SIM Registration Act of 2022: Challenging the Future of PH Communication and Cybersecurity
Stepping Stones Towards a New Age
President Ferdinand Marcos Jr. recently signed the Republic Act No. 11934, more commonly known as the Subscriber Identity Module (SIM) Registration Act. It was signed on the 10th of October, 2022, and the official registrations commenced on the 27th of December, 2022.
According to the Office of the Press Secretary officer-in-charge, Cheloy Garafil, the SIM Card Registration Act aims to provide “accountability in the use of SIM cards and aid law enforcers to track perpetrators of crimes committed through phones”. The signing of the measure will “significantly boost government initiatives against scams committed through text and online messages, which have become more prevalent this year” (Galvez, 2022).
The RA No. 10173, or the Data Privacy Act of 2012, was the first comprehensive law covering data privacy in the Philippines. It became enforceable on the 8th of September, 2012. The National Privacy Commission (NPC) then filed the Implementing Rules and Regulations (IRR) of RA No. 10173, which became enforceable on September 9, 2016. The IRR provides, in greater detail, the requirements that individuals and entities must comply with when processing personal data and the sanctions for violations of the Act (Mundin, 2022).
The SIM Card Registration Act was implemented to counter the uprising of numerous cybercrimes involving fraudulence, intentional misinformation, and online defamation. Anyone who purchases or has purchased a SIM card must register with telecommunication companies using their real names before activating the card. At the same time, those with pre-existing SIM cards are given up until April 26, 2023, to register with their designated telco companies.
Galvez (2022) stated that SIM Card Registration Act highlights the following:
- Telco companies and main sellers must ask for a document of a valid identification before selling SIM cards.
- Registering a SIM card with illegitimate information, using fake identities, or attempting fraudulent conduct will be subject to punishment.
- Telco companies must give out SIM card owners’ full names and addresses in case of a subpoena or court order.
- People with SIM cards must register with telco companies within a specific time frame. SIM cards will be deactivated if you do not.
- Subscriber SIM cards must be kept on file by telco companies. Companies must submit a list of authorized dealers and agents nationwide quarterly to the National Telecommunication Commission.
- Law enforcement agencies may ask telco companies to look up the owner of a SIM card when they investigate crimes committed through phones.
Cons Outweighing the Pros
On paper, the SIM Card Registration Act poses many benefits as it is a countermeasure to the cyber-related criminal acts witnessed on the Internet. However, the risks and consequences prove the law to be counterproductive.
As IT experts and ICT rights advocates argued, RA 11934 may invade users’ privacy and be ineffective in reducing scams and crimes via text messages or phones.
Cybersecurity policy analyst Mary Grace Mirandilla Santos said last February 2022 that registering SIM cards “has the potential to put the security, privacy, and welfare of citizens at risk,” citing experiences from other developing countries such as Sri Lanka, India, and European Union posing more risks than benefits (Purnell, 2022).
Even though some countries, namely the United Kingdom and the United States, have implemented data privacy acts, it has not stamped out the worst problems concerning data brokers stockpiling your information and selling it, and online advertising industries remain littered with potential abuses (Burgess, 2022). It is even included as one of the reasons former President Rodrigo Duterte vetoed the SIM Registration Act in 2022.
Gregorio (2022) inferred that President Duterte has rejected the bill that requires registering SIM cards and social media accounts over concerns that it may “give rise to a situation of dangerous state intrusion and surveillance.”
A Third-world Country’s Hardships
As the Philippines is a developing country, its cybersecurity is undeniably still far from approaching the necessary effectiveness of preventing cybercrimes and malpractices. Regarding the response to these issues, the nation is still mainly in a reactive and manual state.
The finding of Sophos, a security software and hardware company, showed that 69% of the organizations in the Philippines experienced cyber-attacks or ransomware attacks. This result is higher than reports from past years, wherein only 42% of Philippine firms had issues with ransomware attacks in 2020 and a lower rate of 30% in 2019 (Modgil, 2022). This shows the drastic increase in the Philippines’ vulnerability towards cybercrimes as it shifted to a more digitally immersed nation due to the impact of the pandemic.
