The
Cybercrime Prevention Act of 2012 (Republic Act No. 10175) has caught the attention of lawyers and netizens alike for its alleged
over-reaching provisions. Because
petitions challenging the constitutionality of certain provisions of the law
were filed with the SC, we shall deal not with the Act but with the SC ruling on the Act which was laid down in February 2014.
To
enumerate, the assailed provisions of the Act are:
- Section 4(a)(1) on Illegal Access;
- Section 4(a)(3) on Data Interference;
- Section 4(a)(6) on Cyber-squatting;
- Section 4(b)(3) on Identity Theft;
- Section 4(c)(1) on Cybersex;
- Section 4(c)(2) on Child Pornography;
- Section 4(c)(3) on Unsolicited Commercial Communications;
- Section 4(c)(4) on Libel;
- Section 5 on Aiding or Abetting and Attempt in the Commission of Cybercrimes;
- Section 6 on the Penalty of One Degree Higher;
- Section 7 on the Prosecution under both the Revised Penal Code (RPC) and R.A. 10175;
- Section 8 on Penalties;
- Section 12 on Real-Time Collection of Traffic Data;
- Section 13 on Preservation of Computer Data;
- Section 14 on Disclosure of Computer Data;
- Section 15 on Search, Seizure and Examination of Computer Data;
- Section 17 on Destruction of Computer Data;
- Section 19 on Restricting or Blocking Access to Computer Data;
- Section 20 on Obstruction of Justice;
- Section 24 on Cybercrime Investigation and Coordinating Center (CICC); and
- Section 26(a) on CICC’s Powers and Functions.
Because they were connected
with some petitioners’ issues with the Cybercrime Prevention Act in relation to
libel, Articles 353, 354, 361, and 362 of the Revised Penal Code (on libel)
were also assailed.
Of the 21 challenged
provisions, the SC struck down 3 for being unconstitutional while the other 18
provisions were declared valid and constitutional. 2 provisions, however, were partially struck
down and partially upheld:
1.
Section
4(c)(4) that penalizes online libel as VALID and CONSTITUTIONAL with respect to
the original author of the post; but VOID and UNCONSTITUTIONAL with respect to
others who simply receive the post and react to it; and
2.
Section 5 that
penalizes aiding or abetting and attempt in the commission of cybercrimes as
VALID and CONSTITUTIONAL only in relation to Section 4(a)(1) on Illegal Access,
Section 4(a)(2) on Illegal Interception, Section 4(a)(3) on Data Interference,
Section 4(a)(4) on System Interference, Section 4(a)(5) on Misuse of Devices,
Section 4(a)(6) on Cyber-squatting, Section 4(b)(1) on Computer-related
Forgery, Section 4(b)(2) on Computer-related Fraud, Section 4(b)(3) on
Computer-related Identity Theft, and Section 4(c)(1) on Cybersex; but VOID and UNCONSTITUTIONAL
with respect to Sections 4(c)(2) on Child Pornography, 4(c)(3) on Unsolicited
Commercial Communications, and 4(c)(4) on online Libel.
For their guidance,
Information and communications technology (ICT) users are encouraged to read the
law and the SC decision. Warning: the
decision is 50 pages long and in single space.
Ponente
Justice Abad tackled each assailed provision one by one. And so shall we.
On Illegal Access
“SEC. 4. Cybercrime Offenses. — The
following acts constitute the offense of cybercrime punishable under this Act:
(a)
Offenses against
the confidentiality, integrity and availability of computer data and systems:
(1)
Illegal
Access. – The access to the whole or any part of a computer system without
right.”
The SC ruled this
provision is constitutional. The petitioners
claimed that the provision “fails to meet the strict scrutiny standard required
of laws that interfere with the fundamental rights of the people”. In upholding the provision, the SC ruled that
“no fundamental freedom, like speech, is involved in punishing what is essentially
a condemnable act – accessing the computer system of another without right.”
On Data Interference
SEC. 4. Cybercrime Offenses. — The following
acts constitute the offense of cybercrime punishable under this Act:
(a)
Offenses
against the confidentiality, integrity and availability of computer data and
systems:
x x x
(2)
Data
Interference. — The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document, or electronic data
message, without right, including the introduction or transmission of viruses.
