Eastwest Rural Bank vs. Philippine National Police Anti-Cybercrime Group Regional Anti-Cybercrime Unit 1

The Cybercrime Prevention Act of 2012 (R.A. 10175) authorizes the issuance of a Warrant to Disclose Computer Data (WDCD) for the limited purpose of obtaining a bank account holder's basic identifying information (e.g., name, address, contact details) during a cybercrime investigation, and this constitutes a valid statutory exception to the confidentiality mandate of the Bank Secrecy Law (R.A. 1405).

The case arose from a cybercrime investigation into a "vhishing" scheme where the perpetrator deceived the victim into revealing an OTP, leading to an unauthorized fund transfer to an EWRB account. Law enforcement sought to identify the account holder through a WDCD, triggering a legal clash between modern cybercrime investigation tools and the long-standing principle of bank deposit confidentiality.

• Filed in RTC (San Fernando City, La Union) for the issuance of a WDCD (WDCD No. 15-2023).
• RTC granted the WDCD on June 21, 2023. EWRB's Motion for Clarificatory Order was denied by the RTC in Orders dated July 3, 2023, and July 27, 2023.
• EWRB filed a Petition for Certiorari with the CA (CA G.R. SP. No. 180524).
• CA dismissed the petition in a Resolution dated September 26, 2023 (and denied reconsideration on April 30, 2024) based on procedural defects and finding no grave abuse of discretion by the RTC.
• EWRB elevated the case to the SC via a Petition for Review on Certiorari under Rule 45.

• Complainant Leonard Vendiola was a victim of "vhishing," resulting in a PHP 10,000 unauthorized transfer from his BDO account to EWRB Account No. 500023412872.
• The PNP-ACG RACU 1 investigated for violation of Section 9(s) of the Access Devices Regulation Act (R.A. 8484, as amended) in relation to Section 6 of the Cybercrime Prevention Act (R.A. 10175).
• The RTC issued a WDCD ordering EWRB to disclose: (a) account holder's full name, personal information, address; (b) verification ID; (c) contact details; and (d) any other information leading to the identity and digital footprint of the account holder.
• EWRB refused, citing the Bank Secrecy Law (R.A. 1405), and challenged the WDCD's validity.

• The Bank Secrecy Law (R.A. 1405) absolutely prohibits the disclosure of "any information" concerning bank deposits, including the identity of the depositor.
• The Cybercrime Prevention Act did not expressly or impliedly repeal the Bank Secrecy Law.
• EWRB is not a "service provider" as defined under the Cybercrime Prevention Act, so its provisions on WDCDs do not apply.
• The procedural defects in its CA petition (lack of address, illegible annex, missing MCLE details) were minor and should not have warranted dismissal.

• The WDCD seeks only the account holder's identity information, not the confidential financial details of the deposit itself.
• The Cybercrime Prevention Act (Sections 12 & 14) and its Rule on Cybercrime Warrants authorize the disclosure of "subscriber's information" upon issuance of a court warrant.
• EWRB, by providing online banking services, qualifies as a "service provider" under the Act's broad definition.
• The Bank Secrecy Law is not a bar to disclosure because the Cybercrime Prevention Act provides a subsequent, specific exception for cybercrime investigations.

• Procedural Issues: Whether the CA erred in dismissing the petition for certiorari based on technical defects (missing address, illegible annex, notary's MCLE details).
• Substantive Issues:
  1. Whether the Cybercrime Prevention Act repealed or superseded the Bank Secrecy Law regarding the confidentiality of bank deposits.
  2. Whether EWRB qualifies as a "service provider" under the Cybercrime Prevention Act.
  3. Whether the WDCD, which seeks the account holder's identifying information, violates the Bank Secrecy Law.

• Procedural: The SC found the CA should have been more lenient. The petitioner had substantially complied with the rules by providing its counsel's address, later submitting a clearer annex, and supplying the notary's MCLE details in its Motion for Reconsideration. The defects were not fatal, and the case should have been decided on the merits.
• Substantive:
  1. No Repeal. The Cybercrime Prevention Act did not repeal the Bank Secrecy Law, either expressly or by implication. The laws have different subject matters (bank deposit confidentiality vs. cybercrime/data disclosure) and can be harmonized.
  2. EWRB is a Service Provider. The definition of "service provider" in the Cybercrime Prevention Act is broad ("any public or private entity that provides... the ability to communicate by means of a computer system"). EWRB, through its online banking platforms, meets this definition.
  3. WDCD is Valid. The Bank Secrecy Law protects the financial details of a deposit. The basic identifying information sought by the WDCD (name, address, contact details) falls under "subscriber's information" as defined in the Cybercrime Prevention Act. The disclosure of such information is a recognized exception to bank secrecy under the current legal framework, which includes the Cybercrime Prevention Act, the Data Privacy Act (R.A. 10173), and the Anti-Financial Account Scamming Act (R.A. 12010). The requisites for a valid WDCD under the Cybercrime Prevention Act were met.

• Doctrine of Implied Repeal — A later law repeals an earlier one only if they are on the same subject and are irreconcilably inconsistent, or if the later law covers the entire subject of the earlier one as a substitute. The SC found no implied repeal here because the laws have distinct scopes.
• Statutory Construction: Ubi lex non distinguit nec nos distinguere debemos — Where the law does not distinguish, the courts should not distinguish. The SC applied this to the broad definition of "service provider," refusing to limit it to traditional communication companies.
• Harmonization of Statutes — The SC interpreted the Bank Secrecy Law and the Cybercrime Prevention Act in harmony, giving full effect to both by distinguishing between deposit financial details (protected) and subscriber identity information (disclosable under a WDCD).

• "While bank secrecy constitutes a statutory right... the mandate imposed by WDCD... must be examined not only through the lens of the Bank Secrecy Law but also in the context of the Cybercrime Prevention Act, which permits disclosure of information under defined conditions."
• "A strictly literal interpretation of the Bank Secrecy Law would undermine the stated objectives of the Cybercrime Prevention Act and the recently enacted AFASA, potentially hindering the prosecution of cyber-related crimes."

• Duremdes v. Jorilla — Cited for the principle that courts should be lenient with procedural defects when there is substantial compliance and the petition has merit.
• Chamber of Customs Brokers, Inc. v. Commissioner of Customs — Cited for the distinction between express and implied repeals of statutes.
• Commissioner of Internal Revenue v. Semirara Mining Corp. — Cited for the two categories of implied repeal (irreconcilable conflict and full substitution).

• Republic Act No. 1405 (Bank Secrecy Law), Sections 2 & 3 — Established the general rule of absolute confidentiality of bank deposits.
• Republic Act No. 10175 (Cybercrime Prevention Act of 2012), Sections 3(n), 6, 12, 14 — Defined "service provider" and "subscriber's information," and provided the procedure for obtaining a WDCD for disclosure of data.
• Republic Act No. 8484 (Access Devices Regulation Act), Section 9(s) — The substantive crime being investigated (access device fraud/vhishing).
• A.M. No. 17-11-03-SC (Rule on Cybercrime Warrants) — The procedural rules implementing the warrant provisions of the Cybercrime Prevention Act.
• Republic Act No. 10173 (Data Privacy Act of 2012) — Referenced to show a parallel legal framework allowing disclosure of personal information for legal compliance and public authority functions.
• Republic Act No. 12010 (Anti-Financial Account Scamming Act) — Cited as a recent law explicitly recognizing the investigation of financial accounts for cybercrimes and the application for cybercrime warrants.

• N/A (The decision was unanimous with the Chairperson and three other Justices concurring).