Copy link






The 2021 Personal Information Protection Law (PIPL) is China’s first comprehensive law on personal information protection. Private personal information is protected as a right of privacy under the Civil Code, and individual rights in personal information, private or public, are protected under the PIPL. Data security, including data that are not personal information, and cybersecurity are regulated under the Data Security Law and Cybersecurity Law, which along with the PIPL form China’s data privacy and security legal regime.


The principal authority tasked with implementing and enforcing data governance is the Cyberspace Administration of China (CAC). Various other industry and provincial regulators are tasked with supervision and administration.


Amigo L Xie, K&L Gates
Amigo L Xie
K&L Gates in Hong Kong
Phone: +852 2230 3510

To implement China’s data national security and personal information protection rules, data have been graded according to levels of risk and importance. The Data Security Law provides for a “classified and graded” data protection system that categorises data into groups according to type, and assigns different levels of importance to data within each group. A national data security co-ordination mechanism undertakes overall planning and co-ordinates departments of the State Council to formulate catalogues of “important data” and strengthen the protection of important data.

The PIPL distinguishes between personal information and sensitive personal information. Personal information refers to any kind of information related to an identified or identifiable natural person recorded electronically or otherwise, excluding anonymised information. Sensitive personal information refers to personal information that, if leaked or illegally used, would easily lead to infringement of human dignity or harm to a natural person, including biometric recognition, religious belief, medical and health, financial accounts, personal location tracking and other similar information – and any personal information of a minor under 14 years.


The data governance system does not contain separate definitions of a data controller and a data processor. The PIPL defines a personal information handler (PIH) as any organisation or individual that independently determines the purpose and method of processing personal information. A PIH may subcontract the processing of personal data to another party, but shall be responsible for the acts and omissions of the subcontractor. PIHs must take measures to protect the security of personal information, ensuring that third-party processors comply with laws and do not process personal information beyond agreed purposes.


The PIPL prescribes the circumstances when a PIH may process personal information, including:

  • Lawful consent of data subject;
  • Necessity in connection with conclusion or performance of a contract, or human resources management under an employment policy or a collective contract;
  • Necessity for performance of statutory duties;
  • Necessity in response to a public health emergency or protection of life, health or property safety in emergency;
  • News reporting or public interest; or
  • Where personal information has been disclosed already by an individual, or otherwise legally, such information may be processed within reasonable scope.


Susan Munro, K&L Gates
Susan Munro
Registered Foreign Lawyer
K&L Gates in Hong Kong
Tel: +852 2230 3518

The Cybersecurity Law contains provisions that apply to cross-border transfers of personal information and important data produced and collected by critical information infrastructure operators (CIIOs), which will be designated by the authorities. By contrast, the PIPL contains a comprehensive framework for cross-border transfers of personal information.

Several implementing rules and guidelines or drafts, including the Regulations on Network Data Security Management (NDSM) and Measures for Security Assessment of Cross-border Data Transfer (MSA), address cross-border data transfers. Several industry laws and regulations impose restrictions and prohibitions on cross-border transfers of certain types of data. General requirements for PIHs include:

  • Cross-border transfers of personal information must be on a lawful basis.
  • PIHs are required to take all necessary measures to ensure transferred personal information is processed and protected by overseas recipients to the same standards mandated in the PIPL.
  • Personal information protection impact assessments are required before transfers of personal information outside mainland China.

There are also specific requirements for certain PIHs for data localisation and national security assessment, including:

  • CIIOs are required to store personal information and important data collected and produced during their operations in mainland China.
  • PIHs whose processing of personal information reaches thresholds prescribed by the CAC are subject to data localisation requirements. Current thresholds in MSA refer to, among other things, data of one million or more individuals.
  • Banking financial institutions are not permitted to provide personal financial information overseas unless specifically permitted by law and the central bank.
  • If a CIIO or a PIH whose processing personal information reaches a statutory threshold intends to provide such information to an overseas recipient, it must pass a national security assessment.
  • MSA extends the national security assessment requirement to other data handlers if the data to be transferred includes “important data”.
  • MSA also applies the national security assessment requirement to overseas transfers by a PIH who has transferred the personal information of more than 100,000 individuals, or the “sensitive personal information” of more than 10,000 individuals from 1 January of last year on a cumulative basis.

