The Philippines’ Data Privacy Act Of 2012

Sept. 11, 2012, 8:47 PM UTC

The Philippines recently adopted its first data privacy law. Republic Act No. 10173, or the Data Privacy Act of 2012 [1] (the Act), which is intended to protect the integrity and security of personal data in both the private and public sectors, was signed by the President on August 15, 2012 (see report in this issue). It was published on August 24, 2012, and took effect 15 days after its publication, on September 8, 2012. The rules and regulations implementing the Act are expected to be issued within 90 days from the law’s entry into force.

The enactment of the law seeks to bring the Philippines’ data protection policies and measures on par with the international standards of data privacy protection. Government and business leaders also believe that the implementation of the law will help maintain the competitiveness of the Philippines and boost investments in its information technology-business process outsourcing (IT-BPO) sector [2] and support a healthy information and communications technology (ICT) industry.

Previous Legal Landscape

The new legislation fills a void in the Philippine legal system. Prior to the promulgation of the Act, there was no Philippine law dealing specifically with personal data privacy. While the Philippine Constitution and jurisprudence recognize and protect a person’s right to privacy, they deal with the protection of personal information in only a general manner.

There were also provisions scattered across several statutes, such as the Civil Code, the Revised Penal Code, the Anti-Wire Tapping Law, and the Electronic Commerce Act, dealing with the right of privacy of an individual. However, these provisions do not squarely address the issue of data privacy and so are inadequate, and, in some instances, inapplicable, in addressing the issue of personal data privacy. There was also no government agency overseeing the protection of personal data.

Guidelines issued by the Department of Trade and Industry (DTI) in connection with the Electronic Commerce Act concerning the protection of personal data in information and communications systems in the private sector (the DTI Guidelines) [3] are the closest thing the Philippines had to a data privacy rule prior to the Act. The DTI Guidelines followed the basic principles of personal data processing laid down in the European Union’s Data Protection Directive (95/46/EC) (i.e., legitimate purpose, transparency, and proportionality). However, the DTI Guidelines were generally considered to have no teeth, as they did not provide for any penalties for violations. The DTI Guidelines were also limited in scope in the sense that they did not cover personal data in the public sector.

The data processing principles of legitimate purpose, transparency, and proportionality have been recognized by the Philippine Supreme Court in the case of Ople vs. Torres. [4] In this case, the Supreme Court struck down as unconstitutional, and hence null and void, an administrative order proposing to establish a National Computerized Identification Reference System. In this connection, the administrative order sought to introduce a Population Reference Number (PRN) to establish a linkage among concerned government agencies through the use of biometrics technology (e.g., finger-scanning, retinal scanning, etc.). The Supreme Court held that the administrative order was unconstitutional because “facially, it violate[d] the right to privacy.” The Supreme Court noted that the order failed to specify what specific biological characteristics would be used to identify people sought to be covered by the system. The Supreme Court also noted that the purposes for which the data was to be collected and processed were not specified. It noted that the PRN may be used for the generation of other data “for development planning,” creating avenues for potential misuse of the data to be gathered, as well as possible leakage of the information, or manipulation of data. Furthermore, the Supreme Court stated that adequate safeguards must be in place for protection of the data collected.

These data collection and processing principles are now expressly incorporated in the Act.

What the Act Provides

As mentioned above, the Act has incorporated substantially the DTI Guidelines, which are, in turn, based on the EU Data Protection Directive, which basically allows the collection, use, processing, and storage of personal data based on the general principles of legitimate purpose, transparency, and proportionality.

The Act establishes a new government agency, the National Privacy Commission (NPC), tasked, among other things, to:

  • ensure the compliance of personal information controllers with the provisions of the Act;


  • receive complaints, institute investigations, adjudicate and award indemnity on matters affecting any personal information;


  • issue cease and desist orders, and impose a temporary ban on the processing of personal information, upon a finding that the processing will be detrimental to national security and the public interest;


  • compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;


  • monitor the compliance of other government agencies or instrumentalities with their security and technical measures;


  • recommend to the Department of Justice (DOJ) the prosecution and imposition of the criminal penalties specified in Sections 25 to 29 of the Act;


  • review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers;


  • negotiate and contract with the data privacy authorities of other countries for cross-border application and implementation of respective privacy laws; and


  • generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

The Act also includes additional features not found in the previous DTI Guidelines. It:

  • provides for a more comprehensive enumeration of the rights of the data subject, including the express right to be indemnified for any damages sustained due to the use of inaccurate, incomplete, false, unlawfully obtained or unauthorized personal information;


  • differentiates between “personal information” and “sensitive personal information”:


      • “personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual; while


      • “sensitive personal information,” on the other hand, refers to personal information: 1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; 2) about an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; 3) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or license denials, suspension or revocation, and tax returns; and 4) specifically established by an executive order or an act of Congress to be kept classified;


  • prohibits the processing of “sensitive personal information” except in specific cases enumerated in the Act (which include consent);


  • imposes upon information controllers certain notification obligations to the Data Privacy Commission in specific cases of data privacy breach;


  • obligates information controllers to designate individual/s within their organizations who are accountable for the organization’s compliance with the Act; and


  • provides for criminal penalties (including imprisonment and fines) for specific violations of the Act (e.g., unauthorized processing, improper disposal, processing for unauthorized purposes, unauthorized access or intentional breach, concealment of security breaches and malicious disclosure of personal information and sensitive personal information).

The Act provides for a wide scope of application, as it applies to the processing of “all types of personal information and to all natural and juridical persons involved in personal information processing,” including personal information controllers and processors that, although not found in the Philippines, use equipment or have offices or branches that are located in the country.

The Act also applies to an act done or practice engaged in outside the Philippines by an entity if:

  • the act, practice or processing relates to personal information about a Philippine citizen or a resident;


  • the entity has a link with the Philippines, and the entity is processing personal information in the Philippines or, even if the processing is outside the Philippines, it is about Philippine citizens or residents; or


  • the entity has other links in the Philippines (e.g., the entity carries on business in the Philippines, and the personal information was collected or held by an entity in the Philippines).

Notably, however, the Act provides a safe harbor for business process outsourcing entities that process personal information collected from foreign residents in accordance with the laws of such foreign jurisdictions. Section 4(g) of the Act expressly excludes from the coverage of the Act:

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Moreover, the Act also includes a provision that expressly provides protection to journalists and their sources. This provision was included in the law during the deliberations in Congress amidst fears voiced by media groups that the Act may be used to unduly curtail press freedom. Section 5 of the law reads:

Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

Challenges to Implementation

The coverage of the law is quite expansive and, based on its provisions, could apply to all types of information relating to individuals — even those found in public databases. As a case in point, protected “sensitive personal information” includes information involving any proceeding for any offense committed or alleged to have been committed by a person, the disposal of such proceedings, or the sentence of any court in such proceedings. “Personal information” also includes not only information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, but also information that “when put together with other information would directly and certainly identify an individual” (emphasis added).

In the absence of further clarification, therefore, it would be prudent to treat all information relating to individuals as protected, and data protection policies need to be re-examined to make sure they are aligned with the Act. Obtaining the data subject’s consent to the processing of any information relating to him or her, prior to collection of the data, appears to be the best practice. The consent must be “specific,” so consent forms need to be crafted to provide as much information about the data to be collected as possible, pending further details that will hopefully be provided in the implementing rules and regulations of the Act.
