Stanford CIS

WILMap: Philippines

Legislation | Bills and Pending Proposals | Decisions | Other Resources | Contributors | Feedback | Return to WILMAP Home Page

LEGISLATIONRepublic Act No. 10175 (a.k.a. the Cybercrime Prevention Act of 2012),  September 12, 2012 (1) On Service Providers (i) The law defines service provider as “any public or private entity that provides to users of its service the ability to communicate by means of a computer system” and “any other entity that processes or stores computer data on behalf of such communication service or users of such service” [Section 3(n)]. Other relevant terms defined by the law include “computer data”, “subscriber’s information”, and “traffic data" [Section 3(e), (o) and (p)]. (ii) For law enforcement purposes, service providers are required to preserve computer data within a specified period. The mandatory retention period (6 months) may be extended pursuant to an order by a law enforcement authority (one-time extension for another 6 months) (Section 13). (iii) Law enforcement authorities may thereafter compel the service provider to disclose such traffic data and subscriber information, as well as any other relevant data or information in its possession, pursuant to a court-issued warrant, within 72 hours from receipt of the order (Section 14). (iv) To gain possession of and examine relevant computer data, law enforcement authorities also have the option of securing a search and seizure warrant, which may be then enforced against a computer user or service provider, as the case may be (Section 15). (v) Once the mandatory data retention periods imposed by the law have expired, both service providers and law enforcement authorities are required to delete or destroy the computer data subject involved (Section 17). (vi) A service provider’s failure to comply with an order issued by a law enforcement authority is punishable under the law. Section 20 is clear on this point: "Noncompliance. — Failure to comply with the provisions of Chapter IV hereof specifically the orders from law enforcement authorities shall be punished as a violation of Presidential Decree No. 1829 with imprisonment of prision correctional in its maximum period or a fine of One hundred thousand pesos (Php100,000.00) or both, for each and every noncompliance with an order issued by law enforcement authorities." (PD No. 1829, as referred to in the foregoing provision, refers to an old law penalizing acts constituting obstruction to the apprehension of suspects in a criminal investigation, or the prosecution of criminal offenses.) (2) Miscellaneous Provisions (i) To date, there is no available data to suggest if any of the punishable acts (i.e., illegal access, illegal interception, etc.) treated by the law as constituting cybercrimes may be held against a service provider or any intermediary liability. There is, however, one particular offense cited in the law that could pose the greatest challenge: “aiding or abetting in the commission of a cybercrime”. Section 5(a) reads: "Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or aids in the commission of any of the offenses enumerated in this Act shall be held liable." (ii) If and when a service provider is held liable for any of the offenses prescribed by the law, a key provision—other than those prescribing the corresponding penalties—is that which accounts for corporate liability. In this wise, Section 9 is instructive:

"SEC. 9. Corporate Liability. — When any of the punishable acts herein defined are knowingly committed on behalf of or for the benefit of a juridical person, by a natural person acting either individually or as part of an organ of the juridical person, who has a leading position within, based on: (a) a power of representation of the juridical person provided the act committed falls within the scope of such authority; (b) an authority to take decisions on behalf of the juridical person: Provided, That the act committed falls within the scope of such authority; or (c) an authority to exercise control within the juridical person, the juridical person shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Ten million pesos (PhP10,000,000.00).

If the commission of any of the punishable acts herein defined was made possible due to the lack of supervision or control by a natural person referred to and described in the preceding paragraph, for the benefit of that juridical person by a natural person acting under its authority, the juridical person shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Five million pesos (PhP5,000,000.00).

The liability imposed on the juridical person shall be without prejudice to the criminal liability of the natural person who has committed the offense." (3) Relevant Provisions Declared Unconstitutional - In a recent decision by the country’s Supreme Court, Disini v Secretary of Justice (Febraury 11, 2014), Section 12 and 19 were stricken down and declared void for being unconstitutional (see below).] Republic Act No. 9775 (a.k.a. the Anti-Child Pornography Act of 2009), November 17, 2009 [(1) On Internet Content Hosts (i) Under the law, an internet content host is defined as any person who hosts or who proposes to host internet content in the Philippines [Section 3(f)]. Each one is bound to observe and perform certain specific duties, thus:

“Duties of an Internet Content Host. – An internet content host shall:

(a)   Not host any form of child pornography on its internet address;

(b)   Within seven (7) days, report the presence of any form of child pornography, as well as the particulars of the person maintaining, hosting, distributing or in any manner contributing to such internet address, to the proper authorities; and

(c)   Preserve such evidence for purposes of investigation and prosecution by relevant authorities.

