NPC dismisses case accusing Comelec, Smartmatic of data privacy violations | Inquirer News

By: - Reporter / @zacariansINQ
/ 07:47 PM January 18, 2023

MANILA, Philippines — The National Privacy Commission (NPC) has dismissed a case against the Commission on Elections (Comelec) and its election software partner Smartmatic over data privacy violations.

According to the Comelec in a statement on Sunday, the NPC, through a decision dated Sept. 22, found the two “not liable” for Concealment of Security Breaches Involving Sensitive Personal Information under Section 30 of the Data Privacy Act (DPA).

“The CID (Complaints and Investigation Division) alleged that the personal data breaches in the servers of survey forms and Smartmatic involved first, survey forms and second, overseas voters list,” said NPC.

“However, upon investigation, it was found that Comelec and Smartmatic are not liable for Concealment of Security Breaches Involving Sensitive Personal Information under Section 30 of the Data Privacy Act (DPA),” it added.

According to the NPC, a violation of Section 30 requires that, first, a personal data breach occurred; second, the breach requires notification to the NPC; and third, the person knowingly conceals the fact of such breach from the NPC.

The alleged concealed security breach must also require mandatory breach notification under Section 20 of the DPA.

However, the NPC found that while there was indeed a breach, “it did not involve sensitive personal information or information that may be used to enable identity fraud.”

“The unauthorized acquisition is not likely to give rise to a real risk of serious harm,” it said.

“Thus, the breach in the servers does not require mandatory breach notification to the NPC. And since the COMELEC and Smartmatic do not have an obligation to notify the NPC of the breach under Section 20(f) of the DPA, both may not be held liable for violation of Section 30 of the DPA,” it added.

Overseas voters list

Meanwhile, the NPC also said that it was not “sufficiently proved” that the list containing the personal data of at least 139,100 individuals came from a breach of Smartmatic and Comelec servers.

Apart from this, the list contains data fields for height and weight, which Comelec does not collect in any of its forms for voter registration.

Thus, the NPC concluded that no breach occurred in Smartmatic’s servers concerning the overseas voters’ list.

“CID was not able to provide substantial evidence that directly links the alleged breach in Smartmatic’s servers to Comelec’s servers or system. Thus, Comelec may not be held liable for violation of Section 30 of the DPA in relation to the overseas voters list,” it said.

JMS