MANILA, Philippines – Following the decision by the National Privacy Commission (NPC) which found the election commission chief liable for the voters’ data leak in 2016, some lawyers have outlined possible legal scenarios arising from this move. 

In a privacy conference that tackled this data breach on Friday, January 20, a lawyer argued that this could lead to a possible impeachment of Commission on Elections (Comelec) chairman Andres Bautista.

The NPC’s findings “should be forwarded to the House of Representatives for impeachment proceedings, if we are actually serious about sending the message that data privacy is important,” said Romel Bagares of the Center for International Law.

“Of course, that would go through the political process. It’s a different ball game altogether,” added Bagares. “But that in itself is already part of the accountability mechanisms in our penal laws.”

In its decision dated December 28, 2016, the NPC ruled that Bautista is “criminally liable” for violating Republic Act 10173 or the Data Privacy Act, following the leak of voters’ registration data and other election-related records in late March 2016. (READ: Experts fear identity theft, scams due to Comelec leak)

Asked for comment, Comelec spokesperson James Jimenez said that it is proper to follow the current progress of the case.

In a text message to Rappler, Jimenez said, “As far as I know, those findings have been submitted to the Department of Justice. Adhering to that process would be, in my opinion, the proper thing to do.” 

He also said that Bautista “has already expressed his intentions to file a motion for reconsideration.” The Office of the Solicitor General will represent the Comelec. (READ: Comelec’s Bautista: Punish the hackers, not the hacked)

Article XI, Section 2 of the 1987 Constitution states that members of constitutional commissions like the Comelec are among the public officials who “may be removed from office, on impeachment for, and conviction of, culpable violation of the Constitution, treason, bribery, graft and corruption, other high crimes, or betrayal of public trust.”

In April 2016, a month after the data breach, cyberlaw and data privacy lawyers had also argued for the impeachment of Comelec officials on the ground of betrayal of public trust. (READ: Data leak enough to impeach Comelec execs – lawyers)

Scenarios, faults

The panel that tackled the so-called “Comeleak” during the 3rd National Privacy Conference also discussed other scenarios in seeking accountability for the incident.

Lawyer Marlon Tonson of the Philippine Internet Freedom Alliance (PIFA) said that while Bautista may face penalties if proven guilty for the offense, the poll chief as a constitutional officer can only be removed from office via impeachment.

“His case cannot be handled by the Ombudsman or Sandiganbayan right now… It can be filed as a separate criminal case when he steps down.”

Bagares also pointed out that the criminal prosecution in NPC’s decision “was really recommendatory.”

The length of time to resolve the case would likewise come into play, said Bagares. “We will also have to consider how long the process will be. If you refer to the DOJ or the Ombudsman, there’s going to be another procedure for determination of probable cause.”

He also argued that the NPC can impose administrative penalties against Bautista based on its findings, in accordance with related laws like the Administrative Code.

Then, aside from Bautista, “there are other officers who are responsible and accountable for what happened.” said Bagares. “The IT department should have something to answer for what happened.”

For his part, Angel Averia of the Philippine Computer Emergency Response Team (PH-CERT) observed that there was a delay on the Comelec’s part in notifying the NPC after the breach happened. The poll body also “attempted to conceal the scope” of the breach by downplaying it, said Averia.

Averia also said there are various data privacy practices available, despite the Comelec’s claim no implementing rules and regulations (IRR) for the Data Privacy Act had been promulgated at the time.

“So Comelec cannot say that there was no standard that they can look at for data protection.”

Tonson added, “Under the law, the Comelec is supposed to identify who is the responsible data privacy officer. As far as I know, the Comelec did not say who.”

The NPC found that Bautista violated Sections 11, 20, 21 and 22 in relation to Section 26 of RA 10173. Section 26, which penalizes accessing sensitive personal information due to negligence, imposes imprisonment from 3 to 6 years and a fine between P500,000 and P4 million.

Section 36 metes out additional penalties for public officers, consisting in the disqualification from public office for a period equivalent to double the term of criminal penalty. – Rappler.com