The National Privacy Commission (NPC) has cleared the Commission on Elections and the Smartmatic Group of Companies of alleged violation of the Data Privacy Act (DPA) over the supposed breach of election data during the 2022 national and local polls.
This was announced by Comelec spokesperson Rex Laudiangco in a press statement Wednesday.
The 31-page decision was promulgated on September 22, 2022, but Laudiangco said they were only notified of the decision on Tuesday.
It was signed by Deputy Privacy Commissioner Leandro Angelo Aguirre and concurred in by Privacy Commissioner John Henry Naga.
“Wherefore, premises considered, this Commissioner hereby…DISMISSES the case against Commission on Elections and the Smartmatic Group of Companies for lack of merit,” the decision read.
While it dismissed the case against the Comelec and Smartmatic, the NPC found former Smartmatic employee Ricardo Argana, a certain Winston Steward, and other unknown individuals to have violated Section 29 of the DPA.
The NPC ordered that the decision be forwarded to the secretary of the Department of Justice and recommended the prosecution of Argana, Steward and the said unknown individuals.
According to the facts of the case, Argana, through his sworn testimony, claimed that he received a private message from Steward through Facebook Messenger, promising to pay him P50,000 to P300,000 in exchange for giving access to his computer while connected to Smartmatic’s servers.
Argana said that when he went to the Comelec office for work, he gave access to his computer using an application through the internet while connected to Smartmatic servers in the last week of December 2021.
Although he accomplished his end of the deal, Argana said Steward did not pay him.
“The Commission notes that there is no evidence on record that shows that there was lack of reasonable and appropriate security measures that could have resulted in the breach. Smartmatic’s servers or system being breached was caused by employee malfeasance. While there is no security measure that is 100% effective, this becomes all the more true when there is employee malfeasance involved,” the NPC decision read.
“Nevertheless, it remains the obligation of PICs to take proactive steps to ensure that its security measures minimize, if not altogether eliminate, these risks. The inevitability of breaches should not give rise to indolence but instead spur action. After all, the protection of our fundamental human right to privacy is at stake.”
The case was filed by the NPC Complaints and Investigation Division (CID) which alleged that the personal data breaches in the servers of Comelec and Smartmatic involved survey forms and overseas voters list.
However, the NPC found that the Comelec and Smartmatic are not liable for concealment and security breaches involving sensitive personal information under Section 30 of the DPA.
Laudiangco explained that violation of Section 30 of the said law requires that a personal data breach occurred; the breach is one that requires notification to the NPC; and the person knowingly conceals the fact of such breach from the NPC.
“The Commission acknowledges that there had been a breach in Smartmatic’s servers through the acts of [former Smartmatic employee Ricardo] Argana, [Winston] Steward, and other unknown individuals. The Commission, however, finds that there is no obligation on the part of COMELEC, the Personal Information Controller (PIC), and Smartmatic, the Personal Information Processor (PIP) to report the breach to the Commission because the first and third requisite for mandatory breach notification are not present,” the decision read.
The NPC said the breach of the survey forms does not involve sensitive personal information or information that may be used to enable identity fraud, and that the requirement that its unauthorized acquisition be likely to give rise to a real risk of serious harm is also not present.
The privacy commission likewise cleared the Comelec and Smartmatic of the alleged violation of Section 30 of the DPA in relation to the overseas absentee voters list.
It said that the NPC CID “failed to sufficiently prove: that the list containing personal data of around 138,900 individuals were from the alleged breach of Smartmatic or Comelec’s servers.”
The NPC noted that the list presented by the CID contained information on height and weight which were not collected by the Comelec.
“Thus, in comparing CID’s artifacts to Comelec’s sample registration forms that have been used in the past several elections, the irregularities between the two opposing evidence cast doubt on the veracity and authenticity of CID’s evidence,” the decision read.
Laudiangco said the “triumph of Comelec’s transparency and integrity in this case further validates the resounding success of the May 9, 2022 National and Local Elections.” –LDF, GMA Integrated News