Comelec cleared of security breaches concealment in 2022 polls

MANILA, Philippines — The Commission on Elections (Comelec) has been cleared of liability for concealment of security breaches in the general elections on May 9 last year.

In a statement issued yesterday, lawyer John Rex Laudiangco, director of the education and information department of the poll body, said the National Privacy Commission (NPC) itself has found that the Comelec and its automated election systems provider Smartmatic are not liable for data privacy violations.

The Comelec’s clearing of liability was based on a decision, dated Sept. 22, 2022, in a case initiated by the NPC’s Complaints and Investigation Division (CID).

The NPC-CID alleged that the personal data breaches in the servers of Comelec and Smartmatic involved survey forms and overseas voters list.

However, upon investigation, it was found that Comelec and Smartmatic are not liable for concealment of security breaches involving sensitive personal information under Section 30 of the Data Privacy Act of 2012.

“The triumph of the Comelec’s transparency and integrity in this case further validates the resounding success of the May 9, 2022 national and local elections,” Laudiangco said.

Violation of Section 30 requires that first, a personal data breach occurred; second, the breach is one that requires notification to the NPC and third, the person knowingly conceals the fact of such breach from the NPC.

As to the second requisite, the alleged concealed security breach must be one that requires mandatory breach notification, Laudiangco said.

With respect to the survey forms, the NPC found that while there had been a breach in Smartmatic’s servers due to the actions of some of its employees, there is no obligation on the part of Comelec to comply with the mandatory breach notification.

The NPC also found that there was no breach in Smartmatic’s servers in relation to the overseas voters list.

The NPC-CID was not able to provide substantial evidence that directly links the alleged breach in Smartmatic’s servers to the Comelc’s servers or system.

“Thus, Comelec may not be held liable for violation of Section 30 of the DPA in relation to the overseas voters list,” Laudiangco said.