© Copyright Thinc Office Corp. All rights reserved

Disini, Jr. vs Secretary of Justice (2014)

Summary Cases:

Jose Jesus M. Disini, Jr. vs. The Secretary of Justice●

Subject:Strict Scrutiny Standard, Overbreadth Doctrine, As Applied Challenge, Equal Protection Clause, Right toPrivacy, Freedom of Expression, (Online) Libel, Right to Property, Right Against Unreasonable Search,Undue Delegation of Legislative Power

Facts:

Petitioners Jose Jesus M. Disini, Jr. and company, as taxpayers, file a Petition for Certiorari andProhibition under Rule 65, seeking to nullify Sections 4(c)(4), 6, 7, 12 and 19 of RA 10175 (CybercrimePrevention Act of 2012) for violating the fundamental rights protected under the Constitution.

Held:

Strict Scrutiny Standard

1. Petitioners contend that Section 4(a)(1) --which punishes Illegal Access to a computer system-- failsto meet the strict scrutiny standard and should be struck down

2. According to the strict scrutiny standard, a legislative classification that impermissibly interferes withthe exercise of fundamental right or operates to the peculiar class disadvantage of a suspect class ispresumed unconstitutional. The burden is on the government to prove that the classification is necessaryto achieve a compelling state interest and that it is the least restrictive means to protect such interest.Later, the strict scrutiny standard was used to assess the validity of laws dealing with the regulation ofspeech, gender, or race as well as other fundamental rights, as expansion from its earlier applications toequal protection.

3. The Court finds nothing in Section 4(a)(1) that calls for the application of the strict scrutiny standardsince no fundamental freedom, like speech, is involved in punishing what is essentially a condemnableact – accessing the computer system of another without right. It is a universally condemned conduct.

4. With respect to ethical hackers, a client’s engagement of an ethical hacker requires an agreementbetween them as to the extent of the search, the methods to be used, and the systems to be tested.Since the ethical hacker does his job with prior permission from the client, such permission wouldinsulate him from the coverage of Section 4(a)(1).

Overbreadth Doctrine (Data Interference)

5. Petitioners claim that Section 4(a)(3) suffers from overbreadth in that, while it seeks to discouragedata interference, it intrudes into the area of protected speech and expression, creating a chilling anddeterrent effect on these guaranteed freedoms.

6. Under the overbreadth doctrine, a proper governmental purpose, constitutionally subject to stateregulation, may not be achieved by means that unnecessarily sweep its subject broadly, therebyinvading the area of protected freedoms.

7. Section 4(a)(3) does not encroach on these freedoms at all. It simply punishes what essentially is a

© Copyright Thinc Office Corp. All rights reserved

form of vandalism, the act of willfully destroying without right the things that belong to others, in this casetheir computer data, electronic document, or electronic data message. Such act has no connection toguaranteed freedoms.

8. All penal laws, like the cybercrime law, have of course an inherent chilling effect, an in terrorem effector the fear of possible prosecution that hangs on the heads of citizens who are minded to step beyondthe boundaries of what is proper. But to prevent the State from legislating criminal laws because theyinstill such kind of fear is to render the state powerless in addressing and penalizing socially harmfulconduct. Here, the chilling effect that results in paralysis is an illusion since Section 4(a)(3) clearlydescribes the evil that it seeks to punish and creates no tendency to intimidate the free exercise of one’sconstitutional rights.

9. Besides, the overbreadth challenge places on petitioners the heavy burden of proving that under noset of circumstances will Section 4(a)(3) be valid. Petitioner has failed to discharge this burden

Overbreadth Doctrine (Aiding and Abetting)

10. Section 5 (Aiding and Abetting) in relation to Section 4(c)(4) on Libel, Section 4(c)(3) onUnsolicited Commercial Communications, and Section 4(c)(2) on Child Pornography is unconstitutional.

11. Section 5 renders criminally liable any person who willfully abets or aids in the commission orattempts to commit any of the offenses enumerated as cybercrimes. It suffers from overbreadth, creatinga chilling and deterrent effect on protected expression.

12. Penal laws should provide reasonably clear guidelines for law enforcement officials and triers of factsto prevent arbitrary and discriminatory enforcement. The terms “aiding or abetting” constitute broadsweep that generates chilling effect on those who express themselves through cyberspace posts,comments, and other messages.