The SC ruled this
provision is constitutional. In response
to petitioners’ claim that this provision “suffers from overbreadth in that,
while it seeks to discourage data interference, it intrudes into the area of
protected speech and expression, creating a chilling and deterrent effect on
these guaranteed freedoms”, the SC held that the provision “does not encroach
on these freedoms at all. It simply punishes what essentially is a form of
vandalism, the act of willfully destroying without right the things that belong
to others, in this case their computer data, electronic document, or electronic
data message. Such act has no connection
to guaranteed freedoms. There is no
freedom to destroy other people’s computer systems and private documents.”
On Cyber-squatting
Section 4. Cybercrime
Offenses. – The following acts constitute the offense of cybercrime
punishable under this Act:
(a)
Offenses
against the confidentiality, integrity and availability of computer data and
systems:
x x x
(6)
Cyber-squatting.
– The acquisition of domain name over the internet in bad faith to profit,
mislead, destroy the reputation, and deprive others from registering the same,
if such a domain name is:
(i)
Similar,
identical, or confusingly similar to an existing trademark registered with the
appropriate government agency at the time of the domain name registration;
(ii)
Identical or
in any way similar with the name of a person other than the registrant, in case
of a personal name; and
(iii) Acquired without right or with intellectual
property interests in it.
The SC ruled this
provision is constitutional. Petitioners
claimed that this provision “violates the equal protection clause in that, not
being narrowly tailored, it will cause a user using his real name to suffer the
same fate as those who use aliases or take the name of another in satire,
parody, or any other literary device.”
The SC held that “it is the evil purpose for which [the alleged
violator] uses the name that the law condemns. The law is reasonable in penalizing him for
acquiring the domain name in bad faith to profit, mislead, destroy
reputation, or deprive others who are not ill-motivated of the rightful
opportunity of registering the same.” [underscoring
supplied]
On Computer-related Identity Theft
Section 4. Cybercrime
Offenses. – The following acts constitute the offense of cybercrime
punishable under this Act:
x x x
(b)
Computer-related
Offenses:
x x x
(3)
Computer-related
Identity Theft. – The intentional acquisition, use, misuse, transfer,
possession, alteration, or deletion of identifying information belonging to
another, whether natural or juridical, without right: Provided: that if
no damage has yet been caused, the penalty imposable shall be one (1) degree
lower.
The SC ruled this provision
is constitutional. Petitioners claimed
that this provision “violates the constitutional rights to due process and to
privacy and correspondence, and transgresses the freedom of the press.”
In negating the right to
privacy issue, the SC held that the provision “punishes those who acquire or
use such identifying information without right, implicitly to cause damage.
Petitioners simply fail to show how government effort to curb computer-related
identity theft violates the right to privacy and correspondence as well as the
right to due process of law.”
In negating the
overbreadth issue, the SC held that “specific conducts proscribed do not
intrude into guaranteed freedoms like speech. Clearly, what this section
regulates are specific actions: the acquisition, use, misuse or deletion of
personal identifying data of another. There is no fundamental right to acquire
another’s personal data.”
In countering the
freedom of the press issue that “journalists would be hindered from accessing
the unrestricted user account of a person in the news to secure information
about him that could be published,” the SC held that “this is not the essence
of identity theft that the law seeks to prohibit and punish. Evidently, the
theft of identity information must be intended for an illegitimate purpose.
Moreover, acquiring and disseminating information made public by the user
himself cannot be regarded as a form of theft.” Further, the SC said that since
intent to gain is an essential element to fall within the provision’s scope,
“the press, whether in quest of news reporting or social investigation, has
nothing to fear since a special circumstance is present to negate intent to
gain which is required by this Section.” [underscoring
supplied]
On Cybersex
Sec. 4. Cybercrime
Offenses. – The following acts constitute the offense of cybercrime
punishable under this Act:
x x x
(c)
Content-related
Offenses:
(1)
Cybersex. –
The willful engagement, maintenance, control, or operation, directly or
indirectly, of any lascivious exhibition of sexual organs or sexual activity,
with the aid of a computer system, for favor or consideration.
