NPC sees benefits from privacy-protected SIM-card registration (Statement of Privacy Commissioner Raymund E. Liboro)
The Philippines may harness the benefits of the proposed SIM-Card Registration Act by enabling SMEs engaged in e-commerce and engendering consumer trust in a fastgrowing identity-linked digital services society.
The recent approval of the bill in the House of Representatives came at a time of rapid digitalization during the pandemic that resulted in the Filipinos’ unprecedented participation in e-commerce, fintech, and mobile services using various digital platforms.
Under these circumstances the need to know-your-customer or know your caller becomes imperative not only to protect the public from ICT-enabled scams and frauds, but more importantly to build consumer and business confidence to engage productively in the digital economy.
The National Privacy Commission (NPC) maintains that mandatory SIM-card registration will succeed only under a framework of guaranteed privacy protection for mobile users. At present, we have that framework in place to protect citizens’ privacy and ensure that data privacy rights of mobile users are upheld and that is the Data Privacy Act (DPA) of 2012.
It must be noted that the approved bill came at a time when the country has put in place a foundational platform for identification which can strengthen trust in the registration of SIM cards. As a foundational platform, the PhilSys establishes a single source of truth for identification. Validating identities has always been a barrier in previous SIM-card registration proposals, but which the country can now hurdle with PhilSys, the government’s unified, centralized form of identification for Filipino citizens and resident aliens.
Voting 181-6-0 on December 6, the House approved on final reading House Bill 5793 or the proposed SIM-Card Registration Act. A similar measure has been filed in the Senate.
The bill includes a confidentiality clause that prohibits disclosing any information of a subscriber, unless upon subpoena or order from a court or written request from a law enforcement agency about an investigation that a particular number is used in the commission of a crime.
Under the bill, every public telecommunication entity (PTE) or direct seller shall require the end-user to present valid identification to register a SIM.
PTEs or telcos must provide the data protection citizens expect. They are required by the DPA to afford appropriate organizational, technical, and physical security measures to secure the personal data they will collect and prevent its unauthorized use and abuse.
Under the DPA, telcos are required, among other things, to conduct privacy impact assessments, enable their employees and supply chains on data security and privacy to prevent data breaches and ensure end-to-end protection of personal data.
The final version of the proposed law, after undergoing Senate procedures and bicameral committee consideration, where applicable, must clearly articulate the requirements for the implementation of data security measures by entities identified to handle SIM-card registration and that these entities be held accountable for any violation of data privacy rights under the DPA.
Furthermore, the final version should provide sufficient time for registration to prevent mobile users from being unjustly cut off from enjoying mobile services due to a limiting SIM-card registration period.
The NPC will continuously perform its regulatory function and assess the potential risks of the proposed law and provide practical recommendations to mitigate these risks so mobile users can be protected.