13. In effect, actions such as “Liking”, or Commenting” on or “Sharing” an online post that is found to bedefamatory is not punishable as “aiding or abetting” a cybercrime offense

14. However, if the “Comment” does not merely react to the original posting but creates an altogethernew defamatory story, then that should be considered an original posting published on the internet. Boththe penal code and the cybercrime law clearly punish authors of defamatory publications.

15. But the crime of aiding or abetting the commission of cybercrimes under Section 5 should bepermitted to apply to Section 4(a)(1) on Illegal Access, Section 4(a)(2) on Illegal Interception, Section4(a)(3) on Data Interference, Section 4(a)(4) on System Interference, Section 4(a)(5) on Misuse ofDevices, Section 4(a)(6) on Cyber-squatting, Section 4(b)(1) on Computer-related Forgery, Section4(b)(2) on Computer-related Fraud, Section 4(b)(3) on Computer-related Identity Theft, and Section4(c)(1) on Cybersex. None of these offenses borders on the exercise of the freedom of expression.Thecrime of willfully attempting to commit any of these offenses is for the same reason not objectionable.

“As Applied” challenge in relation to Void for Vagueness/Overbreadth

16. Generally, the void for vagueness doctrine does not apply to penal statutes. By way of exception,when a penal statute encroaches upon the freedom of speech, a facial challenge grounded on thevoid-for-vagueness doctrine is acceptable.

17. In an “as applied” challenge, the petitioner who claims a violation of his constitutional right can

© Copyright Thinc Office Corp. All rights reserved

raise any constitutional ground – absence of due process, lack of fair notice, lack of ascertainablestandards, overbreadth, or vagueness. One can challenge the constitutionality of a statute only if heasserts a violation of his own rights. It prohibits one from assailing the constitutionality of the statutebased solely on the violation of the rights of third persons not before the court. This rule is also known asthe prohibition against third-party standing.

18. But this rule admits of exceptions. A petitioner may for instance mount a “facial” challenge to theconstitutionality of a statute even if he claims no violation of his own rights under the assailed statutewhere it involves free speech on grounds of overbreadth or vagueness of the statute. The rationale forthis exception is to counter the “chilling effect” on protected speech that comes from statutes violatingfree speech. A person who does not know whether his speech constitutes a crime under an overbroad orvague law may simply restrain himself from speaking in order to avoid being charged of a crime. Theoverbroad or vague law thus chills him into silence

Equal Protection Clause

19. Petitioners claim that Section 4(a)(6) or cyber-squatting violates the equal protection clause in that,not being narrowly tailored, it will cause a user using his real name to suffer the same fate as those whouse aliases or take the name of another in satire, parody, or any other literary device.

20. But there is no real difference whether he uses his real name or a pseudo-name for it is the evilpurpose for which he uses the name that the law condemns. The law is reasonable in penalizing him foracquiring the domain name in bad faith to profit, mislead, destroy reputation, or deprive others who arenot ill-motivated of the rightful opportunity of registering the same. The challenge to the constitutionalityof Section 4(a)(6) on ground of denial of equal protection is baseless.

Right to Privacy

21. Petitioners claim that Section 4(b)(3) on Computer Related Identity Theft violates theconstitutional rights to due process and to privacy and correspondence, and transgresses the freedom ofthe press.

22. The right to privacy, or the right to be let alone, was institutionalized in the 1987 Constitution as afacet of the right protected by the guarantee against unreasonable searches and seizures. But the Courtacknowledged that the right to privacy exists independently of its identification with liberty; it is in itselffully deserving of constitutional protection. (Morfe v. Mutuc)

23. Zones of privacy are recognized and protected in our laws. Two constitutional guarantees createthese zones of privacy: (a) the right against unreasonable searches and seizures, which is the basis ofthe right to be let alone, and (b) the right to privacy of communication and correspondence.

24. In assessing the challenge that the State has impermissibly intruded into these zones of privacy, acourt must determine whether a person has exhibited a reasonable expectation of privacy and, if so,whether that expectation has been violated by unreasonable government intrusion.

25. The law punishes those who acquire or use identifying information (such as name, citizenship,residence address, contact number, place and date of birth, name of his spouse if any, occupation)without right, implicitly to cause damage. Petitioners fail to show how government effort to curbcomputer-related identity theft violates the right to privacy and correspondence as well as the right to dueprocess of law.