The SC ruled this
provision is constitutional. In claiming
that this provision violates the freedom of expression, petitioners alleged
that “private communications of sexual character between husband and wife or
consenting adults, which are not regarded as crimes under the penal code, would
now be regarded as crimes when done “for favor” in cyberspace.”
The SC went back to the
deliberations in Congress and found that the “deliberations show a lack of
intent to penalize a “private showing x x x between and among two private
persons x x x although that may be a form of obscenity to some.” The
understanding of those who drew up the cybercrime law is that the element of
“engaging in a business” is necessary to constitute the illegal cybersex.
The Act actually seeks to punish cyber prostitution, white slave trade, and
pornography for favor and consideration.” [underscoring
supplied]
Okay, private non-profit
exhibition of sexual organs or sexual activity may not be covered (no pun
intended). But what about
public, for profit, but educational/artistic/informative (as in for medical
purposes) - even if lascivious - exhibition of sexual organs or sexual activity?
Since a museum would normally charge entrance fees, and it is not inconceivable
that a museum will have an art exhibition showing sexual organs or sexual
activity, the museum may unjustly be punished under this provision once it uses
ICT in relation to its exhibition.
On Child Pornography
Sec. 4. Cybercrime
Offenses. – The following acts constitute the offense of cybercrime
punishable under this Act:
x x x
(c)
Content-related
Offenses:
x x x
(2)
Child
Pornography. — The unlawful or prohibited acts defined and punishable by
Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed
through a computer system: Provided, That the penalty to be imposed
shall be (1) one degree higher than that provided for in Republic Act No. 9775.
The SC ruled this
provision is constitutional. Petitioners
feared “that a person who merely doodles on paper and imagines a sexual abuse
of a 16-year-old is not criminally liable for producing child pornography but
one who formulates the idea on his laptop would be. Further, if the author
bounces off his ideas on Twitter, anyone who replies to the tweet could be
considered aiding and abetting a cybercrime.”
The SC held that this
provision “merely expands the scope of the Anti-Child Pornography Act of 200931
(ACPA) to cover identical activities in cyberspace” and that “no one can
complain since the intensity or duration of penalty is a legislative
prerogative and there is rational basis for such higher penalty. The potential for uncontrolled proliferation
of a particular piece of child pornography when uploaded in the cyberspace is
incalculable.”
Perhaps petitioners
should have also challenged the constitutionality of the relevant provisions of
the ACPA so that the SC could have tackled that issue as well.
On
Unsolicited Commercial Communications
Sec. 4. Cybercrime
Offenses. – The following acts constitute the offense of cybercrime punishable
under this Act:
x x x
(c)
Content-related
Offenses:
x x x
(3)
Unsolicited
Commercial Communications. – The
transmission of commercial electronic communication with the use of computer
system which seeks to advertise, sell, or offer for sale products and services
are prohibited unless:
(i)
There is prior
affirmative consent from the recipient; or
(ii)
The primary
intent of the communication is for service and/or administrative announcements
from the sender to its existing users, subscribers or customers; or
(iii) The following conditions are present:
(aa)
The commercial
electronic communication contains a simple, valid, and reliable way for the
recipient to reject receipt of further commercial electronic messages (opt-out)
from the same source;
(bb)
The commercial
electronic communication does not purposely disguise the source of the
electronic message; and
(cc)
The commercial
electronic communication does not purposely include misleading information in
any part of the message in order to induce the recipients to read the message.
The SC found this
provision unconstitutional. The SC that
“[t]o prohibit the transmission of unsolicited ads would deny a person the
right to read his emails, even unsolicited commercial ads addressed to him.
Commercial speech is a separate category of speech which is not accorded the
same level of protection as that given to other constitutionally guaranteed
forms of expression but is nonetheless entitled to protection. The State cannot
rob him of this right without violating the constitutionally guaranteed freedom
of expression. Unsolicited advertisements are legitimate forms of expression.”
On Libel
In the Revised Penal
Code (RPC)
Art. 353. Definition
of libel. — A libel is public and malicious imputation of a crime, or of a
vice or defect, real or imaginary, or any act, omission, condition, status, or
circumstance tending to cause the dishonor, discredit, or contempt of a natural
or juridical person, or to blacken the memory of one who is dead.
