The Philippines’ Cybercrime Prevention Act Of 2012

On September 12, 2012, the Philippines enacted a law specifically addressing cybercrime. The law, officially called the Cybercrime Prevention Act of 2012¹ (“Cybercrime Act”), was signed into law on September 12, 2012 (see WDPR, September 2012, page 19), and entered into effect on October 3, 2012.

The adoption of the Cybercrime Act is seen as a response to the difficulties faced in addressing crimes committed through the use of computer and information technology.

Definitions of Key Concepts

One of the law’s key contributions is in defining concepts which previously had loose legal meaning in Philippine law, such as cybersquatting and unauthorized real-time online data collection. In defining these offenses, the law seeks to “effectively prevent and combat such offenses by facilitating their detection, investigation, and prosecution at both the domestic and international levels”².

The adoption of laws in the Philippines dealing with crimes committed through the use of computers and information technology is motivated by the rapid increase of acts through the use of computers, including mobile devices, that will now be defined as “cybercrimes”. One of the most notable of these instances is the worldwide spread of the “ILOVEYOU” worm sometime in May 2000, which originated from the Philippines and was coded by a Filipino programmer. In the same year, a law called the Electronic Commerce Act³ was passed, which, among other provisions, officially criminalized hacking or cracking and piracy. The definition of “hacking” under the E-Commerce Act has now been repealed by the new Cybercrime Act, which more particularly deals with the component acts which comprise “hacking”, such as access, interception or interference of data.

Wide Range of Offenses

The new law also covers a wider range of offenses, covering topics on confidentiality, integrity and availability of computer data and systems, computer-related offenses and content-related offenses. The Convention on Cybercrime, which was held in Budapest in 2001, also lends similar provisions to the Cybercrime Act, although the Philippines has yet to sign the convention.

A critical feature of the new law is the definition of cybercrimes. The Cybercrime Act specifically lists 13 offenses, which include illegal access to a computer system, illegal interception of computer data, data and system interference, misuse of devices, cybersquatting, computer-related forgery, fraud and identity theft, cybersex, child pornography, unsolicited commercial communications and libel. Aiding, abetting or attempting to commit any of the listed cybercrime offenses is also criminalized.

Stiff Penalties Available

Penalties include imprisonment, the payment of fines, or both. Prison terms range from six years with the possibility of reaching up to 30 years, particularly for crimes committed “by, through and with the use of information and communications technologies”⁴. Notably, the law provides that imprisonment can be imposed on an officer of a corporation, depending on the degree of participation. Fines can reach up to around U.S.$23,000, depending largely on the offense committed and the damage caused. Harsher penalties are given for offenses committed against critical infrastructure (i.e., systems or networks vital to the country). The liability of corporations is also outlined under the law, and corporations are given harsher penalties.

New Powers for Law Enforcement

Another key feature of the Cybercrime Act is the grant of new powers to law enforcement authorities to aid their investigation and discovery of cybercrimes. Law enforcement authorities are now given authority to search, seize and examine computer data and to conduct real-time collection of traffic data in relation to cybercrime investigations. In relation to these powers, service providers are mandated to retain traffic data for six months, and content data may be required to be preserved for as much as one year from the date of the data transaction. In cases where “computer data is prima facie found to be in violation of the provisions” of the Cybercrime Act, the Department of Justice can “issue an order to restrict or block access to such computer data”.

Implementation Temporarily Suspended

The passage of the law was received with much controversy. Several petitions were filed with the Supreme Court of the Philippines questioning the validity of the law on various grounds. One of the most resounding objections was to the provision which increased the penalty for libel, which the law’s critics claim is a patent violation of free speech. News reports surrounding the passage of the new law suggest that some lawmakers involved in its passage are openly entertaining suggestions on how to amend it.

On October 9, 2012, the Supreme Court of the Philippines issued a temporary restraining order which suspended the implementation of the law for 120 days. During this time, the Supreme Court will be evaluating the law in response to the petitions questioning the law’s validity. In the meantime, a bill has already been filed in Congress to amend the Cybercrime Act.

Bienvenido Marquez III is a Partner and Anthony Chadd Concepcion is an Associate with Quisumbing Torres, Manila, a member firm of Baker & McKenzie International. They may be contacted at bienvenido.marquez@bakermckenzie.com and anthonychadd.concepcion@bakermckenzie.com.