© Copyright Thinc Office Corp. All rights reserved

26. Neither does the law violate freedom of the press by restricting the ability of journalists to access andpublish unrestricted information about a person in the news. The theft of identity information must beintended for an illegitimate purpose. Moreover, acquiring and disseminating information made public bythe user himself cannot be regarded as a form of theft. Moreover, theft requires the element of “intent togain” which is not present in the situation described.

27. Also, the charge of invalidity of this section based on the overbreadth doctrine will not hold watersince the specific conducts proscribed do not intrude into guaranteed freedoms like speech. Clearly,what this section regulates are specific actions: the acquisition, use, misuse or deletion of personalidentifying data of another. There is no fundamental right to acquire another’s personal data.

Freedom of Expression

28. Petitioners claim that Section 4(c)(1) on Cybersexviolates the freedom of expression clause of theConstitution, i.e., that private communications of sexual character between husband and wife orconsenting adults, which are not regarded as crimes under the penal code, would now be regarded ascrimes when done “for favor” in cyberspace.

29. The deliberations of the Bicameral Committee of Congress reveal that the element of “engaging ina business” is necessary to constitute the illegal cybersex. The Act actually seeks to punish cyberprostitution, white slave trade, and pornography for favor and consideration.

30. In Nogales v. People, the Court weighed the property rights of individuals against the public welfare.Private property, if containing pornographic materials, may be forfeited and destroyed. Likewise,engaging in sexual acts privately through internet connection, perceived by some as a right, has to bebalanced with the mandate of the State to eradicate white slavery and the exploitation of women.

Child Pornography

31. Section 4(c)(2) on Child Pornography merely expands the scope of the Anti-Child Pornography Actof 2009 (ACPA) to cover identical activities in cyberspace.

32. As to making the penalty higher by one degree when the crime is committed in cyberspace, theintensity or duration of penalty is a legislative prerogative and there is rational basis for such higherpenalty. The potential for uncontrolled proliferation of a particular piece of child pornography whenuploaded in the cyberspace is incalculable.

Unsolicited Ads (“Spam”) as Protected Commercial Speech

33. Section 4(c)(3) on Unsolicited Commercial Communications penalizes the transmission ofunsolicited commercial communications, also known as “spam.”

34. The court did not uphold the argument that spams should be outlawed as a form of nuisance, statingthat what matters is that recipients have the option of deleting or not reading the spams.

35. Commercial speech is a separate category of speech which is not accorded the same level ofprotection as that given to other constitutionally guaranteed forms of expression but is nonethelessentitled to protection. Unsolicited advertisements are legitimate forms of expression.

Libel

© Copyright Thinc Office Corp. All rights reserved

36. Libel is not a constitutionally protected speech and that the government has an obligation to protectprivate individuals from defamation.

37. The elements of libel are: (a) the allegation of a discreditable act or condition concerning another;(b) publication of the charge; (c) identity of the person defamed; and (d) existence of malice

38. Where the offended party is a public figure, a showing of actual malice or malice in fact isrequired. There is “actual malice” when the offender makes the defamatory statement with theknowledge that it is false or with reckless disregard of whether it was false or not. Gross or even extremenegligence is not sufficient to establish actual malice.

39. But, where the offended party is a private individual, the prosecution need not prove the presenceof malice. The law explicitly presumes its existence (malice in law) from the defamatory character ofthe assailed statement. For his defense, the accused must show that he has a justifiable reason for thedefamatory statement even if it was in fact true.

40. Article 361 of the Penal Code recognizes truth as a defense but under the condition that theaccused has been prompted in making the statement by good motives and for justifiable ends.

Use of ICT as a Qualifying Circumstance

41. Section 6 merely makes commission of existing crimes through the internet a qualifyingcircumstance. There exists a substantial distinction between crimes committed through the use ofinformation and communications technology (ICT) and similar crimes committed using other means. Inusing ICT, the offender often evades identification and is able to reach far more victims or cause greaterharm. The distinction, therefore, creates a basis for higher penalties for cybercrimes.

Double Jeopardy

42. Section 7 provides that “A prosecution under this Act shall be without prejudice to any liability forviolation of any provision of the Revised Penal Code, as amended, or special laws.”

43. When two different laws define two crimes, prior jeopardy as to one does not bar prosecution of theother although both offenses arise from the same fact, if each crime involves some important act whichis not an essential element of the other.

44. With the exception of the crimes of online libel and online child pornography, the Court wouldleave the determination of the correct application of Section 7 to actual cases.