An internet content host shall, upon the request of proper authorities, furnish the particulars of users who gained access to an internet address that contains any form of child pornography. An internet content host who shall knowingly, willfully and intentionally violate this provision shall be subject to the penalty provided under Section 15(j) of this Act: Provided, That the failure of the internet content host to remove any form of child pornography is hitting its server shall be conclusive evidence of willful and intentional violation thereof.” (Section 11) (ii) For this purpose, Section 15(j) reads:

“Any person found guilty of violating Section 11 of this Act shall suffer the penalty of prison correccional in its medium period and a fine of not less than one million pesos (Php1,000,000.00) but not more than two million pesos (Php2,000,000.00) for the first offense. In the case of a subsequent offense, the penalty shall be a fine not less than Two million pesos (Php2,000,000.00) but not more than Three million pesos (Php3,000,000.00) and revocation of its license to operate and immediate closure of the establishment;” (2) On Internet Service Providers (i) On the other hand, an internet service provider (ISP) is defined as a “person or entity that supplies or proposes to supply, an internet carriage service to the public” [Section 3(g)]. Its duties under the law are, as follows:

“Duties of an Internet Service Provider (ISP). All internet service providers (ISPs) shall notify the Philippine National Police (PNP) or the National Bureau of Investigation (NBI) within seven (7) days from obtaining facts and circumstances that any form of child pornography is being committed using its server or facility. Nothing in this section may be construed to require an ISP to engage in the monitoring of any user, subscriber or customer, or the content of any communication of any such person: Provided, That no ISP shall be held liable for damages on account of any notice given in good faith in compliance with this section.

Furthermore, an ISP shall preserve such evidence for purpose of investigation and prosecution by relevant authorities.

An ISP shall, upon the request of proper authorities, furnish the particulars of users who gained or attempted to gain access to an internet address which contains any form of child pornography.

All ISPs shall install available technology, program or software to ensure that access to or transmittal of any form of child pornography will be blocked or filtered.

An ISP who shall knowingly, willfully and intentionally violate this provision shall be subject to the penalty provided under Section 15(k) of this Act. The National Telecommunications Commission (NTC) shall promulgate within ninety (90) days from the effectivity of this Act the necessary rules and regulations for the implementation of this provision which shall include, among others, the installation of filtering software that will block access to or transmission of any form of the child pornography.” (Section 9) (ii) Section 15(k) of the law reads:

“Any ISP found guilty of willfully and knowingly failing to comply with the notice and installation requirements under Section 9 of this Act shall suffer the penalty of a fine not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) for the first offense. In case of subsequent offense, the penalty shall be a fine of not less than One million pesos (Php1,000,000.00) but not more than Two million pesos (Php2,000,000.00) and revocation of its license to operate.” (3) On Telecommunications Companies (i) Inasmuch as some telecommunications companies already operate as ISPs, and may therefore be held liable as such under the applicable provisions of the law, there is nevertheless a separate provision directed specifically at such entities. Section 4(f) of the law declares:

“Unlawful or Prohibited Acts. – It shall be unlawful for any person:

(f) For film distributors, theaters and telecommunications companies, by themselves or in cooperation with other entities, to distribute any form of child pornography;”

(ii) The imposable penalty for such violation may be found in Section 15(c) of the law:

“Any person found guilty of violating Section (d), (e), and (f) of this Act shall suffer the penalty of reclusion temporal in its medium period and a fine of not less than seven hundred fifty thousand pesos (Php750,000.00) but not more than One million pesos (Php1,000,000.00);”(iii) It is unclear how else telecommunications companies may be expected to distribute child pornography other than by operating as ISPs. (4) Miscellaneous Provisions (i) Where the offender involved is a juridical person, the penalty shall be imposed upon the “owner, partner, member of the board of directors and/or any responsible officer who participated in the commission of the crime or shall have knowingly permitted or failed to prevent its commissions” (Section 16). (ii) The law also mandates the confiscation and forfeiture of equipment used in child pornography. However, it is unclear if and how this applies to intermediaries who are held liable for violating the provisions of the law (Section 17). (iii) It is also worth noting that under Section 6 of the more recently enacted law of Republic Act No. 10175 (Cybercrime Prevention Act of 2012) (see above), the imposable penalty for crimes defined and made punishable by the Revised Penal Code or a special law like Republic Act No. 9775, shall be one (1) degree higher than that provided by the RPC or special law concerned, if committed “by, through and with the use of information and communications technologies”.] Republic Act No. 8792 (a.k.a. the Electronic Commerce Act), June 14, 2000 [(1) On Intermediaries The law defines an intermediary as “a person who in behalf of another person and with respect to a particular electronic document sends, receives, and/or stores, provides other services in respect of that electronic data message or electronic document”. [Sec. 5(h)] However, except where it excludes this person from the concepts of “addressee” [see: Section 5(a)] and “originator” [see: Section 5(i)], the law makes no mention the term anywhere else in its text. (2) On Service Providers (ii) A service provider, on the other hand, is defined by the law in the following manner:

“’Service Provider’ refers to a provider of:

i. online services or network access or the operator of facilities therefor including entities offering the transmission, routing, or providing of connections for online communications, digital or otherwise, between or among points specified by a user of electronic documents of the user’s choosing; or

ii. the necessary technical means by which electronic documents of an originator may be stored and made accessible to designated or undesignated third party.