Art. 354. Requirement
for publicity. — Every defamatory imputation is presumed to be malicious,
even if it be true, if no good intention and justifiable motive for making it
is shown, except in the following cases:
1.
A private
communication made by any person to another in the performance of any legal,
moral or social duty; and
2.
A fair and
true report, made in good faith, without any comments or remarks, of any
judicial, legislative or other official proceedings which are not of
confidential nature, or of any statement, report or speech delivered in said
proceedings, or of any other act performed by public officers in the exercise
of their functions.
Art. 355. Libel
means by writings or similar means. — A libel committed by means of
writing, printing, lithography, engraving, radio, phonograph, painting,
theatrical exhibition, cinematographic exhibition, or any similar means, shall
be punished by prision correccional in its minimum and medium periods or
a fine ranging from 200 to 6,000 pesos, or both, in addition to the civil
action which may be brought by the offended party.
In the Cybercrime
Prevention Act of 2012
Sec. 4. Cybercrime
Offenses. — The following acts constitute the offense of cybercrime
punishable under this Act:
x x x
(c)
Content-related
Offenses:
x x x
(4)
Libel. — The unlawful or prohibited acts of libel as defined
in Article 355 of the Revised Penal Code, as amended, committed through a
computer system or any other similar means which may be devised in the future.
The SC upheld the
constitutionality of the libel provisions in the RPC and the Cybercrime
Prevention Act even as petitioners claimed that said provisions violate the right
to freedom of expression because the provisions require “presumed malice” while
the latest jurisprudence already replaces it with the higher standard of
“actual malice” as a basis for conviction.”
The SC held that, although
Art. 356 of the RPC states that “[e]very defamatory imputation is presumed to
be malicious”, where the offended party is a public official or a public figure,
the accused can claim absence of actual malice even when his/her statement
turns out to be false. But “where the
offended party is a private individual, the prosecution need not prove the
presence of malice [as it is presumed]. xxx For
his defense, the accused must show that he has a justifiable reason for the
defamatory statement even if it was in fact true.”
When petitioners claimed
that the provisions violated the Philippines’ obligations under the
International Covenant of Civil and Political Rights (ICCPR), citing the UNHRC
case “Adonis v. Republic of the Philippines” which held that “penal defamation
laws should include the defense of truth”, the SC qualified this ruling by
stating that the UNCHR did not hold “that the truth of the defamatory statement
should constitute an all-encompassing defense.” The SC further cites Art. 361 of
the RPC which “recognizes truth as a defense but under the condition that the accused
has been prompted in making the statement by good motives and for justifiable
ends.”
When petitioners claimed
that the UNCHR, in the Adonis case, enjoined the Philippines to decriminalize libel,
the SC noted that the UNCHR merely “suggested that defamation laws be crafted
with care to ensure that they do not stifle freedom of expression.” It can be argued that it is in criminalizing
libel that ensures freedom of expression is stifled – for who would dare speak freely
if imprisonment is the consequence? But,
that is not how the SC sees it.
Aiding and Abetting Libel
under the Cybercrime Prevention Act
Sec. 5. Other
Offenses. — The following acts shall also constitute an offense:
(a)
Aiding or
Abetting in the Commission of Cybercrime. – Any person who willfully abets or
aids in the commission of any of the offenses enumerated in this Act shall be
held liable.
(b)
Attempt in the
Commission of Cybercrime. — Any person who willfully attempts to commit any of
the offenses enumerated in this Act shall be held liable.
The SC made distinctions
here and declared “Section 5, in relation to Section 4(c)(4) on Libel, Section
4(c)(3) on Unsolicited Commercial Communications, and Section 4(c)(2) on Child
Pornography” is unconstitutional for its “chilling effect on the freedom of
expression”.
