National Privacy Commission

NPC clears Comelec, Smartmatic of data privacy violation over breach in 2022

Dwight de Leon

This is AI generated summarization, which may have errors. For context, always refer to the full article.

NPC clears Comelec, Smartmatic of data privacy violation over breach in 2022

Nico Villarete/Rappler

(1st UPDATE) Philippine privacy officials say the Comelec and Smartmatic did not deliberately conceal security breaches involving sensitive personal information

MANILA, Philippines – The National Privacy Commission (NPC) said the Commission on Elections (Comelec) and software provider Smartmatic were not liable of violating the Data Privacy Act, in connection with a server breach that gripped the electronic voting firm in the run-up to the 2022 elections.

The NPC dismissed the complaint against the Comelec and Smartmatic in a decision dated September 22, 2022, but the Comelec said it was only notified about the decision on Tuesday, January 17.

The Comelec subsequently notified the media on Wednesday, January 18. The NPC later clarified, “September 22 is the date of the adjudication meeting, and the drafting, review, and mailing process is the reason why it only reached the Comelec now.”

The ruling also recommended prosecution only for certain individuals: the rogue Smartmatic employee who shared his credentials to someone he met via FB Messenger, and that third-party individual who bribed the fired staff.

What happened

The Comelec was put in hot water in January 2022 after a Manila Bulletin report claimed that hackers supposedly breached the poll body’s servers. The commission eventually denied this.

Two months later, the Senate electoral reforms panel insisted there really was a data breach, but involving Smartmatic’s servers.

The National Bureau of Investigation said in April that Smartmatic employee Ricardo Argana whose laptop had access to the company’s network gave his credentials to someone who contacted him via FB Messenger (a certain Winston Steward) in exchange for cash. Smartmatic told a Senate panel that the staff had been fired, but insisted no data in connection with the 2022 elections were affected.

In its decision in September, the NPC said it did not find the Comelec and Smartmatic liable of deliberately concealing security breaches involving sensitive personal information, an act punishable under the Data Privacy Act.

In order for the Comelec and Smartmatic to be held liable, three factors must have been present: (1) a personal data breach occurred, (2) the breach is one that requires notification to the commission, and (3) the person knowingly conceals the fact of such a breach from the commission.

“The [NPC] notes that there is no evidence on record that shows that there was a lack of reasonable and appropriate security measures that could have resulted in the breach. Smartmatic’s servers or system being breached was caused by employee malfeasance,” the ruling read.

Argana, Steward, and other unknown individuals, however, are liable of committing intentional breach or unauthorized access under the Data Privacy Act, the NPC said.

“[T]hey broke into Smartmatic’s servers that store personal or sensitive personal information. These individuals are recommended for prosecution to the Department of Justice,” the ruling read.

NPC clears Comelec, Smartmatic of data privacy violation over breach in 2022

The 2022 elections concluded with Ferdinand Marcos Jr. and Sara Duterte elected president and vice president, respectively.

While there have been reports of election day irregularities, there is so far no compelling evidence to determine that the automated polls have been rigged. –

Add a comment

Sort by

There are no comments yet. Add your comment to start the conversation.

Summarize this article with AI

How does this make you feel?

Download the Rappler App!
Avatar photo


Dwight de Leon

Dwight de Leon is a multimedia reporter who covers President Ferdinand Marcos Jr., the Malacañang, and the Commission on Elections for Rappler.