Keeping watch on Data Privacy: Philippines

    By John Paul M Gaba, ACCRALAW

    The Philippine Data Privacy Act of 2012 (DPA, or Republic Act No. 10173) was signed into law on 15 August 2012. It is a comprehensive law that governs personal data privacy protection in the Philippines. The National Privacy Commission (NPC) – the government agency primarily mandated to oversee its administration and implementation – promulgated the last implementing rules and regulations in August 2016.

    The Data Privacy Act comes in response to the freer exchange of personal data on the global stage and the setting of international standards for data protection. It is important for the Philippines as a global leader in business process outsourcing services.

    Prior to Republic Act No. 10173, with no centralised regulatory oversight for personal data processing or comprehensive protective measures for data subjects, the wealth of personal data at that time was subject to abuse and misuse – from the unmitigated use and sharing of contact details for purposes beyond those initially contemplated, to identity theft and security breaches – to the detriment of the data subject’s constitutionally guaranteed right to privacy.

    John Paul M Gaba
    Tel: +632 88308000

    As early as 2006, the Philippine Department of Trade and Industry (DTI) issued DTI Administrative Order No. 8 on the Guidelines on the Protection of Personal Data. This was patterned on the EU’s then Data Protection Directive of 1995 – the predecessor of the current EU General Data Protection Regulation (GDPR). Hence, the Philippine DPA is deeply rooted in the standards and principles espoused by the EU.

    Republic Act No. 10173 applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, both private and government. It covers data controllers and processors not found in the Philippines, but either:

    • Using equipment located in the Philippines; or
    • Maintaining an office, branch or agency in the Philippines.

    The law also applies to personal data of a Philippine citizen or resident, regardless of the location of the data subject, and wherever the data is processed. For example, Republic Act No. 10173 will apply in the case of an overseas Filipino worker in the US whose personal data is being processed by a local Philippine bank. Also, our local privacy law will apply if the same worker’s personal data is processed by a foreign bank outside the Philippines. As to how the law can be enforced is a totally different matter.

    Processing is defined under Republic Act No. 10173 as any operation or set of operations performed on personal information (such as, but not limited to, collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data).

    “Personal information controller” refers to any person or organisation that controls the collection, holding, processing or use of personal information (except those who perform such functions as instructed by another person or organisation; and an individual who performs the same functions in connection with an individual’s personal, family or household affairs). Meanwhile, “personal information processor” refers to any natural or juridical person to whom a personal information controller may outsource the processing of personal data.

    The following are exempt from Republic Act No. 10173:

    • Information on any current or previous government servant that relates to their position or functions;
    • Information relating to an individual’s services performed under a government contract;
    • Information relating to any discretionary financial benefit given by the government to an individual;
    • Personal information processed for journalistic, artistic, literary or research purposes;
    • Information necessary for the functions of a public authority;
    • Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act; and
    • Personal information collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions.

    Republic Act No. 10173 makes distinctions between personal information and sensitive personal information, prescribing different requirements for their lawful processing.

    • Personal information is any information from which an individual’s identity is apparent or can be reasonably and directly ascertained, or would directly and certainly identify an individual when put with other information.
    • Sensitive personal information refers to personal information about: one’s race; marital status; age; colour; religious, philosophical or political affiliations; health; education; court proceedings; information issued by government agencies peculiar to an individual (e.g. social security numbers, health records, licences, tax returns, copies of government-issued IDs and/or their numbers); and those specifically declared as classified by law or regulation.

    The law generally requires consent from data subjects before one can validly process personal data, unless the processing is covered by any of the conditions expressly outlined in Republic Act No. 10173, its rules or regulations. Please note that this law only recognises express consent and frowns on implied consent (consent being defined under the act as “any freely given, specific, informed indication of will … [and] shall be evidenced by written, electronic or recorded means”).

    Republic Act No. 10173 extensively outlines the rights of data subjects to their personal information, which are similar to the rights recognised under the EU GDPR. These include the rights to: be informed; access; object; erasure and blocking; rectify; file a complaint; damages; and data portability.

    These rights must be observed and respected by data controllers and data processors, except when the personal information is for scientific and statistical research, and no activities are carried out and no decisions are taken regarding the data subject, or are gathered for investigations into any criminal, administrative or tax liabilities of a data subject.

    The law outlines general principles on security of personal information, as well as accountability for transferring personal information. Specific provisions are laid down concerning security of sensitive personal information in the government, as well as provisions on data breach and the basic guidelines for reporting instances of data breach.

    Similar to the GDPR, our local privacy law and regulations impose breach notification obligations on personal information controllers in cases of personal data breaches. Such breach notifications must be served on the affected data subjects and reported to the NPC. Breach notifications must be submitted to the NPC within 72 hours “upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred”.

    Local privacy regulations require the designation/appointment of a data protection officer (DPO). However, not all DPOs are required to register with the NPC. Registration with the NPC is mandatory:

    • If the entity employs 250 or more people;
    • If the entity “processes” records containing sensitive personal information of at least 1,000 individuals; and
    • If the entity’s processing of personal information is either “likely to pose a risk to the rights and freedoms of data subjects” or deemed “not occasional”.

    As regards the last criterion, the NPC’s guidelines list the sectors that it considers covered by the mandatory registration requirement regardless of the number of data subjects or the volume of personal information being processed. These sectors, considered critical, are the following:

    • Government agencies;
    • Banks and the non-banking financial institutions;
    • Telecoms and internet service providers;
    • BPO companies;
    • Universities, colleges and all other schools and training institutions;
    • Hospitals, clinics and other healthcare facilities;
    • Insurance companies and insurance brokers;
    • Those involved in direct marketing, networking and other companies providing reward cards and loyalty programmes;
    • Pharmaceutical companies engaged in research; and
    • Personal information processors processing personal data for a personal information controller included in any of these critical sectors.

    Apart from the DPO, certain data processing systems (DPS) must also be registered with the NPC. With the launch of the NPC’s new registration portal, submission of both the DPO and DPS details is required to complete the NPC registration requirements.

    Finally, violations of Republic Act No. 10173 are punishable by mandatory imprisonment and fines; it is one of the very few data privacy laws that impose imprisonment as a penalty. A higher range of penalties is imposed if sensitive personal information is involved.

    Maximum penalties are imposed when the personal information of at least 100 people is affected. Although there was a move initiated by the NPC and other concerned sectors to propose the amendment of Republic Act No. 10173, which included the removal of the penalty of imprisonment, this was put on hold due to the Covid-19 pandemic.


    22nd to 26th Floors ACCRALAW Tower, Second Avenue corner
    30th Street, Crescent Park West, Bonifacio Global City
    Taguig, Metro Manila, Philippines
    Tel: (632) 88308000
