NPC clears Comelec, Smartmatic of data privacy violations in 2022 polls

enablePagination: false
maxItemsPerPage: 10
maxPaginationLinks: 10

Metro Manila (CNN Philippines, January 18) — The National Privacy Commission (NPC) has cleared the Commission on Elections (Comelec) and software provider Smartmatic of data privacy violations related to the 2022 elections for “lack of merit.”

The decision was dated Sept. 22, 2022, but Comelec spokesperson John Rex Laudiangco only released a statement on Wednesday.

“Triumph of Comelec’s Transparency and Integrity in the case further validates the resounding success of the May 9, 2022 National and Local Elections,” Laudiangco said.

In the 31-page ruling, the NPC said its investigation found that Comelec and Smartmatic were “not liable” for Concealment of Security Breaches Involving Sensitive Personal Information under Section 30 of the Data Privacy Act (DPA).

The case stemmed from the alleged breach of election data involving survey forms and the overseas voters list.

Instead, the NPC will recommend to the justice secretary the prosecution of dismissed Smartmatic employee Ricarco Argana, a certain Winston Steward, and other unidentified individuals for Unauthorized Access or Intentional Breach under Section 29 of the DPA.

“The Commission acknowledges that there had been a breach in Smartmatic’s servers through the acts of Argana, Steward, and other unknown individuals. The Commission, however, finds that there is no obligation on the part of Comelec, the Personal Information Controller (PIC), and Smartmatic, the Personal Information Processor (PIP), to report the breach to the Commission because the first and third requisites for mandatory breach notification are not present,” the NPC explained.

While there was indeed a breach, the NPC said “it did not involve sensitive personal information or information that may be used to enable identity fraud.”

“The unauthorized acquisition is not likely to give rise to a real risk of serious harm,” it added.

The case was lodged after Manila Bulletin in early January last year reported that a group of hackers allegedly breached the poll body’s servers and downloaded files – including usernames and PINS of vote-counting machines (VCM).

In March, the NPC said its initial findings showed no hacking occurred, but it did not yet conclude if Comelec had no responsibility for the incident.

According to the National Bureau of Investigation, Argana admitted to giving unauthorized access to Smartmatic data to Steward via Facebook Messenger in exchange for free tech training and cash worth ₱50,000 to ₱300,000.

The data ended up with hacker group XSOX, which reached out to offer cybersecurity services to Smartmatic. It later threatened to leak the data after being ignored.