Dear Atty. Joji,

A bank where I work recently received a Cyber Warrant for Disclosure of Computer Data requiring us to disclose the identity and basic information of a depositor allegedly involved in online fraud. Management is hesitant to comply, citing the Bank Secrecy Law. Can the bank legally refuse to disclose depositor information covered by the cyber warrant?

Kate

□□□□□

Dear Kate,

The Supreme Court has clarified that banks are considered “service providers” under the Cybercrime Prevention Act. As such, depositors may be treated as “subscribers,” and their subscriber information may be subject to a valid Cyber Warrant for Disclosure of Computer Data.

In the recently decided case of Eastwest Rural Bank vs. PNP Cybercrime Group Unit 1 et al., (G.R. No. 273720, 29 July 2025) the Cybercrime Prevention Act defines “service provider” as: “(I) [a]ny public or private entity that provides to users of its service the ability to communicate by means of a computer system; and (2) [a]ny other entity that processes or stores computer data on behalf of such communication service or users of such service.” Service providers bear specific duties and responsibilities toward law enforcement authorities. Specifically, service providers are obligated, among others, to cooperate and assist law enforcement in the collection and recording of various types of data, including traffic data, subscriber information, content data, and computer data.

The High Court held that “While the Cybercrime Prevention Act emphasizes the protection of data confidentiality, it also recognizes that legitimate circumstances require information disclosure, providing a legal framework for such disclosures when justified and authorized by the courts.

The Cybercrime Prevention Act explicitly permits the disclosure of information under defined circumstances. The Act establishes the following requisites for permissible information disclosure: (1) a court warrant issued upon a written application demonstrating reasonable grounds to believe that any of the crimes enumerated in the Act has been, is being, or is about to be committed, that the evidence to be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes, and that there are no other means readily available for obtaining such evidence; 109 (2) the existence of a valid complaint officially docketed and assigned for investigation, where the disclosure is demonstrably necessary and relevant to the investigation; 110 and (3) prior authorization by a court through a WDCD, strictly limiting the disclosed information to that specifically permitted under the Cybercrime Prevention Act, namely subscriber information and relevant traffic data held by the service provider.”

In its ruling, the Court held that bank secrecy cannot be used to defeat compliance with a cyber warrant that lawfully seeks basic identifying information of depositors. Subscriber information is distinct from the contents of bank deposits, and the law expressly authorizes disclosure when supported by a valid court-issued cyber warrant. Thus, the bank is legally obligated unpack to comply, provided the warrant is valid and properly issued.

Hope this helps.

Atty. Joji Alonso