The SC acknowledged that
the “complex web of interaction on social media websites” - like pressing “Like”,
“Comment” or “Share” in relation to, or re-tweeting, an alleged libelous
statement or a statement relating to child pornography – creates many actors
(potentially millions) who may be held liable under Sec. 5 thus giving “law
enforcers such latitude that they could arbitrarily or selectively enforce the
law” and giving the law a “broad sweep that generates chilling effect on those
who express themselves through cyberspace posts, comments, and other messages.“
However, Section 5 in
relation to “Section 4(a)(1) on Illegal Access, Section 4(a)(2) on Illegal
Interception, Section 4(a)(3) on Data Interference, Section 4(a)(4) on System
Interference, Section 4(a)(5) on Misuse of Devices, Section 4(a)(6) on
Cyber-squatting, Section 4(b)(1) on Computer-related Forgery, Section 4(b)(2)
on Computer-related Fraud, Section 4(b)(3) on Computer-related Identity Theft,
and Section 4(c)(1) on Cybersex is constitutional. The SC determined that “none of these offenses
borders on the exercise of the freedom of expression” and the “crime of
willfully attempting to commit any of these offenses is for the same reason not
objectionable.”
On the Penalty for Committing a Crime through the
use of ICT
Sec. 6. All crimes defined and penalized by the
Revised Penal Code, as amended, and special laws, if committed by, through and
with the use of information and communications technologies shall be covered by
the relevant provisions of this Act: Provided, That the penalty to be imposed
shall be one (1) degree higher than that provided for by the Revised Penal
Code, as amended, and special laws, as the case may be.
In upholding this
provision, he SC held that “Section 6 merely makes commission of existing
crimes through the internet a qualifying circumstance x x x In
using the technology in question, the offender often evades identification and
is able to reach far more victims or cause greater harm. The distinction, therefore, creates a basis
for higher penalties for cybercrimes.”
The increase in penalty by
one full degree, with no opportunity to mitigate the same, seems unjustifiably
harsh, especially when it comes to libel where the threat of a higher penalty
may deter free speech and which act, in a more enlightened world, would not be criminal in
the first place.
Liability under Other Laws
Sec. 7. Liability
under Other Laws. — A prosecution under this Act shall be without prejudice
to any liability for violation of any provision of the Revised Penal Code, as
amended, or special laws.
This is about double
jeopardy and the SC made distinctions on this provision’s application. In cases of online libel and online child
pornography, the SC held that double jeopardy applies such that one can’t be
separately prosecuted for the same online libel under the RPC and under the Cybercrime
Prevention Act nor can one be separately prosecuted for the same online libel
under the ACPA and the Cybercrime Prevention Act.
However, as regards all
other cases, the SC held that it “would rather leave the determination of the
correct application of Section 7 to actual cases”.
On the Penalties
Sec. 8. Penalties.
— Any person found guilty of any of the punishable acts enumerated in Sections
4(a) and 4(b) of this Act shall be punished with imprisonment of prision mayor
or a fine of at least Two hundred thousand pesos (PhP200,000.00) up to a
maximum amount commensurate to the damage incurred or both.
Any person found
guilty of the punishable act under Section 4(a)(5) shall be punished with
imprisonment of prision mayor or a fine of not more than Five hundred
thousand pesos (PhP500,000.00) or both.
If punishable acts
in Section 4(a) are committed against critical infrastructure, the penalty of reclusion
temporal or a fine of at least Five hundred thousand pesos (PhP500,000.00)
up to maximum amount commensurate to the damage incurred or both, shall be
imposed.
Any person found
guilty of any of the punishable acts enumerated in Section 4(c)(1) of this Act
shall be punished with imprisonment of prision mayor or a fine of at
least Two hundred thousand pesos (PhP200,000.00) but not exceeding One million
pesos (PhP1,000,000.00) or both.
Any person found
guilty of any of the punishable acts enumerated in Section 4(c)(2) of this Act
shall be punished with the penalties as enumerated in Republic Act No. 9775 or
the “Anti-Child Pornography Act of 2009:” Provided, That the penalty to
be imposed shall be one (1) degree higher than that provided for in Republic
Act No. 9775, if committed through a computer system.
Any person found
guilty of any of the punishable acts enumerated in Section 4(c)(3) shall be
punished with imprisonment of arresto mayor or a fine of at least Fifty
thousand pesos (PhP50,000.00) but not exceeding Two hundred fifty thousand
pesos (PhP250,000.00) or both.
Any person found
guilty of any of the punishable acts enumerated in Section 5 shall be punished
with imprisonment one (1) degree lower than that of the prescribed penalty for
the offense or a fine of at least One hundred thousand pesos (PhP100,000.00)
but not exceeding Five hundred thousand pesos (PhP500,000.00) or both.