If a national security assessment is not required, PIHs must either obtain a certification of personal information protection from a designated professional institution, or enter into a data transfer agreement with an overseas recipient that includes standard clauses mandated by the CAC. The draft NDSM extends these requirements to handlers of non-personal data.

No individual or organisation is permitted to provide data located within mainland China to a foreign judicial or law enforcement agency without first obtaining approval from relevant authorities.


The PIPL also provides the following penalties and punishments for violations:

  • Initial punishments include corrective orders, warnings, confiscation of illegal gains and suspension of services;
  • If uncorrected, fines up to RMB1 million (USD150,000) per violation and between RMB10,000 and RMB100,000 on persons who have caused or are otherwise responsible for violations;
  • For serious violations, fines up to RMB50 million, or 5% of previous year’s revenue, and business suspensions, or revocation of business licences. Persons liable can be fined RMB100,000 to RMB1 million and banned from holding positions such as directorships.
  • A PIH must prove it has not infringed personal information rights if a data subject incurs damages. If a PIH cannot do this, it may incur tortious liability and be liable for damages based on losses or gains received, or alternatively damages determined by a court.
  • If a PIH infringes the rights of a large number of people, prosecutors, consumer organisations specified by law or certain organisations designated by the CAC may file a lawsuit against the PIH.

The Data Security Law and Cybersecurity Law contain punishments in connection with violations as well.


The Cybersecurity Law implements a classified protection system. Upon occurrence of a data breach, the data governance system requires data handlers and network operators to immediately initiate contingency plans, take corresponding remedial measures, notify data subjects as required, and report the incident to the CAC and relevant regulators.

Under the National Contingency Plans for Cyber Security Incidents and the Emergency Response Plan for Unexpected Network Security Incidents of the Public Internet, cybersecurity incidents are classified into four levels: (1) especially major, (2) major, (3) relatively major and (4) general. The regulations also specify detailed rules regarding regulators, monitoring and early warning systems, emergency and reporting systems, investigations and assessments, and safeguard measures.


The PIPL mandates the appointment of a data protection officer (DPO) and prescribes the following role and liabilities:

  • Supervision of a PIH’s data processing activities, protection measures, etc.;
  • Reporting directly to the principal of a PIH; and
  • Personal liabilities include fines ranging from RMB10,000 to RMB1 million, depending on the severity of the violation. A DPO also risks being banned from senior positions, negative records in state social credit files, public disclosure and, in a worst-case scenario, administrative detention or criminal prosecution.

The PIPL does not prescribe the detailed tasks of a DPO but guidance regarding the role can be found in the PIS specification.

K&L Gates Logo

44/F Edinburgh Tower, The Landmark
15 Queen’s Road Central, Hong Kong
Tel: +852 2230 3500


Since the EU tightened the protection of personal data with the General Data Protection Regulation (GDPR), calls for implementing measures reducing data vulnerability and preventing erosion of user privacy have been resounding worldwide.

A series of allegations against tech giants for misuse and mishandling of personal data was a major turning point in how people look at the issue of data privacy breaches. Many jurisdictions subsequently overhauled existing laws to pave the way for stricter regulatory regimes.

India is no exception – and is also making efforts on this front.

Currently, this space is regulated by the Information Technology Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Section 43A of the IT act entitles a data principal to seek compensation for unauthorised disclosure of sensitive personal information. Section 72A is the penal provision under which a person, including an intermediary who discloses sensitive personal information without consent, can be punished with imprisonment or a fine.

However, these laws are considered inadequate as their scope is quite limited. Therefore, a comprehensive draft law, the Personal Data Protection Bill, was introduced in 2018 to reshape the regulatory regime. It is aimed at providing the right governing mechanism and deploying the right data infrastructure so that the power of data could be unlocked for India.

Manisha Singh, LexOrbis
Manisha Singh
LexOrbis in New Delhi

But the bill has been hit by a series of controversies – and has already been amended thrice.

