Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
The Data Privacy Act is broadly applicable to individuals and legal entities that process
personal information, with some exceptions. The law has extraterritorial application, applying
not only to businesses with offices in the Philippines, but when equipment based in the
Philippines is used for processing. The act further applies to the processing of the personal
information of Philippines citizens regardless of where they reside.
One exception in the act provides that the law does not apply to the processing of
personal information in the Philippines that was lawfully collected from residents of foreign
jurisdictions — an exception helpful for Philippines companies that offer cloud services.
Approach
The Philippines law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”
The act states that the collection of personal data “must be a declared, specified, and
legitimate purpose” and further provides that consent is required prior to the collection
of all personal data. It requires that when obtaining consent, the data subject be informed about
the extent and purpose of processing, and it specifically mentions the “automated processing of
his or her personal data for profiling, or processing for direct marketing, and data sharing.”
Consent is further required for sharing information with affiliates or even mother companies.
Consent must be “freely given, specific, informed,” and the definition further requires
that consent to collection and processing be evidenced by recorded means. However, processing
does not always require consent.
Consent is not required for processing where the data subject is party to a contractual
agreement, for purposes of fulfilling that contract. The exceptions of compliance with a legal
obligation upon the data controller, protection of the vital interests of the data subject, and
response to a national emergency are also available.
Required agreements
The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these agreements are
subject to review by the National Privacy Commission.
About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.
Surveillance
Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a
major anti-terrorism law that enables surveillance) must comply with the Privacy Act.
The law requires that any entity involved in data processing and subject to the act must
develop, implement and review procedures for the collection of personal data, obtaining consent,
limiting processing to defined purposes, access management, providing recourse to data subjects,
and appropriate data retention policies. These requirements necessitate the creation of a privacy
program. Requirements for technical security safeguards in the act also mandate that an entity
have a security program.
Data subjects' rights
The law enumerates rights that are familiar to privacy professionals as related to the
principles of notice, choice, access, accuracy and integrity of data.
The Philippines law appears to contain a “right to be forgotten” in the form of a right to
erasure or blocking, where the data subject may order the removal of his or her personal data
from the filing system of the data controller. Exercising this right requires “substantial proof,”
the burden of producing which is placed on the data subject. This right is expressly limited by the
fact that continued publication may be justified by constitutional rights to freedom of speech,
expression and other rights.
Notably, the law provides a private right of action for damages for inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.
The law defines “security incident” and “personal data breach” ensuring that the two are
not confused. A “security incident” is an event or occurrence that affects or tends to affect data
protection, or may compromise availability, integrity or confidentiality. This definition includes
incidents that would result in a personal breach, if not for safeguards that have been put in place.
A “personal data breach,” on the other hand, is a subset of a security breach that actually
leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access
to, personal data transmitted, stored, or otherwise processed.
Requirement to notify
The law further provides that not all “personal data breaches” require notification., which
provides several bases for not notifying data subjects or the data protection authority. Section 38
of the IRRs provides the requirements of breach notification:
The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and whether
the acquisition was in good faith.
The law places a concurrent obligation to notify the National Privacy Commission as
well as affected data subjects within 72 hours of knowledge of, or reasonable belief by the data
controller of, a personal data breach that requires notification.
Notification contents
The measures take to reduce the harm or negative consequence of the breach;
The representatives of the personal information controller, including their contact details;
Penalties
The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for unauthorized
purposes, negligent access, improper disposal, unauthorized access or intentional breach,
concealment of breach involving sensitive personal information, unauthorized disclosure, and
malicious disclosure.
Any combination or series of acts may cause the entity to be subject to imprisonment
ranging from three to six years as well as a fine of approximately $20,000 to $100,000.
Notably, there is also the previously mentioned private right of action for damages, which
would apply.