The Philippines is one of those countries with a data privacy law (“Republic Act 10173 — Data Privacy Act of 2012”) , and according to those I talked with who are familiar with the Philippine law, it is similar to the European General Data Protection Regulation (GDPR). With RA 10173, you expect the government to be the first one to comply, right? Unfortunately, government websites and services are often leaking information to the likes of Facebook and Google. Let’s take a look at some of these sites.
National Privacy Commission (NPC, privacy.gov.ph)
This is the agency created from RA 10173. On their main site, visitors are informed that data is being collected. Their privacy policy specifically mentions a third-party web analytics, WP Statistics.
First, let’s make it clear that I am not a lawyer, nor am I an expert on the data privacy law. If I understand the law correctly, users, in this case, visitors, should be provided an option not to have their data collected, which is not possible on the NPC website. However, they do provide a mechanism to request for your data to be deleted from their database. Fair enough.
One thing the NPC does not disclose is that it is leaking information to Google. Google knows that you are on the NPC website. Check out <https://themarkup.org/blacklight?url=privacy.gov.ph>. Isn’t this a violation of the law?
Department of Information and Communications Technology (DICT, dict.gov.ph)
Similar to the NPC website above, the Department of Information and Communications Technology (DICT) website leaks information to Google. Duckduckgo reports the same tracker, and so does <https://themarkup.org/blacklight?url=privacy.gov.ph>. However, unlike the NPC website, DICT does not provide a privacy policy or notice on its main website.
National Telecommunications Commission (NTC, ntc.gov.ph)
Like the DICT website, the NTC leaks information to Google and does not have an easily discoverable privacy policy or notice (I am still trying to locate it on their website).
Most of the government websites are hosted by iGov and have exactly the same template as DICT and NTC, i.e., they all leak information to Google, and that their privacy policy or notice is a bit difficult to find, if it even exists.
The legislative branch websites, Congress.gov.ph and Senate.gov.ph, both do not have trackers, nor do they have a privacy policy or notice, but then again, they might not need to since they don’t collect any information anyway. The Senate’s website, however, does not encrypt its web traffic (no HTTPS), which does not really matter, except that modern browsers will tag it as not secure.
The Supreme Court website, sc.judiciary.gov.ph, leaks to both Facebook and Google, see <https://themarkup.org/blacklight?url=sc.judiciary.gov.ph>. The Supreme Court has two (2) mobile applications, one on Play Store and one on the App Store. For some weird reason, the mobile app for iOS is not available on both the US and Philippine App Store. The Android version, however, requires access to your storage, camera, files, including photos, and it also collects your location data. Why? Your guess is as good as mine.
As you can see, some government websites (and online services) leak information to Google and Facebook. On each visit, these sites inform Google and/or Facebook without your consent. Whilst there are browsers, as well as browser plug-ins, designed to block these trackers, it still does not make it okay and AFAIK, they’re still not compliant with RA 10173, right? Let us not collect, and worse share, user data without consent. It is not as if there are no alternatives available that are privacy preserving. It is high time that this practice stops!