As to who should be made liable in the Comelec, Tonson said it would be the individual(s) "who are accountable for the organization's compliance with the Data Privacy Act." He added, "Technically, it should be whoever was in charge of making the database accessible online. If that decision on accessibility required a Comelec resolution, then it could go as far up as the Commission en banc."