Is the disclosure of a person’s mobile number to a third party without prior consent, a violation of RA 10173 or the Data Privacy Act of 2012? As of today, no case had reached the Supreme Court regarding the said issue. In the absence of the jurisprudence on the matter, it is imperative to examine the true intent of the law as well as its application by using the well established rule in statutory construction, to arrive at the proper and legal answer. Analysis of the intent of the law, the scope of protected rights, the prohibited acts, the protected person and the person liable is a must. Now, what is the intent of the law? The law was approved last August 15, 2012 by the President Benigno Aquino III with the declaration of protecting the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. Section 2 of RA 10173 also provides that the State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. The law basically aims to protect human privacy, but is a person’s mobile number part of his privacy?
Black’s law dictionary defines privacy as the right to be let alone, the right of a person to be free from unwarranted publicity. Holloman v. Life Ins. Co. of Virginia, 192 S.C. 454, 7 S.E.2d 169, 171, 127 A.L.R. 110. The right of an individual (or corporation) to withhold himself and his property from public scrutiny, if he so chooses. It is said to exist only so far as its assertion is consistent with law or public policy, and in a proper case equity will interfere, if there is no remedy at law, to prevent an injury threatened by the invasion of, or infringement upon, this right from motives of curiosity, gain, or malice.In the case of Ople vs Torres decided by the Supreme Court last July 23, 1998, the question of what is privacy was put in issue. The Supreme Court held that the right to privacy as such is accorded recognition independently of its identification with liberty; in itself, it is fully deserving of constitutional protection. The language of Prof. Emerson is particularly apt: ‘The concept of limited government has always included the idea that governmental powers stop short of certain intrusions into the personal life of the citizen. This is indeed one of the basic distinctions between absolute and limited government. Ultimate and pervasive control of the individual, in all aspects of his life, is the hallmark of the absolute state. In contrast, a system of limited government safeguards a private sector, which belongs to the individual, firmly distinguishing it from the public sector, which the state can control. Protection of this private sector– protection, in other words, of the dignity and integrity of the individual–has become increasingly important as modern society has developed. All the forces of a technological age –industrialization, urbanization, and organization– operate to narrow the area of privacy and facilitate intrusion into it. In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society.'” Indeed, the right of privacy and privacy itself has a broad scope of rights.
The privacy, which the Data Act of 2012 protects, includes personal information. Therefore, if a mobile number is a personal information its protection will fall within the ambits of RA 10173. Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. From the wordings of the law, it seems that in order to consider an information as a protected personal information, the identity of the person must be apparent or can be reasonably or directly ascertained from the information or such information when put together with other information can directly and certainly identify an individual. A person can acquire a mobile number by two ways, first is by purchasing a prepaid sim card of any telephone company in the Philippines, and second is by availing of postpaid line connection contract with any of the telephone company in the country.
A prepaid sim card can be easily purchased by any person from any convenient store, supermarket, malls, and other commercial areas and even from street vendors. The vendor of the prepaid sim card does not require the purchaser to submit any personal data or information or whatever documents, which proves the buyer’s identity. Acquisition of mobile number from sellers of prepaid sim cards is plain and simple, and the contract of sale is normally verbal. Art. 1403 of the New Civil code provides that “the following contracts are unenforceable, unless they are ratified:(1) Those entered into in the name of another person by one who has been given no authority or legal representation, or who has acted beyond his powers; (2) Those that do not comply with the Statute of Frauds as set forth in this number. In the following cases an agreement hereafter made shall be unenforceable by action, unless the same, or some note or memorandum, thereof, be in writing, and subscribed by the party charged, or by his agent; evidence, therefore, of the agreement cannot be received without the writing, or a secondary evidence of its contents:(a) An agreement that by its terms is not to be performed within a year from the making thereof; (b) A special promise to answer for the debt, default, or miscarriage of another; (c) An agreement made in consideration of marriage, other than a mutual promise to marry; (d) An agreement for the sale of goods, chattels or things in action, at a price not less than five hundred pesos, unless the buyer accept and receive part of such goods and chattels, or the evidences, or some of them, of such things in action or pay at the time some part of the purchase money; but when a sale is made by auction and entry is made by the auctioneer in his sales book, at the time of the sale, of the amount and kind of property sold, terms of sale, price, names of the purchasers and person on whose account the sale is made, it is a sufficient memorandum; (e) An agreement of the leasing for a longer period than one year, or for the sale of real property or of an interest therein; (f) A representation as to the credit of a third person.