The SC found this
provision constitutional and held that “[t]he matter of fixing penalties for
the commission of crimes is as a rule a legislative prerogative. xxx Judges and
magistrates can only interpret and apply them and have no authority to modify
or revise their range as determined by the legislative department. The courts
should not encroach on this prerogative of the lawmaking body.”
On Real-time Collection of Data
Sec. 12. Real-Time
Collection of Traffic Data. — Law enforcement authorities, with due cause,
shall be authorized to collect or record by technical or electronic means
traffic data in real-time associated with specified communications transmitted
by means of a computer system.
Traffic data refer
only to the communication’s origin, destination, route, time, date, size,
duration, or type of underlying service, but not content, nor identities.
All other data to
be collected or seized or disclosed will require a court warrant.
Service providers
are required to cooperate and assist law enforcement authorities in the
collection or recording of the above-stated information.
The court warrant
required under this section shall only be issued or granted upon written
application and the examination under oath or affirmation of the applicant and
the witnesses he may produce and the showing: (1) that there are reasonable
grounds to believe that any of the crimes enumerated hereinabove has been
committed, or is being committed, or is about to be committed; (2) that there
are reasonable grounds to believe that evidence that will be obtained is
essential to the conviction of any person for, or to the solution of, or to the
prevention of, any such crimes; and (3) that there are no other means readily
available for obtaining such evidence.
The SC found this
provision unconstitutional for violating the right to privacy. The SC said that “[I]n assessing regulations
affecting privacy rights, courts should balance the legitimate concerns of the
State against constitutional guarantees.”
To be upheld, a law requiring the disclosure of private matters must show
that 1) “the requirement has a rational relation to the purpose of the law”, 2)
“there is a compelling State interest behind the law”, and 3) “the provision
itself is narrowly drawn”.
The SC held that the
provision failed the “narrowly drawn” element.
A crucial term in the challenged provision is in the opening sentence:
“Law enforcement authorities, with due cause, shall be authorized …”. ‘Due cause’ was deemed vague in this instance
as it justifies “a general gathering of data … akin to the use of a general
search warrant that the Constitution prohibits.” Due Cause was also deemed “not descriptive of
the purpose for which data collection will be used” and gave law enforcement agencies
authority that is “too sweeping and without restraint”. The Court stated that laws that allow the use
of technology to monitor individuals must be “written with specificity and
definiteness as to ensure respect for the rights that the Constitution
guarantees”.
The SC further noted that
while the provision says “that traffic data collection should not disclose
identities or content data, such restraint is but an illusion. Admittedly, nothing can prevent law
enforcement agencies holding these data in their hands from looking into the
identity of their sender or receiver and what the data contains. This will
unnecessarily expose the citizenry to leaked information or, worse, to
extortion from certain bad elements in these agencies.”
On Preservation of Computer Data
Sec. 13.
Preservation of Computer Data. — The integrity of traffic data and subscriber
information relating to communication services provided by a service provider
shall be preserved for a minimum period of six (6) months from the date of the
transaction. Content data shall be similarly preserved for six (6) months from
the date of receipt of the order from law enforcement authorities requiring its
preservation.
Law enforcement
authorities may order a one-time extension for another six (6) months:
Provided, That once computer data preserved, transmitted or stored by a service
provider is used as evidence in a case, the mere furnishing to such service
provider of the transmittal document to the Office of the Prosecutor shall be
deemed a notification to preserve the computer data until the termination of
the case.
The service
provider ordered to preserve computer data shall keep confidential the order
and its compliance.
The SC found this
provision constitutional. Petitioners claimed that “Section 13 constitutes an
undue deprivation of the right to property. They liken the data preservation
order that law enforcement authorities are to issue as a form of garnishment of
personal property in civil forfeiture proceedings. Such order prevents internet
users from accessing and disposing of traffic data that essentially belong to
them.”
While not denying that
“the contents of materials sent or received through the internet belong to
their authors or recipients and are to be considered private communications”, and
despite the petitioners’ claim that ICT users have the right to access and
dispose “of traffic data that essentially belong to them”, the SC upheld this
provision while only addressing ICT users’ right to access their data. The SC ruled that “the data that service
providers preserve on orders of law enforcement authorities are not made
inaccessible to users by reason of the issuance of such orders. The process of
preserving data will not unduly hamper the normal transmission or use of the
same.” No mention of ICT users’ right to
dispose data that belong to them.