Such service providers shall have no authority to modify or alter the content of the electronic document received or to make any entry therein on behalf of the originator, addressee or any third party unless specifically authorized to do so, and who shall retain the electronic document in accordance with the specific request or as necessary for the purpose of performing the services it was engaged to perform.” [Section 5(i)]

(ii) Unlike in the case of an intermediary, an entire section is devoted to delineating the extent of liability of a service provider as regards a particular electronic data message or electronic document. Thus, Section 30 reads:

“Extent of Liability of a Service Provider. – Except as otherwise provided in this Section, no person or party shall be subject to any civil or criminal liability in respect of the electronic data message or electronic document for which the person or party acting as a service provider as defined in Section 5, merely provides access if such liability is founded on –

(a) The obligations and liabilities of the parties under the electronic data message or electronic document;

(b) The making, publication, dissemination or distribution of such material or any statement made in such material, including possible infringement of any right subsisting in or in relation to such material. Provided, That

i. The service provider does not have actual knowledge, or is not aware of the facts or circumstances from which it is apparent, that the making, publication, dissemination or distribution of each material is unlawful or infringes any rights subsisting in or in relation to such material;

ii. The service provider does not knowingly receive a financial benefit directly attributable to the unlawful or infringing activity; and

iii. The service provider does not directly commit any infringement or other unlawful act and does not induce or cause another person or party to commit any infringement or other unlawful act and/or does not benefit financially from the infringing activity or unlawful act or another person or party; Provider, further, That nothing in this Section shall affect –

a. Any obligation founded on contract;

b. The obligation of a service provider as such under a licensing or other regulatory regime established under written law;

c. Any obligation imposed under any written law;d. The civil liability of any party to the extent that such liability forms the basis for injunctive relief issued by a court under any law requiring that the service provider take or refrain from action necessary to remove, block or deny access to any material, or to preserve evidence of a violation of law.”]

BILLS AND PENDING PROPOSALS[There are currently no known new legislative proposals on the issue of intermediary liability.] [There are currently no known new legislative proposals on the issue of intermediary liability.]

DECISIONS

Superior CourtsSupreme Court, Disini v. Secretary of Justice, G.R. No. 203335, February 11, 2014[privacy, data retention, real-time collection, service providers, cooperation and assistance] [In a recent decision by the country’s Supreme Court, two provisions of the Cybercrime Prevention Act of 2012 (see above) were stricken down and declared void for being unconstitutional.  (i) In its original text, the law provided for the real-time collection of traffic data by law enforcement authorities and service providers were required to “cooperate and assist law enforcement authorities in the collection or recording” of said traffic data. Section 12 previously read as:

"Real-Time Collection of Traffic Data. — Law enforcement authorities, with due cause, shall be authorized to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system.

Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or type of underlying service, but not content, nor identities.

All other data to be collected or seized or disclosed will require a court warrant.

Service providers are required to cooperate and assist law enforcement authorities in the collection or recording of the above-stated information.

The court warrant required under this section shall only be issued or granted upon written application and the examination under oath or affirmation of the applicant and the witnesses he may produce and the showing: (1) that there are reasonable grounds to believe that any of the crimes enumerated hereinabove has been committed, or is being committed, or is about to be committed: (2) that there are reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes; and (3) that there are no other means readily available for obtaining such evidence."(ii) Moreover, it also authorized the Department of Justice to order the blocking or restriction of access to a computer data if the latter is prima facie found to be in violation of the law. This is found under then Section 19: "Restricting or Blocking Access to Computer Data.When a computer data is prima facie found to be in violation of the provisions of this Act, the DOJ shall issue an order to restrict or block access to such computer data."]

Lower Courts[There are currently no known new legislative proposals on the issue of intermediary liability.]

OTHER RESOURCESFoundation for media Alternatives, http://fma.ph

CONTRIBUTORSJamael JacobDirector, National Privacy CommissionEmail: jamael at gmail.com

FEEDBACK

Please use this form to provide your feedback or suggest any amendments or updates to this page.