In 2012 the Philippines passed the Data Privacy Act of 2012, comprehensive and
strict privacy legislation whose stated policy is "to protect the fundamental
human right of privacy, of communication while ensuring free flow of information
to promote innovation and growth" (Republic Act No. 10173, Ch. 1, Sec. 2). The
act also established a National Privacy Commission that enforces and oversees
it and is endowed with rulemaking power. On September 9, 2016, the final
implementing rules and regulations (IRRs) came into force, adding specificity to
the Privacy Act.
The Data Privacy Act is broadly applicable to individuals and legal entities that
process personal information, with some exceptions. The law has extraterritorial
reach: it applies not only to businesses with offices in the Philippines, but also
to entities outside the country that use equipment located in the Philippines for
processing. The act further applies to the processing of the personal information
of Philippine citizens regardless of where they reside.
One exception in the act provides that the law does not apply to the processing
in the Philippines of personal information that was lawfully collected from
residents of foreign jurisdictions, an exception helpful for Philippine companies
that offer cloud services.
Approach
The Philippine law takes the approach that "the processing of personal data
shall be allowed, subject to adherence to the principles of transparency,
legitimate purpose, and proportionality."
The act states that personal data must be collected for a declared, specified,
and legitimate purpose, and further provides that consent is required prior to
the collection of personal data unless one of the exceptions discussed below
applies. When obtaining consent, the data subject must be informed about the
extent and purpose of processing; the rules specifically mention automated
processing of his or her personal data for profiling, processing for direct
marketing, and data sharing. Consent is further required for sharing information
with affiliates or even parent companies.
Consent must be freely given, specific, and informed, and the statutory
definition further requires that consent to collection and processing be
evidenced by written, electronic, or recorded means. However, processing does
not always require consent.
Consent is not required for processing where the data subject is party to a
contract, for purposes of fulfilling that contract. Exceptions are also available
for compliance with a legal obligation of the personal information controller,
protection of the vital interests of the data subject, and response to a national
emergency.
A further exception allows processing without consent where it is necessary to
pursue the legitimate interests of the controller, except where those interests
are overridden by the fundamental rights and freedoms of the data subject.
Required agreements
The law requires that when personal data is shared with another party, the
sharing be covered by a data sharing agreement that provides adequate
safeguards for the rights of data subjects, and that these agreements are
subject to review by the National Privacy Commission.
The act's category of "sensitive personal information" includes, among other
items, information about an individual's race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations.
Surveillance
Interestingly, the Philippine law states that the country's Human Security Act of
2007 (Republic Act No. 9372, a major anti-terrorism law that enables
surveillance) must comply with the Privacy Act.
The law requires that any entity involved in data processing and subject to the
act must develop, implement and regularly review procedures for the collection
of personal data, obtaining consent, limiting processing to defined purposes,
access management, providing recourse to data subjects, and appropriate data
retention. In practice these requirements necessitate a privacy program, and
the act's requirements for organizational, physical and technical security
measures likewise mandate that an entity maintain a security program.
The law enumerates data subject rights that will be familiar to privacy
professionals, corresponding to the principles of notice, choice, access, and
accuracy and integrity of data. Notably, the law provides a private right of
action for damages sustained due to inaccurate, incomplete, outdated, false,
unlawfully obtained or unauthorized use of personal data.
The IRRs define both "security incident" and "personal data breach," ensuring
that the two are not confused. A security incident is an event or occurrence that
affects or tends to affect data protection, or may compromise the availability,
integrity or confidentiality of personal data. The definition expressly includes
incidents that would have resulted in a personal data breach if not for
safeguards that had been put in place.
Requirement to notify
The law further provides that not all personal data breaches require
notification; the IRRs set out several bases for not notifying data subjects or
the Commission. Section 38 of the IRRs provides the requirements of breach
notification:
The Commission may also determine that notification to data subjects is
unwarranted after taking into account the entity's compliance with the Privacy
Act and whether the acquisition of the data was in good faith.
Notification timeline and recipients
Notification contents
Penalties
The law provides separate penalties for various violations, most of which also
include imprisonment. Separate offenses exist for unauthorized processing,
processing for unauthorized purposes, access due to negligence, improper
disposal, unauthorized access or intentional breach, concealment of a security
breach involving sensitive personal information, unauthorized disclosure, and
malicious disclosure. Notably, the previously mentioned private right of action
for damages applies in addition to these criminal penalties.