On referral to a Joint Parliamentary Committee (JPC) comprising members of both Houses of the Indian Parliament, the JPC report was published along with the revised Data Protection Bill on 16 December 2021. The new bill seeks to regulate both personal and non-personal data, which means that the scope of the proposed law has been widened.

As regards the foundation of the proposed legislation, it is based on the principle laid down by the Supreme Court of India in KS Puttaswamy v Union of India, according to which anything that restricts the right to privacy of a person should be sanctioned by law and must have procedural safeguards against abuse.

The most controversial element of the bill is virtually carte blanche exemptions for the government. Clause 35 exempts the government from compliance with all provisions when necessary for protecting the sovereignty and integrity of India, national security, friendly relations with foreign states, and public order. Despite sharp criticism, the JPC has retained this provision.

To limit the surveillance powers of the government, it has added an explanation saying the procedure to be followed by the government must be “fair, just, reasonable and proportionate”. Although adding this qualifier to exemption is a welcome move, it may not be sufficient.

Judicial oversight is critical to avoid arbitrary government actions – government requests for availing of exemptions should be sanctioned by courts. Moreover, the broad procedural mechanism providing for enough safeguards should be captured in the bill itself. Also, as suggested by some JPC members in their dissent notes, “public order” should be deleted for the purpose of narrow tailoring of the provision.

Another issue surrounds the composition of Data Protection Authority (DPA), which would be responsible for monitoring compliance and enforcement of the law. According to the 2019 bill, all DPA members need to be appointed by the central government, on the recommendation of a selection committee comprising the cabinet secretary and two secretory level bureaucrats. After the original provision attracted criticism, in the 2021 bill, the JPC has now included the attorney general as a member of the committee. To make JPC abundantly independent, judicial participation needs to be considered – and a senior judge (preferably someone who has delivered a few notable pronouncements on data privacy) should be made a member.

Simtrat Kaur, LexOrbis
Simtrat Kaur
Associate Partner
LexOrbis in New Delhi

The provision on data localisation is also one of the most contentious. The original 2018 bill had a blanket data localisation provision that was severely critiqued. In subsequent versions of the bill, this was relaxed a bit because of heavy pushbacks from other countries. The Data Protection Bill of 2021 now provides for soft localisation, requiring the mirroring of sensitive personal data and mandatory local processing for critical data. In other words, it permits the transfer and storage of sensitive personal data outside India, provided that a copy is stored locally.

Sensitive personal data includes data relating to health, religion, sex life, political beliefs, biometrics, genetics, finance, etc. Such data can be transferred outside the country if certain conditions are met – exactly along the lines of the GDPR’s adequacy mechanism. However, there is a bar on the transfer of critical data outside the country. It must be processed and stored exclusively in India. But the precise definition of critical data is awaited. Hence, there is not enough clarity as to what kinds of data it would cover.

The government has given quite a few reasons as to how data localisation would be beneficial for India. India is a huge data market, a large amount of India’s data is physically stored on servers located in the US, Ireland, etc. Mandating local storage would lead to the emergence of large-scale data centres in India, thereby aiding employment generation locally. It is believed that boosting the country’s overall IT or data infrastructure in this manner would fuel economic progress and help make India a global data processing hub.

While this protectionist vision on cross-border transfers of data seems to be good, the calculation of net benefits is important before implementing it. To ascertain if this regime would produce net profits or not, it would be crucial to assess if it would risk losing a considerable number of foreign businesses that offer data-based services in the country due to the added burden of complying with data localisation requirements. And the possibility of retaliatory actions by foreign governments against Indian companies should also be factored in.

Better law enforcement is another advantage which is touted by many. Enforcement agencies in India face constraints in accessing data stored in other jurisdictions. For instance, if a serious crime is committed and investigated in India, and critical evidence lies with some US-based service provider, the government would have no option but to use the data gathering mechanism provided under the India-US Mutual Legal Assistance Treaty (MLAT), which is quite cumbersome.