45. Online libel is different. There should be no question that if the published material on print, said tobe libelous, is again posted online or vice versa, that identical material cannot be the subject of twoseparate libels. The two offenses, one a violation of Article 353 of the Revised Penal Code and the othera violation of Section 4(c)(4) of RA 10175 involve essentially the same elements and are in fact one andthe same offense. Online libel under Section 4(c)(4) is not a new crime but is one already punishedunder Article 353. Section 4(c)(4) merely establishes the computer system as another means ofpublication. Charging the offender under both laws would be a blatant violation of the proscriptionagainst double jeopardy

46. The same is true with child pornography committed online. Section 4(c)(2) merely expands theACPA’s scope so as to include identical activities in cyberspace.

© Copyright Thinc Office Corp. All rights reserved

Fixing of Penalties

47. The matter of fixing penalties for the commission of crimes is as a rule a legislative prerogative. Herethe legislature prescribed a measure of severe penalties for what it regards as deleterious cybercrimes.They appear proportionate to the evil sought to be punished. The power to determine penalties foroffenses is not diluted or improperly wielded simply because at some prior time the act or omission wasbut an element of another offense or might just have been connected with another crime. Judges canonly interpret and apply them and have no authority to modify or revise their range as determined by thelegislative department. The courts should not encroach on this prerogative of the lawmaking body

Right to Privacy (Real Time Collection and Recording of Traffic Data)

48. Petitioners assail the grant to law enforcement agencies of the power to collect or record traffic datain real time as tending to curtail civil liberties or provide opportunities for official abuse.

49. The first question is whether or not Section 12 (Real-Time Collection of Traffic Data) has a propergovernmental purpose since a law may require the disclosure of matters normally considered privateupon showing (1) that such requirement has a rational relation to the purpose of the law, (2) that there isa compelling State interest behind the law, and (3) that the provision itself is narrowly drawn.

Compelling state interest and rational relation

50. The State has a compelling interest in enacting the cybercrime law for there is a need to put orderto the tremendous activities in cyberspace for public good. To do this, it is within the realm of reason thatthe government should be able to monitor traffic data to enhance its ability to combat all sorts ofcybercrimes. The requirement of “real time” collection is critical because there are many ways the cybercriminals can quickly erase their tracks. it is only real-time traffic data collection or recording and asubsequent recourse to court-issued search and seizure warrant that can succeed in ferreting them out.

51. Privacy is classified into two categories: Decisional privacy involves the right to independence inmaking certain important decisions, while Informational privacy refers to the interest in avoidingdisclosure of personal matters. It is the right to informational privacy that those who oppose governmentcollection or recording of traffic data in real-time seek to protect.

52. Informational privacy has two aspects: (1) the right not to have private information disclosed, and(2) the right to live freely without surveillance and intrusion.

53. In determining whether or not a matter is entitled to the right to privacy, this Court has laid down atwo-fold test.

(a) subjective test, where one claiming the right must have an actual or legitimate expectation ofprivacy over a certain matter.

(b) objective test, where his or her expectation of privacy must be one society is prepared to accept asobjectively reasonable.

54. ICT users must know that they cannot communicate or exchange data with one another overcyberspace except through some service providers to whom they must submit certain traffic data that areneeded for a successful cyberspace communication. The conveyance of this data takes them out of theprivate sphere, making the expectation to privacy in regard to them an expectation that society is notprepared to recognize as reasonable.

© Copyright Thinc Office Corp. All rights reserved

Not narrowly drawn

55. Section 12 empowers law enforcement authorities, “with due cause,” to collect or record bytechnical or electronic means traffic data in real-time. But the cybercrime law fails to hint at the meaningit intends for the phrase “due cause”, thus justifying a general gathering of data. It is akin to the use of ageneral search warrant that the Constitution prohibits.

56. The power is virtually limitless, enabling law enforcement authorities to engage in “fishingexpedition,” choosing whatever specified communication they want. This evidently threatens the right ofindividuals to privacy. Section 12 is therefore invalid.

Right to Property (preservation and Destruction of Computer Data)

57. Petitioners claim that Section 13 (Preservation of Computer Data) constitutes an unduedeprivation of the right to property. They liken the data preservation order that law enforcementauthorities are to issue as a form of garnishment of personal property in civil forfeiture proceedings. Suchorder prevents internet users from accessing and disposing of traffic data that essentially belong to them.

