A good understanding of data privacy frameworks is crucial in Asia. While the laws in the region share similar elements, gaps remain: privacy compliance culture is relatively new and jurisdictions vary in their approaches. Here, experts spell out how the Philippines, Thailand and Indonesia have built their legal frameworks governing personal data.
The Philippine Data Privacy Act of 2012 was signed into law on 15 August 2012. It is a comprehensive law governing the protection of personal data in the country. The National Privacy Commission (NPC), the government agency primarily mandated under the law to oversee the administration and implementation of the act, promulgated the act's Implementing Rules and Regulations (IRR) on 24 August 2016. The act was a response to the freer exchange of personal data on the global stage and to the emergence of international standards for data protection, at a time when the Philippines had become a global leader in business process outsourcing (BPO) services.
Before the act, with no centralised regulatory oversight of personal data processing and no comprehensive protective measures, the wealth of personal data then in circulation was open to abuse and misuse, from the unmitigated use and sharing of contact details for purposes beyond those originally contemplated, to identity theft and security breaches, all to the detriment of the data subject's constitutionally guaranteed right to privacy.
The data privacy regime had its origins as early as 2006, when the Department of Trade and Industry (DTI) issued DTI Administrative Order No. 8-2006, the Guidelines on the Protection of Personal Data. That issuance was patterned after the EU's then Data Protection Directive of 1995, the predecessor of the current General Data Protection Regulation (GDPR). The act is therefore rooted in the same standards and principles that the GDPR now embodies.
The privacy law applies to the processing of all types of personal information, and to any natural or juridical person involved in personal information processing in the private and government sectors. It covers data controllers and processors not located in the Philippines that either: (1) use equipment located in the Philippines; or (2) maintain an office, branch or agency in the Philippines. It also applies whenever the personal data being processed pertains to a Philippine citizen or resident, regardless of where that person is and wherever the processing takes place. For example, the act applies where the personal data of an overseas Filipino worker (OFW) currently working in the US is processed by a local Philippine bank, and it equally applies where the personal data of the same OFW is processed by a foreign bank located outside the Philippines.
“Processing of personal data” is defined under the act as any operation or set of operations performed on personal information (such as collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, and destruction). “Personal information controller” refers to any person or organisation that controls the collection, holding, processing or use of personal information (except for those who perform such functions as instructed by another person or organisation, or an individual who performs the same functions in connection with the individual’s personal, family or household affairs). “Personal information processor” refers to any natural or juridical person to whom a personal information controller may outsource the processing of personal data.
The following types of information are exempt from the coverage of the act:
(1) Information on any current or previous government servant that relates to the position or functions of said individual;
(2) Information relating to the services performed by an individual under a government contract;
(3) Information relating to any discretionary financial benefit given by the government to an individual;
(4) Personal information processed for journalistic, artistic, literary or research purposes;
(5) Information necessary in order to carry out the functions of a public authority;
(6) Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act; and
(7) Personal information collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions.
The IRR narrow these exemptions: they apply only to the minimum extent of collection, access, use, disclosure or other processing necessary for the purpose, function or activity concerned, and the controllers and processors handling such information remain subject to the requirement to implement security measures for personal data protection.
The act distinguishes "personal information" from "sensitive personal information", as different requirements for lawful processing are prescribed for each. Personal information refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify the individual. Sensitive personal information refers to personal information about an individual's race, marital status, age, and religious, philosophical or political affiliations. It also includes health and education information, any proceedings for an offence committed or alleged to have been committed by the individual, information issued by government agencies peculiar to an individual (e.g., social security numbers, health records, licences and tax returns), and information specifically declared as classified by law or regulation.
The law and its IRR generally require consent from the data subject before personal data can validly be processed, unless the processing falls within one of the conditions expressly outlined in the act and its IRR. Consent is defined under the act as "any freely given, specific, informed indication of will … [and] shall be evidenced by written, electronic or recorded means". The act therefore recognises only express consent; implied consent does not satisfy it.
The act extensively outlines the rights of the data subject with respect to his/her personal information, which are similar to the rights recognised under the GDPR. These rights include:
(1) the right to be informed;
(2) the right to access;
(3) the right to object;
(4) the right to erasure and blocking;
(5) the right to rectify;
(6) the right to file a complaint;
(7) the right to damages; and
(8) the right to data portability.
These rights of the data subject must be observed and respected by data controllers and data processors, except where the personal information is processed only for scientific and statistical research purposes and no activities are carried out and no decisions are taken regarding the data subject, or where the information is gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of the data subject.
The law outlines the general principles on security of personal information, as well as accountability with respect to the transfer of personal information. Specific provisions are laid down concerning the security of sensitive personal information in the government, as well as provisions on a data breach and the basic guidelines for reporting instances of data breaches.
Similar to the regime implemented under the GDPR, Philippine privacy law and regulations impose breach notification obligations on the personal information controller in the event of a personal data breach. Notification must be served on the affected data subjects and reported to the NPC within 72 hours of the personal information controller or personal information processor acquiring knowledge of, or forming a reasonable belief that, a personal data breach requiring notification has occurred. Not every breach triggers this duty: under the act, notification is required when sensitive personal information, or other information that may be used to enable identity fraud, is reasonably believed to have been acquired by an unauthorised person, and the controller or the NPC believes that such acquisition is likely to give rise to a real risk of serious harm to the affected data subject.
Philippine privacy regulations require the designation or appointment of a data privacy officer (DPO). Not every entity must register its DPO with the NPC; registration is mandatory for an entity that: (1) employs 250 people or more; (2) processes records containing sensitive personal information of at least 1,000 individuals; or (3) carries out processing of personal information that is either likely to pose a risk to the rights and freedoms of data subjects, or is not occasional. The NPC has issued guidelines enumerating the sectors it considers covered by the mandatory registration requirement, regardless of the number of data subjects or the volume of personal information being processed.
These sectors, considered as critical, are the following:
(1) government agencies;
(2) banks and non-bank financial institutions;
(3) telecommunications and internet service providers;
(4) BPO companies;
(5) universities, colleges and all other schools and training institutions;
(6) hospitals, clinics and other healthcare facilities;
(7) insurance companies and brokers;
(8) those involved in direct marketing, networking, and other companies providing reward cards and loyalty programmes;
(9) pharmaceutical companies engaged in research; and
(10) personal information processors processing personal data for a personal information controller included in any of these critical sectors.
Apart from the DPO, the IRR specifically provides that certain forms of data processing systems must be registered with the NPC.
Finally, violations of the act are punished with mandatory imprisonment and fines. A higher range of penalties applies where sensitive personal information is involved. The maximum penalties apply where the violation is committed on a large scale, meaning that the personal information of at least 100 persons is affected. Although the NPC and other concerned sectors have initiated moves to amend the act, including removal of the penalty of imprisonment, those initiatives have been put on hold due to the current pandemic.
22nd Floor, ACCRALAW Tower
2nd Avenue corner, 30th Street
Crescent Park West Bonifacio Global City,
1635 Taguig, Metro Manila, Philippines
Tel: +63 2 8830 8000