Every time one provides personal information like one's name, address, contact number, email address, or sensitive personal information like race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations and other similar information, one is deemed to be a "data subject" protected under the Data Privacy Act of 2012.
Under the DPA, natural or juridical persons who collect, control, or process personal data are bound to uphold the rights of data subjects and adhere to general data privacy principles and the requirements of lawful processing.
In the interest of adhering to the principle of transparency, Personal Information Controllers (PIC) are required to obtain the consent of the data subject in a manner that complies with all the requisites for valid consent. PICs are bound to ensure that the data subject is aware of the nature, purpose, and extent of the processing of personal data.
This includes the identity of the PIC, the risks and safeguards involved, the rights of the data subject, and how these rights can be exercised. It empowers the data subject to make informed choices and, where applicable, to have reasonable control over the processing of their personal data, and to hold a PIC accountable based on the information provided when the data subject gave their consent.
This is why privacy notices appear every time one accesses a website and mobile applications, especially those that collect personal information from its users and site visitors.
However, it is not uncommon for data subjects to be overwhelmed by numerous lengthy forms and privacy notices when accessing certain websites or mobile applications. Within the context of Data Privacy, the experience is called "Consent Fatigue." It elevates the risk that the consent will be improperly given. It undermines the purpose of obtaining consent as it desensitizes the data subject and causes them to ignore the requisites for valid consent.
The National Privacy Commission, the state agency charged with administering and implementing the DPA, recently issued Circular 2023–04, further requiring PICs to obtain the consent of the data subject in a manner that complies with all the requisites for valid consent. In the same circular, the regulator clarified what "valid consent" is within the context of the DPA. The data subject's consent must be (1) freely given; (2) specific; (3) an informed indication of will; and (4) evidenced by written, electronic, or recorded means.
First, consent must be freely given, meaning the data subject must be given a genuine choice and control over the decision to consent to process their data.
Second, the consent of the data subject must be specific to the declared purposes for processing personal data.
Third, consent must be expressly given through a clear assenting action that signifies agreement to the specific purposes of the processing of personal data as conveyed to the data subject at the time consent was given.
Lastly, a PIC must ensure that the consent obtained from a data subject is evidenced by written, electronic, or recorded means.
It is worth stressing that as of January 2023, more than three out of four Filipinos were internet and social media users. On average, Filipinos aged 16 to 64 spend an average of 9 hours and 14 minutes on the internet daily. Given this backdrop, the country's unimaginable scale of data sharing calls for protecting Filipino data subjects from its inherent risks.
The DPA provides safeguards for data subjects in the Philippines from the prying eyes of unscrupulous information controllers and processors. Privacy notices are one such safeguard. But do they genuinely tend to obtain the intended "valid consent" contemplated ordinarily and under the law, especially in the face of "Consent Fatigue?" This will be elaborated on in Part II.
(To be continued)