Disclosure of Computer
Data
Sec. 14. Disclosure
of Computer Data. — Law enforcement authorities, upon securing a court
warrant, shall issue an order requiring any person or service provider to
disclose or submit subscriber’s information, traffic data or relevant data in
his/its possession or control within seventy-two (72) hours from receipt of the
order in relation to a valid complaint officially docketed and assigned for
investigation and the disclosure is necessary and relevant for the purpose of
investigation.
The SC found this
provision constitutional and ruled that “what Section 14 envisions is merely
the enforcement of a duly issued court warrant, a function usually lodged in
the hands of law enforcers to enable them to carry out their executive
functions. The prescribed procedure for disclosure would not constitute an
unlawful search or seizure nor would it violate the privacy of communications
and correspondence. Disclosure can be made only after judicial intervention.”
On the Search, Seizure
and Examination of Computer Data
Sec. 15. Search,
Seizure and Examination of Computer Data. — Where a search and seizure
warrant is properly issued, the law enforcement authorities shall likewise have
the following powers and duties.
Within the time
period specified in the warrant, to conduct interception, as defined in this
Act, and:
(a)
To secure a
computer system or a computer data storage medium;
(b)
To make and
retain a copy of those computer data secured;
(c)
To maintain
the integrity of the relevant stored computer data;
(d)
To conduct
forensic analysis or examination of the computer data storage medium; and
(e)
To render
inaccessible or remove those computer data in the accessed computer or computer
and communications network.
Pursuant thereof,
the law enforcement authorities may order any person who has knowledge about
the functioning of the computer system and the measures to protect and preserve
the computer data therein to provide, as is reasonable, the necessary
information, to enable the undertaking of the search, seizure and examination.
Law enforcement
authorities may request for an extension of time to complete the examination of
the computer data storage medium and to make a return thereon but in no case
for a period longer than thirty (30) days from date of approval by the court.
The SC found this
provision constitutional. While petitioners claim this provision “will supplant
established search and seizure procedures, the SC ruled that the law “merely
enumerates the duties of law enforcement authorities that would ensure the
proper collection, preservation, and use of computer system or data that have
been seized by virtue of a court warrant. The exercise of these duties do not pose any
threat on the rights of the person from whom they were taken. Section 15 does
not appear to supersede existing search and seizure rules but merely
supplements them.”
On the Destruction of
Computer Data
Sec. 17. Destruction
of Computer Data. — Upon expiration of the periods as provided in Sections
13 and 15, service providers and law enforcement authorities, as the case may
be, shall immediately and completely destroy the computer data subject of a
preservation and examination.
The SC found this
provision constitutional. In denying
petitioners’ claim that “such destruction of computer data subject of previous
preservation or examination violates the user’s right against deprivation of
property without due process of law,” the SC held that “it is unclear that the
user has a demandable right to require the service provider to have that copy
of the data saved indefinitely for him in its storage system. If he wanted them
preserved, he should have saved them in his computer when he generated the data
or received it. He could also request the service provider for a copy before it
is deleted.”
On Restricting or Blocking Access to Computer Data
Sec. 19.
Restricting or Blocking Access to Computer Data.— When a computer data is prima
facie found to be in violation of the provisions of this Act, the DOJ shall
issue an order to restrict or block access to such computer data.
The SC found this provision
unconstitutional “for being violative of the constitutional guarantees to
freedom of expression and against unreasonable searches and seizures.”
The SC held that “it is
indisputable that computer data, produced or created by their writers or authors
may constitute personal property. Consequently, they are protected from
unreasonable searches and seizures, whether while stored in their personal
computers or in the service provider’s systems.”
Because the government,
pursuant to this provision, will “seize[s] and place[s] the computer data under
its control and disposition without a warrant,” the provision violates “Section
2, Article III of the 1987 Constitution which provides “the right to be secure
in one’s papers and effects against unreasonable searches and seizures of
whatever nature and for any purpose shall be inviolable” and that “no search
warrant shall issue except upon probable cause to be determined personally by
the judge.”