The US government seeks a court order before accepting a MLAT request from India. A US court determines if the Indian request satisfies relevant legal requirements under US law before passing the order accordingly. Once the order is granted, the US service provider produces the requisite data and shares it with the US Department of Justice to review for legal compliance before finally releasing it to India. This is a time-consuming process that generally takes several months – and the lack of timely access to data might frustrate any investigation.

Data localisation would offer a solution and ease data access by Indian government agencies. However, measuring and analysing as to what extent it would reduce India’s reliance on MLAT systems is crucial. We may look at the percentage of data or evidence required by enforcement agencies, which would be easy to access if the proposed soft variant of data localisation that requires mirroring of only sensitive personal data (and not all personal data) is adopted. Localisation is expected to supplement MLAT systems and other bilateral executive agreements with countries for direct access to data. But it is important to assess the risk of the local storage mandate hitting India’s eligibility to sign such agreements – and hence proving to be counterproductive.

Various thoughts on this are flowing in from different quarters. A recent report by India-based global think tank (Observer Research Foundation) argues that India’s local storage mandates may be an obstacle in negotiating an execution agreement with the US under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), an enabling US law that opens the way for international cooperation on data access by foreign governments for investigating “serious crimes” when national data laws are in conflict.

If India was a CLOUD agreement signatory, investigating a crime with related data stored by a US-based service provider, then no US warrant or court order would be required to access that data. An Indian court order could be used for that purpose. Indian government agencies could directly reach out to this US service provider and ask for the requisite data. But, to qualify for CLOUD Act agreement, India must have adequate domestic data protection laws. The CLOUD Act lists out factors to be considered in ascertaining adequacy.

India has not yet shown any interest in signing the CLOUD agreement. But nonetheless, it would be important to keep in mind that, in the future, if India considers signing the agreement, localisation mandates and wide surveillance powers of the government under its domestic law may affect the country’s adequacy status.

India is envisioning using its leverage in the global data economy, because of its huge size and number of internet users. But the Data Protection Bill is super critical to making a holistic assessment of the proposed law and the risks that some provisions carry – particularly those on cross-border transfers – to ensure the eventual law doesn’t go contrary to the stated vision.

Given the complexities of the issues at play, fine-tuning the critical provisions and reaching a consensus is indeed a challenge. Therefore, it may still take more time before the law finally sees the light of the day.

LexOrbis Logo

709-710 Tolstoy House
15-17 Tolstoy Road
New Delhi – 110001, India


Thailand’s Personal Data Protection Act, 2019 (PDPA) was promulgated to protect natural persons from the unauthorised or unlawful collection, use or disclosure of their personal data. The law came into force on 27 May 2019, but its full enforcement has been postponed twice, most recently until 1 June 2022.


The PDPA provides for the establishment of the Personal Data Protection Committee (PDPC) with duties including:

  • Determining measures or procedures for the protection of personal data;
  • Issuing notifications or regulations;
  • Announcing criteria for data protection procedures and the protection of data transferred overseas; and
  • Preparing a master plan to support and protect personal data.

The PDPC also has the power to appoint sub-committees for the consideration or performance of any acts, and provides for the establishment of an expert committee under it to investigate and consider complaints, as well as settling disputes in connection with personal data.

Finally, the PDPA provides for the establishment of the office of the PDPC and a supervisory commission. The office performs academic and administrative tasks for the PDPC, its committee and the supervisory commission. The office also has the power to review and certify policy for international data transfer.


The PDPA regulates the collection, use and disclosure of personal data (collectively, the act of processing data) by a data controller or a data processor in Thailand, regardless of whether the act of processing data takes place in the country.

If a data controller or a data processor is outside Thailand, the PDPA applies to the act of processing data of subjects in Thailand, where the activities of the data controller or data processor involve: (1) offering goods or services to data subjects in Thailand, regardless of whether any payment is made by the data subjects; and (2) monitoring data subjects’ behaviour in Thailand. However, the PDPA does not apply to:

  • Data collected for personal benefit or household activities of such person only;
  • Data concerning the operations of public authorities;
  • Data collected solely for activities in relation to mass media, fine arts or literature;
  • Data that fall under the duties and power of parliament or parliamentary committees;
  • Data concerning trials and adjudications of courts, as well as work operations of officers in legal proceedings; and
  • Data collected by a credit bureau company and its members.


