to aid in the prevention of red-tagging and terror-tagging. The burden should not be shifted to the public.
A basic tenet of lawmaking is that mechanisms sought out for the protection of the citizenry should not be harmful nor prejudicial to legally conferred rights and guarantees. To counter disinformation and other related mischiefs, for example, the power to bring out truthful and unbiased information is necessary. But This cannot be done if there are gaps found in coverage, applicability, and limitations.
Doomed to repeat other countries’ mistakes
Mandating the registration of SIM cards and using real-name on social media is not a new practice. As a matter of fact, several countries such as South Korea and China have implemented the same, but in the course of their individual mandates, people have shown their defiance and disagreement with the mandatory registration.
When South Korea had a similar mandate, about 35 million social media users were affected when their information was breached.
In China, while it was said that the purpose of their real-name system was to protect sensitive information, it could enable the government to track and persecute users. Their proposed mechanisms, just like the SIM Card Registration Act, also had some overbroad provisions, which are akin to, if not actually, censorship.
In addition, research shows that real-name systems have caused digital or online anonymity to fade. Anonymity is important when it comes to free speech and expression as it also encourages discourse and engagement when it comes to questionable government policies and actions. It is not the enemy, as it may be a source of resolving issues and minimizing chilling effects.
As an alternative, Galla suggested that registration of SIM cards may still be conducted, so as long as it is voluntary. He mentioned that central African countries have undertaken a voluntary type of registration and has been beneficial especially with regard to the expansion of mobile banking and mobile governance.
What happens now
Since the SIM Card Registration Act has already been ratified, the approval or disapproval of President Rodrigo Duterte is the last step before this validly turns into law.
However, if he does not act upon it, it may lapse into law within a specific period. Ultimately, the qualms and precautions concerning this Act have been raised by several individuals and groups. Its purpose and mandates should not be taken lightly and should not leave us with more questions than answers.