MANILA, Philippines – The Commission on Elections (Comelec) has been given 24 hours from Monday, April 25, to act immediately on the massive online leak of voters’ personal information, and to comply with privacy law in updating voters on what happened to their data.

The demand was made by Jose Ramon Albert, a senior research fellow of the Philippine Institute for Development Studies (PIDS) and former head of the now-defunct National Statistics Coordination Board (NSCB).

Albert, through law firm CenterLaw Philippines, wrote to Comelec Chairman Andres Bautista to demand that the Comelec “take immediate steps” in response to the massive data breach.

“In our demand letter, we are giving the Comelec 24 hours from receipt – they have until tomorrow [Tuesday] at 11:15 in the morning – to reply to our demand and inform us of the steps they have already taken or are being taken by the Commission,” explained lawyer Romel Bagares, executive director of CenterLaw Philippines.

Through the letter, the Comelec was formally asked to notify “as required by law the [National] Privacy Commission and all 55 million registered Filipino voters” of the hacking and data leak incidents, “including the exact nature of the information released.”

Albert also wanted to know the measures taken by the Comelec to address the breach, and sought for the names of officials “designated by the Comelec as accountable for its compliance with the law.”

These requirements, said CenterLaw, are mandated in Republic Act 10173 or the Data Privacy Act of 2012.

Comelec given 24 hours to respond to CenterLaw, @toots_albert‘s demand letter. @rapplerdotcom pic.twitter.com/uQevYEfwcE

— Michael Bueza (@mikebueza) April 25, 2016

“They have different modes of communication, not just those that are web-based. You have the traditional media, you have the radio, and it should be done on the national level,” said Bagares.

“We need to hear officially from the Comelec, because that’s its duty under the Data Privacy Act. And they have basically failed to do that for the last 3 or 4 weeks,” he added.

Albert made the demands as a private citizen “as a service to the public and to protect his own informational privacy.” 

Anonymous Philippines defaced the Comelec’s website on March 27. Shortly after, a separate group of hackers obtained the database from the website, containing records of over 55 million registered voters, and leaked it online. (READ: Experts fear identity theft, scams due to data leak)

The issue reached a whole new level on April 21, when a website posted the voter records and allowed these to be searchable by online users. The website has since been inaccessible.

While the Comelec has 24 hours to respond to the demand letter, Bagares clarified that the Comelec’s reply would not stop Albert and other camps from availing themselves of legal remedies, including a class suit against the poll body.

“The criminal or the administrative complaint, it’s different, because these will pertain to what we believe is the negligence of the Comelec,” he said.

Also, Bagares noted that it would still file an administrative complaint before the National Privacy Commission after the 24-hour deadline.

‘We’re all at risk’

Albert said that in statistics and census taking, they ensure that personal private information or respondents are not shared to the public. But the Comelec leak exposed voters’ basic and sensitive personal information online. (READ: After Comelec data leak, what to do to protect yourself?)

“I felt so vulnerable. I felt [we’re] being violated, that every single information that the Comelec asked of me – which I thought they would be using for their own purposes – was just made public,” Albert said.

“All of a sudden, someone can just put information together and target you. Everybody can be a target…. We’re all at risk,” emphasized Albert. “We have to start [acknowledging] that it’s a really, really big problem.”

Bagares then noted that the poll body “has been obscuring the true nature of what happened” and denying the seriousness of the hacking incident.

“They are saying that the personal information taken by the hackers, in any case, were the same information that are already publicly available” and on social media, which was “bollocks,” argued Bagares.

“They have been misrepresenting the true magnitude of what happened. That is what makes us really angry about the whole thing.”

He added, “All government agencies concerned with data privacy should put their acts together and come up with a solution to this problem.” – Rappler.com