Chumpicha Vivitasevi, Weerawong Chinnavat & Partners
Chumpicha Vivitasevi
Weerawong Chinnavat & Partners in Bangkok
Tel: +66 2264 8000 (ext. 8116)

The PDPA defines personal data as any information related to an identifiable person, directly or indirectly, but excludes information about deceased persons.

There are two types of personal data – general personal data and sensitive data. General personal data comprises personal data of any type that is not sensitive data. Sensitive data includes personal data on race, ethnic origin, political opinion, cult, religious or philosophical belief, sexual behaviour, criminal record, disability, trade union information, health data, genetic data, biometric data, and any other information that may similarly impact the data subject, as prescribed by the PDPC.

Unless there is a lawful basis allowing otherwise, processing of personal data requires explicit consent of the data subject. However, lawful bases for processing personal data without consent include: research; vital interests; contract; tasks carried out in the public interest or under official authority; the legitimate interest of the data controller (balanced against the rights of the data subject); legitimate non-profit activities; public data; legal claims; and legal obligation.


International transfer of personal data is only permitted under the PDPA in a limited number of circumstances, including: (1) where the transfer is to a destination country with adequate data protection standards, as determined by the PDPC; (2) the transfer is based on a group data protection policy that has been reviewed and approved by the office of the PDPC; and (3) under specific derogations, including where the transfer is for compliance with the law or where the consent has been obtained, provided that the data subject has been informed of the inadequacy of the data protection standards of the destination country.


Thaya Uthayophas, Weerawong Chinnavat & Partners
Thaya Uthayophas
Weerawong Chinnavat & Partners in Bangkok
Tel: +62 2264 8000 (ext. 8070)

The PDPA makes a distinction between a data controller, who has the authority to make decisions on the act of processing data, and a data processor, who operates in relation to the act of processing data pursuant to orders given by, or on behalf of, a data controller.

The data controller must implement security measures and verification procedures, as well as provide notification of any violations to the office of the PDPC. The PDPA requires the data controller to take appropriate measures to prevent the unauthorised or unlawful loss, access, use, alteration, correction or disclosure of personal data. The data controller must enter into an agreement with the data processor to ensure compliance with the PDPA.

The data processor is responsible for implementing security measures, notifying the data controller of any violations, and preparing and maintaining logs.


Transparency is a key principle under the PDPA, and the data controller must inform the data subject of the following before, or at the time of, data collection:

  • Purpose of the collection, including its legal basis;
  • Impact of not providing information;
  • Data to be collected and period of storage;
  • Categories of persons or entities to whom the personal data may be disclosed;
  • Contact information, addresses and contact details of the data controller and the controller’s representative or data protection officer (as applicable); and
  • Rights of data subjects.

In addition, the act of processing data must be conducted in accordance with the purpose previously notified to the data subject, unless the data subject has been informed of a new purpose and prior consent has been obtained.

For accountability under the PDPA, the data controller must also maintain the following records and make them available for inspection by the data subject and the office of the PDPC:

  • Personal data collected;
  • Purpose of the collection;
  • Details of the data controller;
  • Retention period for the personal data;
  • Rights and methods in accessing the personal data;
  • Uses or disclosures of personal data exempted from the consent requirement;
  • Rejections of requests or objections; and
  • Explanation of appropriate security measures to prevent data breaches.


The PDPA requires the data controller to notify the office of the PDPC within 72 hours of becoming aware of any personal data breach, unless the breach is unlikely to compromise the rights and freedoms of data subjects. If a breach poses high risks to the rights and freedoms of data subjects, the data controller must notify them and take remedial measures immediately.


Data subjects have rights against the data controller, including the right to request access to, and obtain a copy of, their personal data, to data portability, to object to processing, to be forgotten, to restrict the use of personal data, and to amend their data for accuracy purposes.