(3) Those where both parties are incapable of giving consent to a contract”. Since the cost of prepaid sim cards ranges from Php50 to Php 300, the same is not covered by the statute of frauds and does not require any form for its validity or enforceability. The mobile number acquired from buying a sim card does not of itself qualify as a personal information. The owner’s identity is not apparent nor can it be reasonably ascertained from the mobile number. Black’s law define apparent as that which is obvious, evident, or manifest; what appears, or has been made manifest; appearing to the eye or mind. Walker v. John Smith, T., 199 Ala. 514, 74 So. 451, 453; in respect to facts involved in an appeal or writ of error, that which is stated in the record. An error discovered by close scrutiny of the entire evidence is not “apparent.” Stewart v. McAllister, Tex.Civ.App., 209 S.W. 704, 706. Obviously, the mobile number cannot patently and conspicuously show the identity of its owner. A stranger who came to know the mobile number of another cannot from identify the latter by just knowing latter’s mobile number. Even a reasonable diligent person cannot easily identify a person’s identity by simply reading or looking at the mobile number. Thus, it can be said that the mobile number acquired from prepaid sim cards does not qualify under the first criteria as personal information. Since the source of the mobile number does not require the buyer’s identity, the telephone company or the service provider of the mobile number, cannot identify the owner of the said number. There will be no way that a person can be identified by a mobile number because tracing its origin will not reveal the buyer’s identity. Even applying the second criteria, a mobile number acquired from sim cards cannot stand to identify a person. If other information will be match with the mobile number, such as the birth date or the address of the owner, there is still no way to determine the identity of the person owning such information. Let us take for example Mr.X, who bought a sim card from a vendor in Quiapo. Mr.X will now have a mobile number even if the vendor does not know his personal identity or even his name. Suppose, Mr.X gave his mobile number to Ms. J, a seller of prepaid loads, and she gave Mr.X’s number to Mr.A. Mr.A, who now acquires the mobile number of Mr.X, cannot, from the mobile number alone, identify Mr.X, nor can he reasonably ascertain from the mobile number of Mr.X, the latter’s personality. Even if Mr.A knows other information regarding MR.X, connecting the other information with the mobile number will not lead to identifying MR.X. The reason is simple the mobile number has no link to Mr.X. The mobile number can be replace by Mr. X, as quick as when he bought the sim card from the vendor in Quaipo. Therefore, if the object is a mobile number acquired from prepaid sim card, no violation of the data privacy act can be committed by disclosing the mobile number of a person to another even if without the latter’s consent. The mobile number acquired from prepaid sim card is not a protected personal information under the data privacy act, in other words, it is beyond the scope of protected right under the law. Hence, if the object of disclosure is not within the coverage of personal information as defined under the law, no violation can be committed by disclosing it to others, regardless of the personality, status, or position of the owner or the giver.
A postpaid line contract with any telephone company requires a rigid process as compared to the simple purchase of the prepaid sim card. Normally, telephone company provides for three ways to apply for postpaid line connection. One who intend to avail of the postpaid line connection can apply online, or via telephone, or by visiting the company’s sales office. The applicant needs to fill out an information sheet covering personal data such as name, age, address, occupation, date of birth, nationality, civil status, contact details, gender and other matters of the same kind and nature. This application form has an agreement clause providing that the applicant agrees to the term and condition of the subscription contract and the applicant must sign it as a form of consent. The telephone line company will require the applicant to submit proof of billing, proof of identification, proof of financial capacity. Proof of billing includes Company I.D. (from top 8000 corporations), Credit card billing statement, driver’s license, postal ID, BIR forms, electric bill, Bank statement, rental lease contract, and other utility statement of account. Proof of identification are the following Philippine passport or Foreign Passport, Driver’s License, Professional Regulations Commission (PRC) ID, National Bureau of Investigation (NBI) Clearance, Police clearance, Postal ID, Voter’s ID, Barangay certification, Government Service Insurance System (GSIS), Social Security System (SSS) card, Overseas Workers Welfare Administration (OWWA) ID, OFW ID, Seaman’s Book, Alien Certificate of Registration (ACR)/Immigrant Certification of Registration, Government Office and GOCC ID e.g. Armed Forces of the Philippines (AFP ID), Home Development Mutual Fund (HDMF ID), Certification from the National Council for the Welfare of Disabled Persons (NCWDP), Department of Social Welfare and Development (DSWD) Certification, Major Credit Cards, Bureau of Internal Revenue (BIR) Taxpayer’s ID, Firearms License, National ID, Work Permit,