58. By virtue of Section 13, the law now requires service providers to keep traffic data and subscriberinformation relating to communication services for at least six months from the date of the transactionand those relating to content data for at least six months from receipt of the order for their preservation.

59. The data that service providers preserve on orders of law enforcement authorities are not madeinaccessible to users by reason of the issuance of such orders. The process of preserving data will notunduly hamper the normal transmission or use of the same.

60. Similarly, Section 17 (Destruction of Computer Data) does not violate the user’s right againstdeprivation of property without due process of law. The user has no clear demandable right to requirethe service provider to have that copy of the data saved indefinitely for him in its storage system. If hewanted them preserved, he should have saved them in his computer when he generated the data orreceived it. He could also request the service provider for a copy before it is deleted

Right Against Unreasonable Search (Disclosure and Blocking of Computer Data)

61. Section 14 (Disclosure of Computer Data) provides that “Law enforcement authorities, uponsecuring a court warrant, shall issue an order requiring any person or service provider to disclose orsubmit subscriber’s information, traffic data or relevant data in his/its possession or control ….”

62. Section 14 is being likened to the issuance of a subpoena. The power to issue subpoenas is notexclusively a judicial function. Executive agencies have the power to issue subpoena as an adjunct oftheir investigatory powers.

63. The prescribed procedure for disclosure would not constitute an unlawful search or seizure nor wouldit violate the privacy of communications and correspondence. Disclosure can be made only after judicialintervention.

64. Section 19 (Restricting or Blocking Access to Computer Data), provides that “When a computerdata is prima facie found to be in violation of the provisions of this Act, the Department of Justice shallissue an order to restrict or block access to such computer data.”

65. Computer data, produced or created by their writers or authors may constitute personal property.

© Copyright Thinc Office Corp. All rights reserved

Consequently, they are protected from unreasonable searches and seizures, whether while stored intheir personal computers or in the service provider’s systems

66. Section 2, Article III of the 1987 Constitution provides that no search warrant shall issue exceptupon probable cause to be determined personally by the judge. Here, the Government, in effect, seizesand places the computer data under its control and disposition without a warrant. The Department ofJustice order cannot substitute for judicial search warrant.

67. The content of the computer data can also constitute speech. In such a case, Section 19 operates asa restriction on the freedom of expression over cyberspace.

68. Section 19 is void for being violative of the freedom of expression and against unreasonablesearches and seizures.

Bill of Attainder

69. Petitioners claim that Section 20 (Non Compliance) is a bill of attainder since the mere failure tocomply constitutes a legislative finding of guilt, without regard to situations where non-compliance wouldbe reasonable or valid.

70. But since the non-compliance would be punished as a violation of PD 1829, Section 20 necessarilyincorporates elements of the offense which are defined therein. If Congress had intended for Section 20to constitute an offense in and of itself, it would not have had to make reference to any other statue orprovision.

71. The act of non-compliance, for it to be punishable, must be done “knowingly or willfully.” There muststill be a judicial determination of guilt, during which, defense and justifications for non-compliance maybe raised. Thus, Section 20 is valid insofar as it applies to the provisions of Chapter IV which are notstruck down by the Court

Undue Delegation of Legislative Power

72. Petitioners contend that Congress invalidly delegated its power when it gave the CybercrimeInvestigation and Coordinating Center (CICC) the power to formulate a national cybersecurity planwithout any sufficient standards or parameters for it to follow.

73. In order to determine whether there is undue delegation of legislative power, the Court has adoptedtwo tests: Under the completeness test, the law must be complete in all its terms and conditions when itleaves the legislature such that when it reaches the delegate, the only thing he will have to do is toenforce it. The sufficient standard test mandates adequate guidelines or limitations in the law todetermine the boundaries of the delegate’s authority and prevent the delegation from running riot.

74. Here, the cybercrime law is complete in itself when it directed the CICC to formulate and implement anational cybersecurity plan. Also, the law gave sufficient standards for the CICC to follow when itprovided a definition of cybersecurity.

75. Cybersecurity refers to the collection of tools, policies, risk management approaches, actions,training, best practices, assurance and technologies that can be used to protect cyber environment andorganization and user’s assets. This definition serves as the parameters within which CICC should workin formulating the cybersecurity plan.Further, the policy of the law is adopted in the interest of law andorder, which has been considered as sufficient standard. Hence, Sections 24 and 26(a) are likewise

© Copyright Thinc Office Corp. All rights reserved

valid.