Penalties for non-compliance with the PDPA include criminal, administrative and civil penalties. Criminal penalties include imprisonment for up to one year and/or fines of up to THB1 million (USD29,250). If the violation is caused by the instruction or omission of a person responsible for a company, the person may also be subject to the same penalties. Civil liabilities include punitive damages of up to twice the amount of actual damages, and civil damages may be claimed under a class action lawsuit. The PDPC is authorised to order administrative fines of up to THB3 million for general data and THB5 million for sensitive data.


Public hearings have been conducted on three groups of draft sub-regulations, which are all currently under consideration by the PDPC concerning the following matters:

  • Criteria and methods for obtaining consent;
  • Processing of personal data;
  • Proper data protection methods for sensitive personal data;
  • Criteria and protections for data transfer overseas;
  • Activity records, methods for data subject requests, and reports on breaches;
  • Data protection officers;
  • Appointment of foreign representatives;
  • Industry exceptions for compliance with specific provisions;
  • Duties with regard to data subject rights;
  • Duties of data processors;
  • A code of conduct;
  • Data protection impact assessment and automated decision making; and
  • Personal data protection standards and certifications.
WCP Logo

22/F, Mercury Tower, 540 Ploenchit Road, Lumpini
Pathumwan, Bangkok 10330, Thailand
Tel: +662 264 8215


The Philippines’ Data Privacy Act (DPA) applies to the processing of all types of personal information and any natural or juridical person involved in it, whether personal information controllers or processors.

The act has extraterritorial applications to personal information controllers (PIC) and processors (PIP) who, although not found or established in the Philippines, use equipment located in the country, or maintain an office, branch or agency in the Philippines, subject to exceptions stated in section 4 of the DPA.

The Philippines’ Data Privacy Act (DPA) applies to the processing of all types of personal information and any natural or juridical person involved in it, whether personal information controllers or processors.

The act has extraterritorial applications to personal information controllers (PIC) and processors (PIP) who, although not found or established in the Philippines, use equipment located in the country, or maintain an office, branch or agency in the Philippines, subject to exceptions stated in section 4 of the DPA.


Personal information refers to “any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”.

The act also distinguishes personal information and sensitive personal information such as age, ethnic origin, marital status, colour, religious, philosophical and political affiliations, individual’s health, education, genetic or sexual life, offences committed or alleged, government-issued identification, health records, and tax returns. Meanwhile, privileged information under the Rules of Court, namely information disclosed during an attorney-client relationship, is treated as sensitive personal information.


Enrique Dela Cruz, DivinaLaw
Enrique Dela Cruz
Senior Partner
DivinaLaw in Makati City

Processing, as intended by the law, is “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organising, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data”.

Personal information may be processed if the requirements under sections 11 and 12 of the act are complied. Under section 11, the processing should adhere to the principles of transparency, legitimate purpose and proportionality. Section 12 states that processing is permitted as long as it is not prohibited by law and at least one of the conditions exists, such as consent of the data subject, necessary for fulfilment of contract or to comply with legal obligations, etc.

Processing sensitive personal information is generally prohibited. Exceptions are: the data subject has given his consent; allowed by existing laws and regulations; necessary to protect the life and health of the data subject or another person in instances where the former cannot express his consent; necessary to achieve lawful and non-commercial objectives of public organisations and their associations; necessary for purposes of medical treatment; necessary for protection of lawful rights and interests of natural or legal persons in court proceedings; or for establishment, exercise or defence of legal claims, or when provided to a government or public authority.

Finally, the National Privacy Commission (NPC) Advisory Opinion, issued in August 2017, clarified how consent should be given.

It emphasised that implied or inferred consent is not valid, and cited recital 32 of the EU’s General Data Protection Regulation, which specifies that “silence, pre-ticked boxes or inactivity should not constitute consent”.

Rights of data subjects. Under section 16 of the DPA, the data subject is entitled to the following rights:

  • Right to be informed of the processing of personal information including the existence of automated decision-making and profiling.
    Moreover, this includes a data subject’s right to know to whom their personal information is sold or disclosed, and contents of personal information processed;
  • Right to access;
  • Right to object to processing;
  • Right to erasure or blocking;
  • Right to damages;
  • Right to file a complaint, subject to the requirement of exhaustion and timeliness;
  • Right to rectify; and
  • Right to data portability.