Diplomat ID, Philippine Leisure and Retirement Authority (PLRA) ID, Company IDs issued by private entities or institutions registered with or supervised or regulated either by the BSP, SEC or IC, Philhealth Card, Immigrant Certificate of Registration, Other valid IDs issued by the Government and its instrumentalities. Proof of financial capacity requires income tax return or certificate of employment. Clearly, obtaining a mobile number thru a postpaid line agreement will also require personal information of the owner. Thus, there is a link between the mobile number and the owner thereof. However, notwithstanding the voluminous documents required, the identity of the owner cannot be reasonably ascertain or is apparent from the mobile number alone. A person, who happens to obtain the mobile number under the subscription contract, will not be able to trace the personality or identity of the owner thereof. Therefore, under the first criteria of personal information under the data privacy act, a mobile number even if acquired through postpaid line subscription is not considered a personal information. But it can be submitted that this kind of mobile number will fall within the purview of the second criteria. The mobile number if connected or put together with other information will reveal the identity of its owner. The reason behind this is attributable to the manner on how the mobile number is acquired. The manner of acquisition requires the submission of other personal data. The mobile number is registered in the telephone company under the owner thereof, evidence by the application form and other submitted documents. In case the mobile number is match with other information, for example the account number of the owner, the telephone company can easily determine in its data server the identity of the owner. Moreover, if the object of disclosure is a mobile number acquired from subscription contract, disclosing the same to another without the consent of the owner constitutes as a violation of the data privacy act of 2012.
After the analysis of the intent of the law and the scope of protected rights, an analysis of acts or omission punishable under RA 10173 or the Data Privacy Act of 2012. What kind of disclosure is necessary to be punishable under the law is a mere verbal declaration sufficient, or does it require any kind of form of disclosure? Is the manner of disclosure important or does the presence of any circumstances aggravate or mitigate the act? Section 31 provides for the Malicious Disclosure which covers Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00). Section 32 provides Unauthorized Disclosure. – (a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall he subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00). (b) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00). The law does not mention or does not distinguish verbal and written disclosure; applying the rule on statutory construction that when the law does not distinguish the court may not distinguish, it can be inferred that both verbal and written disclosure of personal information will qualify as a punishable act. Act of disclosing means To bring into view by uncovering, to lay bare, to reveal to knowledge, to free from secrecy or ignorance, or make known.  Hence, a mere disclosure is punishable under the law and the absence or presence of bad faith will only affect the penalty but not the liability. The only thing to determine is the existence of bad faith or malice in the commission of the act. Bad faith means the opposite of “good faith,” generally implying or involving actual or constructive fraud, or a design to mislead or deceive another, or a neglect or refusal to fulfill some duty or some contractual obligation, not prompted by an honest mistake as to one’s rights or duties, but by some interested or sinister motive.
Who can be the violator of this act? Is the disclosure by any person of the mobile number punishable? Under the Data Privacy Act of 2012, the actor should be any personal information controller or personal information processor or any of its officials, employees or agents. Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:(1) A person or organization who performs such functions as instructed by another person or organization; and (2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs. Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
The law does not limit the persons who are protected by it. Any person is protected under the law as long as he did not gave his consent to the disclosure of his mobile number. Consent refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
In the light of the analysis of the law, it can be concluded that a disclosure by any Personal Information Controller and Processor of the mobile number, acquired through a postpaid line subscription, without the consent of the owner, is punishable under the Data Privacy Act of 2012.
 Black’s law dictionary 4th edition page 1358
 Ople vs Torres G.R. No. 127685. July 23, 1998]
 Section 3 par.g of RA 10173
 Black’s law dictionary 4th edition page 123
 Section 31 of RA 10173 or the Data Privacy Act of 2012
 Black’s Law Dictionary 4th Edition page 551
 Black’s Law Dictionary 4th Edition page 176
 Section 3 par H of RA 10173 or the Data Privacy Act of 2012
 Section 3 paragraph I of RA 10173 or Data Privacy Act of 2012
 Section 3 paragraph b of RA 10173 or Data Privacy Act of 2012