Plus, the SC held that “content
of the computer data can also constitute speech. In such a case, Section 19
operates as a restriction on the freedom of expression over cyberspace” if the restriction
is 1) done without judicial warrant, 2) fails the dangerous tendency doctrine,
3) the balancing of interest test, or 4) the
clear and present danger rule. Section
19’s requirement that the “computer data is prima facie found to be in
violation of the provisions of this Act” is insufficient justification for the
restriction
On Noncompliance with the Enforcement and Implementation
of the Act
Sec. 20.
Noncompliance. — Failure to comply with the provisions of Chapter IV hereof
specifically the orders from law enforcement authorities shall be punished as a
violation of Presidential Decree No. 1829 with imprisonment of prision
correctional in its maximum period or a fine of One hundred thousand pesos
(Php100,000.00) or both, for each and every noncompliance with an order issued
by law enforcement authorities.
The SC found this
provision constitutional despite petitioners’ claim that it is a bill of
attainder[1]. The SC reasoned that “since the
non-compliance would be punished as a violation of Presidential Decree (P.D.)
1829, Section 20 necessarily incorporates elements of the offense which are
defined therein. If Congress had
intended for Section 20 to constitute an offense in and of itself, it would not
have had to make reference to any other statue or provision.” So violation of Section 20, in relation to P.D.
No. 1829, must still be done by “any person who knowingly or willfully
obstructs, impedes, frustrates or delays the apprehension of suspects and the
investigation and prosecution of criminal cases” in the manner provided under P.D.
1829.
On the Powers of the Cybercrime Investigation and
Coordinating Center
Sec. 24. Cybercrime
Investigation and Coordinating Center.– There is hereby created, within thirty
(30) days from the effectivity of this Act, an inter-agency body to be known as
the Cybercrime Investigation and Coordinating Center (CICC), under the
administrative supervision of the Office of the President, for policy
coordination among concerned agencies and for the formulation and enforcement
of the national cybersecurity plan.
Sec. 26. Powers and
Functions.– The CICC shall have the following powers and functions:
(c)
To formulate a
national cybersecurity plan and extend immediate assistance of real time
commission of cybercrime offenses through a computer emergency response team (CERT);
x x x.
The SC found this
provision constitutional. Petitioners claimed that the authority given the CICC
to formulate a “national cybersecurity plan without any sufficient standards or
parameters for it to follow” was an undue delegation of legislative power by
the Congress to the CICC. The SC cited
the 2 tests to determine undue delegation of legislative power: 1) the completeness test, i.e, “the law must be complete in all its terms and
conditions when it leaves the legislature such that when it reaches the
delegate, the only thing he will have to do is to enforce it”; and 2) the sufficient
standard test which “mandates adequate guidelines or limitations in the law to determine
the boundaries of the delegate’s authority and prevent the delegation from
running riot.”
The SC found the Act is
complete and gave “sufficient standards for the CICC to follow when it provided
a definition of cybersecurity.” Under
Sec. 3 (k), cybersecurity “refers to the collection of tools, policies, risk management
approaches, actions, training, best practices, assurance and technologies that
can be used to protect cyber environment and organization and user’s assets.” THE SC found that this “definition serves as
the parameters within which CICC should work in formulating the cybersecurity
plan.”
The SC also found that
since “the formulation of the cybersecurity plan is consistent with the policy
of the law” stated in Sec. 2 of the Act which is to “prevent and combat such
[cyber] offenses by facilitating their detection, investigation, and
prosecution at both the domestic and international levels, and by providing
arrangements for fast and reliable international cooperation”, and because “the
policy is clearly adopted in the interest of law and order, which has been
considered as sufficient standard”, then the 2 provisions are valid.
Because of the multifaceted
connections/transactions/relations in the realm of ITC and the nature of ITC to
evolve fast, the Cybercrime Prevention Act of 2012 will likely be subject of numerous
challenges filed with the courts, if not proposed amendments filed with the
legislature, to jibe with the times. Changes may come sooner than we think as
appeals to the decision have already been filed.
[1] bill of
attainder = a legislative act that imposes punishment without a trial.
Merriam-Webster. http://www.merriam-webster.com/dictionary/bill%20of%20attainder