The Manila Times : Court upholds ruling vs ex-Comelec chief

By Jomar Canlas | The Manila Times

THE Court of Appeals (CA) has affirmed the findings of the National Privacy Commission (NPC) that former Commission on Elections chairman Andres Bautista violated Republic Act 10173 or the “Data Privacy Act of 2012” in connection with the April 2016 data breach that placed the personal information of millions of voters at risk.

The NPC recommended the prosecution of Bautista for the crime of accessing sensitive personal information due to negligence.

It also urged the Department of Justice (DoJ) to investigate him for possible violation of the cybercrime law “on the finding that there was an unauthorized exfiltration of data in connection with this data breach from the Comelec web server on March 23, 2016, through a computer with an IP address of, registered with the National Bureau of Investigation.”

The appellate court also gave credence to the findings of the NPC to hold Bautista as the only one liable for the offense and clear former Comelec commissioners Christian Robert Lim and Al Parreno; executive director Jose Tolentino Jr.; director James Arthur Jimenez; Ferdinand de Leon; Jeannie Flororita; and Eden Bolo.

The Manila Times obtained a copy of the 22-page decision of the CA’s Second Division dated March 25, 2021, which ruled to dismiss Bautista’s petition for review.

Under the law, violation of the Data Privacy Act due to negligence is punishable by three to six months of imprisonment and a fine of P500,000 to P4 million. If a government official is proven guilty of this crime, he or she will be disqualified from public office.

The CA ruling was penned by Justice Pedro Corales and was concurred by Justices Fernanda Lampas-Peralta and Alfredo Ampuan.

Bautista reportedly fled to the US in November 2017, a few weeks after resigning from his post. He was impeached by the House of Representatives amid allegations of unexplained wealth after his estranged wife, Patricia, disclosed that he accepted commissions on referred cases, had ghost employees and went on questionable trips. Bautista also has a standing arrest warrant from the Senate.

In its ruling, the CA said the NPC exercised its fact finding investigation “on how the security breach in the Comelec database happened and recommended that the DoJ exercise its own prosecutorial functions against Chairman Bautista.”

The appeals court added that Bautista availed of the wrong remedy, thus his petition was dismissed.

On March 27, 2016, unknown and unauthorized persons calling themselves “Anonymous PH” hacked the homepage of the official website of Comelec.

The poll body sought the assistance of the NBI, which led to the arrest of Paul Biteng who admitted defacing the Comelec website.

In its June 27, 2016 report, the NPC found there was a security breach that provided access to the Comelec database, which contains personal and sensitive information that might be used to enable identity fraud.

As such, it found that the Comelec might have been remiss in its duties to protect the personal data of millions of Filipinos that were illegally accessed in the Comelec database.

The NPC ruled that the Comelec should have implemented measures to prevent the security breach as it failed to designate a chief information officer or data protection officer.

It also held that Bautista’s disregard of his duties as Comelec’s head amounted to gross negligence.