The Philippine Cybercrime Prevention Act of 2012 Takes Effect, Minus Provisions Deemed Unconstitutional

In September 2012, the Philippines passed the Cybercrime Prevention Act of 2012, which specifically lists 13 “cybercrimes”, including illegal access to a computer system, illegal interception of computer data, data and system interference, misuse of devices, cyber squatting, computer-related forgery, fraud and identity theft, cyber sex, child pornography, unsolicited commercial communications and libel. However, only days after its passage, the Supreme Court of the Philippines issued a 120-day temporary restraining order (TRO) against the application of the law see analysis by the authors at WDPR, October 2012, page 17. In February 2013 the TRO was extended indefinitely.

The restraining order was issued in relation to 15 petitions filed with the Philippine Supreme Court questioning the constitutionality of the law on various points. One of the most heavily criticized items was the provision including “online libel” as a cybercrime, which critics believe to be contrary to free speech. Other provisions which were questioned by the petitions were the increase in penalty for all crimes punished by the Revised Penal Code of the Philippines when committed through the “use of information and communications technologies”, the requirement for service providers to retain traffic and content data, the prohibition of unsolicited commercial communications, and the granting of authority to the Philippine Department of Justice to take down websites without a trial.

On Feb. 18, 2014, the Supreme Court issued its ruling addressing all the petitions, and declared select portions of the Cybercrime Prevention Act of 2012 to be unconstitutional.

The Supreme Court’s Decision

In the case of Disini, Jr. et al. vs. The Secretary of Justice, et al. (G.R. No. 203335, Feb. 18, 2014), the court held the following provisions of the Cybercrime Prevention Act of 2012 to be unconstitutional, and therefore without force and effect:

• the “real-time” collection and recording of traffic data (Sec. 12);

• the authority of the Department of Justice to restrict or block access to a computer system on the basis of prima facie findings and without a court-issued warrant (Sec. 19); and

• the prohibition against unsolicited commercial communications (Sec. 4[c][3]).

The court then affirmed the validity of the provisions of the Cybercrime Prevention Act of 2012 which:

• provide criminal penalties for accessing a computer system without right, data interference, including the transmission of viruses, cyber squatting, identity theft, cyber sex or the lascivious exhibition of sexual organs or sexual activity for favor or consideration and the production of child pornography;

• classify “online libel” as a cybercrime (but only for the original author of the statement and not for “reactors” thereto);

• provide for a one-degree increase in penalty for crimes committed with the use of information and communications technologies;

• grant authority to law enforcers to require service providers to preserve traffic data and subscriber information as well as specified content data for six months;

• allow the search, seizure, examination and disclosure of computer data when conducted under a valid warrant;

• authorize the destruction of previously preserved computer data after the expiration of the prescribed holding periods;

• penalize obstruction of justice in relation to cybercrime investigations; and

• establish a Cybercrime Investigation and Coordinating Center and define its functions.

With regard to online libel, the court specifically clarified that only the author of the libelous expression will be criminally liable under the law, while those who subsequently “receive the post and react to it” are not liable. The court further explained that if, in reaction to an originally libelous expression, a user also issued a libelous expression, then such “reactor” will also be held liable.

Recommended Actions for Individuals and Businesses

The decision of the Supreme Court effectively lifts the restraining order against the Cybercrime Prevention Act of 2012 and, thus, the said law is now in full force and effect, except for those provisions it found to be unconstitutional, even though some of the petitioners formally moved for the Supreme Court to reconsider its decision.

In view of the ruling, individuals and businesses are reminded that:

• The real-time collection of traffic data and content data by any law enforcement authority, without a valid warrant, has been declared unconstitutional by the Supreme Court. Thus, if any law enforcement agency requests your or your company’s cooperation for the warrantless real-time collection of data, such request may validly be resisted.

• Businesses which maintain local offices in the Philippines are advised that they may be classified as “service providers” under the act, and may be subject to certain requirements under the law. (Under the Cybercrime Prevention Act of 2012, service providers are defined as “any public or private entity that provides to users of its service the ability to communicate by means of a computer system”.) This may include the mandatory retention of traffic data for six months, and the mandatory destruction of retained data after the allowable retention period. Failure to comply with these requirements may subject responsible individuals to criminal prosecution for “obstruction of justice”.

• Despite the ruling which invalidates the prohibition of unsolicited commercial communications, the sending of unsolicited commercial communications is not legal in all circumstances. Several other rules cover the regulation of unsolicited commercial communications, and must be complied with. The National Telecommunications Commission, for example, has regulations in place for the sending of unsolicited text messages or multi-media messages. To ensure compliance, we recommend conducting the necessary legal due diligence before sending out unsolicited commercial communications.

• In connection with the court’s confirmation that online libel, as well as the aiding or abetting thereof, is punishable, communications or media officers of companies must continue to be vigilant in handling the company’s social media presence. Guidelines must be in place to regulate those responsible for the social media presence of a company to minimize exposure to the risk of liability under this prohibition. Common sense is no longer an acceptable social media policy.

• The Cybercrime Prevention Act of 2012 does not cover all the crimes that may be committed through or with the use of computers or the Internet. Other activities, though not covered by the Cybercrime Prevention Act of 2012, may nevertheless be prohibited under other laws. The recording of telephone conversations without the consent of the participants to the call, for example, is prohibited under the Anti-Wiretapping Act. Online piracy, which is not prohibited by the Cybercrime Prevention Act of 2012, is illegal under the Intellectual Property Code of the Philippines and the Electronic Commerce Act. Further, the processing of personal information must comply with the Data Privacy Act of 2012 see analysis by Laxmi Rosell and Sheilah Marie Tomarong-Cañabano, of Quisumbing Torres, Manila, at WDPR, September 2012, page 4.

The Philippine Department of Justice issued a “Primer on Cybercrime” in November 2012 which reported that “87% of Filipino Internet users were identified as victims of crimes and malicious activities committed online”. With this steep increase in cybercrime occurrences in the country, individual users and companies are encouraged to safeguard their data assets.

Alongside disaster recovery preparedness, it may also benefit companies to have a clearly defined enforcement plan to pursue perpetrators in the event of a cyber attack or compromise, which act or acts may qualify as a cybercrime under Philippine laws.

Even though some of the petitioners against the law filed their respective Motions for Reconsideration of the Supreme Court’s decision, the public is well-advised to follow the provisions of the law to the letter, until any contrary ruling is issued by the Philippine Supreme Court.

Bienvenido Marquez III is a Partner and Anthony Chadd Concepcion is an Associate in the Intellectual Property and Information Technology practice group of Quisumbing Torres, Manila, a member firm of Baker & McKenzie International. The authors may be contacted at bienvenido.marquez@quisumbingtorres.com and anthonychadd.concepcion@quisumbingtorres.com.