The Philippines House of Representatives recently approved the SIM-Card Registration Act, a measure that requires the registration of subscriber identity module (SIM) cards. It is expected to benefit the country by enabling SMEs engaged in e-commerce and engendering consumer trust in a fast-growing identity-linked digital services society. The National Privacy Commission (NPC) Commissioner, Raymund E. Liboro, issued a statement that said that the bill is welcome amid rapid digitalisation driven by the pandemic, which has resulted in an unprecedented rise in e-commerce, fintech, and mobile services. The bill aims to promote accountability and help enforcement agencies track down criminals through mobile phones with pre-paid and post-paid SIM cards.
Liboro explained that under these circumstances the need to know your customer or know your caller becomes imperative not only to protect the public from ICT-enabled scams and frauds but to build consumer and business confidence to engage productively in the digital economy. However, NPC has also maintained that mandatory SIM-card registration will succeed only under a framework of guaranteed privacy protection for mobile users. At present, the Data Privacy Act (DPA) of 2012 protects citizens’ privacy and ensures that the data privacy rights of mobile users are upheld. Liboro noted that the approved bill comes at a time when the country has put in place a foundational platform for identification, which can strengthen trust in the registration of SIM cards.
As a foundational platform, the Philippine Identification System Act (PhilSys) establishes a single source of truth for identification. With PhilSys, validating identities is no longer a barrier in SIM-card registration proposals. PhilSys is the government’s unified, centralised form of identification for Filipino citizens and resident aliens. PhilSys aims to transform how services are delivered and accessed in the Philippines and accelerate the country’s transition to a digital economy, including promoting paperless and cashless transactions.
The House approved the proposed SIM-Card Registration Act earlier this month. A similar measure has been filed in the Senate. The bill includes a confidentiality clause that prohibits disclosing any information of a subscriber, unless upon subpoena or order from a court or written request from a law enforcement agency about an investigation that a particular number is used in the commission of a crime.
Under the bill, every public telecommunication entity (PTE) or direct seller shall require the end-user to present valid identification to register a SIM. PTEs or telcos must provide the data protection citizens expect. They are required by the DPA to afford appropriate organisational, technical, and physical security measures to secure the personal data they will collect and prevent its unauthorised use and abuse. Under the DPA, telcos are required to conduct privacy impact assessments, enable their employees and supply chains on data security and privacy to prevent data breaches, and ensure end-to-end protection of personal data.
The final version of the proposed law must clearly articulate the requirements for the implementation of data security measures by entities identified to handle SIM-card registration. These entities must be held accountable for any violation of data privacy rights under the DPA. Furthermore, the final version should provide sufficient time for registration to prevent mobile users from being unjustly cut off from enjoying mobile services due to a limiting SIM-card registration period. Liboro further stated that NPC will continuously perform its regulatory function and assess the potential risks of the proposed law and provide practical recommendations to mitigate these risks so mobile users can be protected.