Data protection officer. A PIC must appoint a data protection officer who shall be accountable for compliance under the DPA.

Registration. DPA implementing rules and regulations mandate the registration of personal data processing systems of organisations if:

  • Sensitive personal information of at least 1,000 individuals is processed;
  • The PIC or PIP employs at least 250 persons;
  • Less than 250 persons are employed but the processing is not occasional; or
  • Less than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject.

Transfer. The PIC is responsible for personal information transmitted to third parties.

Breach. The PIC or PIP is required to notify the NPC and affected data subject of a personal data breach within 72 hours of its discovery.


The following are up-to-date applications of the DPA.

Contact tracing apps. The NPC clarified that contact tracing apps must “allow users to opt-in and out of digital contact tracing. Use of the app must be voluntary, with data subjects allowed to withdraw consent at any time … When different purposes exist in the app, there must be a separate consent and the purpose must be explained beforehand to users.”

Ian Jerny De Leon, DivinaLaw
Ian Jerny De Leon
Junior Partner
DivinaLaw in Makati City

Employee surveillance. Under the NPC advisory opinion No. 2018-084, monitoring employee activities on company-issued computers “may be allowable under the DPA, provided the processing falls under any of the criteria for lawful processing of personal data under section 12 and/or 13 of the law”.

The same opinion clarified that “secret surveillance” is frowned upon and it “is the duty of the employer to explain the conduct of computer monitoring to the employees, the specific purpose, scope and actual method of monitoring, security measures to protect personal data, as well as the procedure for redress in cases where the rights of the employee as a data subject are violated … Every employer conducting computer monitoring or employee monitoring should ensure that the data collected directly satisfies the purpose of monitoring, and that it clearly aligns with the need(s) and objectives of the organisation.”

The NPC public health emergency bulletin No. 14 later clarified that work monitoring software may be installed in company-issued devices, but employers are required to notify employees of the existence of such software, to conduct a privacy impact assessment to determine risks and mitigation procedures, and to use less privacy-intrusive means of monitoring employees.

To elaborate, the means of monitoring should only be proportional to the intended purpose. Requiring employees to stay on video while working is thus considered excessive. The means of monitoring should be “adequate, relevant, suitable and necessary, and not excessive”.

Terence Mark Arthur Ferrer, DivinaLaw
Terence Mark Arthur Ferrer
Senior Associate
DivinaLaw in Makati City

E-learning. The NPC recommends that teachers “must always consider the privacy, equity and peculiarity among students during online classes”.

The NPC recommends making webcam use optional in online classes, but also understands that video-conferencing might be helpful during online proctoring or examination monitoring. The NPC advises that teachers should balance the interests of students and the educational institution, and always obtain explicit consent of the students.

Moreover, the NPC reminds teachers not to publicly post personal data such as grades and results of assignments. Teachers should ensure that personal data are safeguarded and stored in personal accounts or devices.

In addition, teachers should allow alternative means of submitting projects and assignments, not disincentivise non-use of webcams and lack of eye contact, and not force students to turn on webcams.

Proof of vaccination. Private establishments may refuse the entry of persons who do not present vaccination records. Access to private establishments is subject to the consent and conditions imposed by the owner of the said establishment. However, vaccination records contain sensitive personal information, so private establishments cannot force data subjects to disclose it.

The practice of some government offices to require presentation of vaccination records for basic government services is highly disputable at this point. This, in turn, is an indirect mandate for citizens to be vaccinated to avail of basic government services. However, under Jacobson v Massachusetts, the US Supreme Court ruled that state police power allows the state to enact a compulsory vaccination law.

Surveillance advertising. The NPC emphasises that “it is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without regulation”.

The NPC also clarified that marketers become PICs of the personal information of potential clients they obtained from publicly available sources. Therefore, marketers should follow the criteria for lawful processing of personal, sensitive personal and privileged information as provided in the DPA.

DivinaLaw Logo

8/F Pacific Star Building
Sen. Gil Puyat Ave. cor. Makati Ave.,
Makati City, Metro Manila – 1200
The Philippines
Tel: +632 8822 0808

Copy link