We are not the first ones
Anyhow, the Philippines is not the first country to impose a law like this. Today, there are about more than 150 countries that, in some sort, implement an act covering the privacy of their citizens. Most of these laws are influenced substantially by the European Union’s General Data Privacy Regulation or GDPR, but with many variations in such implementations (Greenleaf, 2022).
The GDPR is a guideline set by the union to help companies around the world guide and regulate their customers’ privacy and personal information. GDPR was aimed to help with processing information and personal data of those who are “EU citizens” or are part of the European Economic Area. Since then, countries, even those not part of the EU territory, have adopted a similar law to implement in their country.
Currently, as reported by the European Commission, the GDPR is almost entirely implemented across the EU though some countries — it namechecks Slovenia — have dragged their feet (Bluestone, 2021). Since then, changes and adjustments have been made to comply with the law, one of which is shutting down privacy shields. Essentially, Privacy Shields allow out-border investors such as the United States to monitor the data of those that are citizens of the EU as long as companies have signed into their higher privacy standards. Nevertheless, since the law’s implementation and through Austrian privacy advocate Max Schrem, the EU struck down Privacy Shields, leaving American SMEs no choice but to adapt to the EU standards.
Another country that imposes a similar and new law is Sri Lanka, which enacted the law last March 2022. They are also the first South Asian country to have the law. Since the GDPR of the EU heavily influences the law, it imposes many of its provisions on the corporations and businesses that are responsible for controlling and ensuring data security. As Nahra et al. (2022) concluded, the Act applies to companies and does not apply to personal information processed “purely for personal, domestic or household purposes” by individuals.
Undoubtedly, the United States has data privacy laws that may be similar to the Europeans, but they still have their differences. Arguably, the most significant difference in US legislation versus the EU is the need for a comprehensive data privacy law that applies to all types of data and all U.S. companies. Instead, American law takes a more fragmented approach with various regulations governing different sectors and data types (Pop, 2022).
One known law in America is the California Privacy Rights Act which will be freshly implemented in the first month of 2023. As cited by Bluestone (2021), the law provides such high amounts of security to its citizens that it goes to such lengths to protect Californian’s sensitive data, including their race, ethnicity, gender, sexual orientation, health data, and government IDs.
Mutual Circumstances
Nonetheless, with everything that these laws provide to ensure a safe and foolproof system, there are still concerns and issues that they are attending to. Since the GDPR went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding (Burgess, 2022). Major problems before its implementation still exist four years into it. Brokers are still collecting private digital information and selling it. At the same time, online advertising industries are still polluted with potential abuses.
“To say that GDPR is well enforced, I think it is a mistake. It is not enforced as quickly as we thought,” says Roman Robert, a program director at NOYB, a nonprofit. Burgess (2022) mentioned that the nonprofit’s complaints centered on alleging specific sites such as Google, WhatsApp, Instagram, and Facebook to force people into giving up their information without their consent. Surprisingly, the first time the group complained was four years ago, and they still have not received a single response that speaks volume about how unprepared companies and the government are. Furthermore, to think that these countries belong in the first world can be baffling compared to what can happen to the Philippines.
While the country has had a lot of developments and improvements over the years, it is undeniable that it still needs more development in its cybersecurity.
According to an article by Castillo (2022), cybersecurity statistics and reports all indicate that the Philippines is a hotspot for cyber-attacks. In banking, the Bankers Association of the Philippines (BAP) reported that P1 billion was lost in 2021 alone due to fraud and unauthorized withdrawals. The country also stands in fourth place globally as one of the most targeted by web threats in 2021.
Castillo (2022) added four reasons why these are happening even to this date, wherein technology should be advanced enough to stop heinous cybersecurity crimes.
- First, the government needed to be more proactive and hands-on in ensuring cybersecurity laws are in place to prevent crimes. Then, she mentioned
- Second, the country gives low prioritization to ICT-related issues, especially cybersecurity.
