Comelec, Smartmatic not liable for 2022 data breach, NPC says

The Commission on Elections (Comelec) and its technology provider for the automated election system (AES) Smartmatic are not liable for the data privacy violations that occurred in 2022, the National Privacy Commission (NPC) stated.

Photo caption: Teachers acting as members of the electoral board conduct the final testing and sealing of vote counting machines (VCMs) at the San Juan Elementary School, witnessed by Commission on Elections (Comelec) Chairman Saidamen Pangarungan, in San Juan City on May 3, 2022, less than a week before the 2022 national and local elections. (Noel B. Pabalate)

This was stated in NPC's decision dated Sept. 22, 2022, which was released by Comelec on Wednesday, Jan. 18, 2023, in relation to the case initiated by the NPC-Complaints and Investigation Division (CID).

According to the statement provided by Comelec spokesperson Atty. John Rex Laudiangco, the CID alleged that the personal data breaches in the servers of Comelec and Smartmatic involved, first, survey forms and, second, an overseas voters list. However, upon investigation, it was found that Comelec and Smartmatic are not liable for Concealment of Security Breaches Involving Sensitive Personal Information under Section 30 of the Data Privacy Act (DPA).

He also mentioned that a violation of Section 30 requires that, first, a personal data breach occurred; second, the breach is one that requires notification to the NPC; and third, the person knowingly conceals the fact of such breach from the NPC. As to the second requisite, the allegedly concealed security breach must be one that requires mandatory breach notification under Section 20(f) of the DPA.

"With respect to the survey forms, the NPC found that while there had been a breach in Smartmatic's servers due to the actions of some of its employees, there is no obligation on the part of Comelec to comply with the mandatory breach notification under Section 11 of NPC Circular 16-03 (Personal Data Breach Management) in relation to Section 20(f) of the DPA," he added.

The NPC's findings also disclosed that, first, the breach does not involve sensitive personal information or information that may be used to enable identity fraud, and second, the unauthorized acquisition is not likely to give rise to a real risk of serious harm.

Laudiangco also stated that the breach in the servers does not require mandatory breach notification to the NPC. Since Comelec and Smartmatic had no obligation to notify the NPC of the breach under Section 20(f) of the DPA, neither may be held liable for violation of Section 30 of the DPA. On the issue of the overseas voters list, it was not sufficiently proved that the list containing the personal data of 138,900 individuals came from a breach of Smartmatic's and Comelec's servers.

Moreover, the list contained data fields for height and weight, which Comelec does not collect in any of its voter registration forms. The NPC found that there was no breach in Smartmatic's servers in relation to the overseas voters list.

"CID could not provide substantial evidence that directly links the alleged breach in Smartmatic's servers to Comelec's servers or system. Thus, Comelec may not be held liable for violation of Section 30 of the DPA in relation to the overseas voters list," Laudiangco explained.

He added that the "triumph" of Comelec's "transparency and integrity" in this case further validates the resounding success of the May 9, 2022 National and Local Elections.

Cybersecurity Division

In a separate statement, Laudiangco said that in the coming months Comelec will create its own Cybersecurity Division under the poll body's Information and Technology Department. He mentioned that some Comelec officials and staff are undergoing cybersecurity training for this new division, which is needed now.

Even before the NPC's decision came, he said, Comelec has been fully committed to following the Data Privacy Act of 2012 (RA 10173). Proof of this, according to him, is the creation of Comelec's own Data Privacy Management Policies, which are based on RA 10173 and approved by the NPC.

He said that this decision makes it clear that no data breach occurred with any server or with any of Comelec's IT equipment. He stressed that the data of the voters, especially data pertaining to the elections, are safe and secure.