Metadata and Data Retention Policies
An interesting piece of news from Down Under: Australia’s Privacy Commissioner has come out with a ruling that declares metadata to be personal data.
While this development comes as no surprise to privacy advocates—it has been their position all along—the declaration is quite significant in that it bolsters the chorus of demands for closer scrutiny of the growing number of state-sponsored data retention policies around the world. For quite some time now, governments have downplayed the privacy issues hounding these regulations on the ground that no personal data is actually being collected and retained by telecommunication companies (and the state, by extension).
The Philippines is no stranger to data retention. With little fanfare involved, the National Telecommunications Commission (NTC) came up with a regulatory issuance (MC 04-06-2007) a couple of years ago requiring the country’s telcos to retain communications metadata (voice and non-voice records) supposedly to aid the agency in the “prosecution of consumer complaints”. Without specifically using the term “metadata”, the circular speaks of records that consist of the “origin, destination, date, time, and duration of communications”.
The Mamasapano debacle that occurred early this year—particularly the Congressional investigations that ensued—partially directed the public’s attention to the data collection (and retention) being implemented today by local telcos. When the legislative inquiry turned to the supposed SMS exchange between the President and the embattled former police chief (then only suspended) Alan Purisima, the Senate requested Smart Communications (presumably the service provider of one or both parties) to produce a record of their communication. In response, Smart was obliged to explain that it is only able to produce metadata records relating to the mobile phone activities of its customers, and only upon a court order or written consent of the subscriber/s involved—a claim echoed by its main rival, Globe.
Surprisingly enough, Smart’s implied admission of the existence of a data retention regime garnered no adverse reaction or additional scrutiny. Not even the media—usually averse to the mere notion that the anonymity of their sources is at risk—seemed bothered. They did not appear to take issue with the fact that any communication records they may have with their confidants are retained for a period of time, during which they are susceptible to interception or access by overzealous members of the country’s intelligence and law enforcement agencies (or maybe even other private entities).
To its credit, the NTC memorandum circular does provide, on its face, some control or protection against unlawful access. It states that access to a record shall only be in relation to a complaint filed before the Commission, and that retention shall only be for a limited amount of time unless case resolution calls for an extended retention period as determined by the NTC.
Nevertheless, absent any effective oversight mechanism (which appears to be the case here), the operationalization of the policy remains suspect and vulnerable to possible abuse by state agencies, or illegal access by third parties. Indeed, is there an independent and impartial party that can confirm whether the supposed built-in protections are in fact being observed? Who sets the standards against which the measures adopted by telcos to ensure the security and/or confidentiality of the personal data in their possession will be assessed? How does the policy reconcile itself with the much more recent Data Privacy Act?
Under the current legal regime of the Philippines, one government entity actually stands out as the ideal oversight body to address this matter: the National Privacy Commission. Too bad this option falls flat on its face, considering the Commission remains nonexistent today, for reasons only the President (charged with appointing the members of the privacy agency) seems to know.
Consequently, mobile phone users (especially members of the media, whistleblowers, and activists) in the country need to be constantly aware of the fact that somewhere out there, records of their calls and messages are being kept. Unless they have access to any encryption apparatus that would assure the confidentiality of their mobile phone communications, it is probably best that they avail of more secure communication media.
Meanwhile, the NTC would do well to take note of the Oz ruling and the latter’s implications for its data retention issuance, along with the eventual implementation of the Philippines’s very own data privacy law.