- Third, although improving, the strength of cybersecurity is still not up to be improved and going back to the second reason, it is mainly because the government needs to treat it as a priority.
- The last reason she gave was that this was also an issue of disproportionality. The budget to fight cybersecurity attacks is significantly low, resulting in poor security conditions.
A Challenge for Everyone
Although having a law like the Data Protection Act or the GDPR that would protect citizens from cybersecurity attacks and cyber information theft is necessary, focusing on existing issues and attending to them are much needed.
The government must learn what to prioritize better and what could be improved to stop issues from happening now. Keeping up and battling current cyberattacks are already hard and a challenge for the country, and with the lack of support from government organizations, how can we be so sure that adding a new law would cause better than harm?
How can we ensure that infiltration and hijacking will not happen if present issues and concerns that exist to this day are yet to be resolved? Moreover, is there an assurance that every individual’s private data and information will not be exposed now that the act is already in place?
This challenge will test this country’s preparedness, prioritization, and quality of cybersecurity and government agencies. And it is upon us to stipulate for good results while being vigilant with hopes that the law will be one of the pillars for cybersecurity improvements in the Philippines.
REFERENCES:
Bluestone, D. (2021, February 22). State Of GDPR In 2021: Key Updates And What They Mean. Smashing Magazine. https://www.smashingmagazine.com/2021/02/state-gdpr-2021-key-updates/
Burgess, M. (2022, May 23). How GDPR is Failing. Wired. https://www.wired.co.uk/article/gdpr-2022
Castillo, C. (n.d.). Philippine Cybersecurity in Retrospect (2016–2021). National Defense College of the Philippines. https://www.ndcp.edu.ph/philippine-cybersecurity-in-retrospect-2016-2021/#:~:text=Challenges%20and%20Implications%20to%20Philippine,to%20fraud%20and%20unauthorized%20withdrawals
Galvez, D. (2022, October 10). Bongbong Marcos signs SIM Card Registration Act. Inquirer. https://newsinfo.inquirer.net/1677723/fwd-marcos-jr-signs-into-law-sim-card-registration-act
Greenleaf, G. (2022, June 16). Now 157 Countries: Twelve Data Privacy Laws in 2021/22. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4137418
Gregorio, X. (2022, April 15). Duterte rejects bill requiring SIM card, social media account registration. Philstar Global. https://www.philstar.com/headlines/2022/04/15/2174584/duterte-rejects-bill-requiring-sim-card-social-media-account-registration
Modgil, S. (2022, June 22). A quick look at the state of cybersecurity in the Philippines. CIO South-East Asia. https://ciosea.economictimes.indiatimes.com/news/security/a-quick-look-at-the-state-of-cybersecurity-in-the-philippines/92335133
Mundin, M. (2022, October). Philippines — Data Protection Overview. OneTrust DataGuidance. https://www.dataguidance.com/notes/philippines-data-protection-overview#:~:text=10173
Nahra, J. et al. (2022, March 30). Sri Lanka Becomes the First South Asian Country To Pass Comprehensive Privacy Legislation. WilmerHale Privacy and Cybersecurity Law. https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20220330-sri-lanka-becomes-the-first-south-asian-country-to-pass-comprehensive-privacy-legislation
Pop, C. (2022, September 27). EU vs. US: What Are the Differences Between Their Data Privacy Laws? Endpoint Protector. https://www.endpointprotector.com/blog/eu-vs-us-what-are-the-differences-between-their-data-privacy-laws/#:~:text=What%20is%20the%20US%20equivalent,and%20use%20their%20personal%20information
Purnell, K. (2022, October 11). SIM Card Registration Act: Pros and cons. Philstar Global. https://www.philstar.com/lifestyle/gadgets/2022/10/11/2215885/sim-card-registration-act-pros-and-cons
TrendMicro Inc. (n.d.). EU General Data Protection Regulation (GDPR). https://www.trendmicro.com/vinfo/ph/security/definition/eu-general-data-protection-regulation-gdpr#:~:text=This%20regulation%20is%20called%20the,all%20individuals%20within%20the%20EU
