MANILA, Philippines — The National Privacy Commission (NPC) has dismissed a case against the Commission and Elections (Comelec) and its election software partner Smartmatic over data privacy violations.
According to the Comelec in a statement on Sunday, the NPC, through a decision dated Sept. 22, found the two “not liable” for Concealment of Security Breaches Involving Sensitive Personal Information under Section 30 of the Data Privacy Act (DPA)
“The CID (Complaints and Investigation Division) alleged that the personal data breaches in the servers of survey forms and Smartmatic involved first, survey forms and second, overseas voters list,” said NPC.
“However, upon investigation, it was found that Comelec and Smartmatic are not liable for Concealment of Security Breaches Involving Sensitive Personal Information under Section 30 of the Data Privacy Act (DPA),” it added.
According to the NPC, Violation of Section 30 requires that first, a personal data breach occurred, second, the breach requires notification to the PC, and third, the person knowingly conceals the fact of such breach from the NPC.
The alleged concealed security breach must also require mandatory breach notification under Section 20 of the DPA.
However, the NPC found that while there was indeed a breach, “it did not involve sensitive personal information or information that may be used to enable identity fraud.”
“The unauthorized acquisition is not likely to give rise to a real risk of serious harm,” it said.
“Thus, the breach in the servers does not require mandatory breach notification to the NPC. And since the COMELEC and Smartmatic do not have an obligation to notify the NPC of the breach under Section 20(f) of the DPA, both may not be held liable for violation of Section 30 of the DPA,” it added.
Overseas voters list
Meanwhile, the NPC also said that it was not “sufficiently proved” that the list containing the personal data of at least 139,100 individuals came from a breach of Smartmatic and Comelec servers.
Apart from this, the list contains data fields for height and weight, which Comelec does not collect in any of its forms for voter registration.
Thus, the NPC concluded that no breach occurred in Smartmatic’s servers concerning the overseas voters’ list.
“CID was not able to provide substantial evidence that directly links the alleged breach in Smartmatic’s servers to Comelec’s servers or system. Thus, Comelec may not be held liable for violation of Section 30 of the PA in relation to the overseas voters list,” it said.