The Commission on Elections (COMELEC) and its service provider, Smartmatic, have been cleared by the National Privacy Commission (NPC) of having violated the Data Privacy Act (DPA) for allegedly concealing last year’s breach and hack of the poll body’s servers.
“The National Privacy Commission (NPC) has found that COMELEC and Smartmatic are not liable for data privacy violations, according to its Decision dated 22 September 2022 in a case initiated by the NPC-Complaints and Investigation Division (CID),” COMELEC Spokesperson John Rex Laudiangco said in a statement.
The lawyer noted that the case stemmed from the CID’s discovery that “the personal data breaches in the servers of COMELEC and Smartmatic involved first, survey forms and second, overseas voters list.”
“With respect to the survey forms, the NPC found that while there had been a breach in Smartmatic’s servers due to the actions of some of its employees, there is no obligation on the part of COMELEC to comply with the mandatory breach notification under Section 11 of NPC Circular 16-03 (Personal Data Breach Management) in relation to Section 20(f) of the DPA,” Laudiangco cited.
The lawyer explained that three requirements should be met for concealment of security breaches involving sensitive personal information under Section 30 of the DPA, one of which is that “the breach requires notification to the NPC.”
Prior to the May 9 elections last year, it was discovered that an employee of Smartmatic allowed his laptop to be used by a certain group in downloading contents.
On the issue of the overseas voters list, Laudiangco said “it was not sufficiently proved that the list containing the personal data of 138,900 individuals came from a breach of Smartmatic and COMELEC’s servers.”
“Moreover, the list contained data fields for height and weight, which are not collected by COMELEC in any of its forms for voter registration,” he added.