DATA PRIVACY ACT (SUMMARY)

The Philippines has a growing and important business process management and health information technology industry. Total IT spending reached $4.4 billion in 2016, and the sector is expected to more than double by 2020. Filipinos are heavy social media users: 42.1 million are on Facebook, 13 million on Twitter, and 3.5 million are LinkedIn users. The country is also in the process of enabling free public Wi-Fi. In the context of the rapid growth of the digital economy and increasing international trade of data, the Philippines has strengthened its privacy and security protections. In 2012 the Philippines passed the Data Privacy Act 2012, comprehensive and strict privacy legislation “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act No. 10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National Privacy Commission that enforces and oversees it and is endowed with rulemaking power. On September 9, 2016, the final implementing rules and regulations came into force, adding specificity to the Privacy Act.

Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities that process personal information, with some exceptions. The law has extraterritorial application, applying not only to businesses with offices in the Philippines, but also when equipment based in the Philippines is used for processing. The act further applies to the processing of the personal information of Philippine citizens regardless of where they reside. One exception in the act provides that the law does not apply to the processing of personal information in the Philippines that was lawfully collected from residents of foreign jurisdictions, an exception helpful for Philippine companies that offer cloud services.

Approach

The Philippines law takes the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared, specified, and legitimate purpose” and further provides that consent is required prior to the collection of all personal data. It requires that when obtaining consent, the data subject be informed about the extent and purpose of processing, and it specifically mentions the “automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.” Consent is further required for sharing information with affiliates or even parent companies. Consent must be “freely given, specific, informed,” and the definition further requires that consent to collection and processing be evidenced by recorded means. However, processing does not always require consent. Consent is not required for processing where the data subject is party to a contractual agreement, for purposes of fulfilling that contract. The exceptions of compliance with a legal obligation upon the data controller, protection of the vital interests of the data subject, and response to a national emergency are also available. An exception to consent is allowed where processing is necessary to pursue the legitimate interests of the data controller, except where overridden by the fundamental rights and freedoms of the data subject.

Required agreements

The law requires that when sharing data, the sharing be covered by an agreement that provides adequate safeguards for the rights of data subjects, and that these agreements are subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:
About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed;
Issued by government agencies “peculiar” (unique) to an individual, such as social security number;
Marked as classified by executive order or act of Congress.
All processing of sensitive and personal information is prohibited except in certain circumstances. The exceptions are:
Consent of the data subject;
Pursuant to law that does not require consent;
Necessity to protect life and health of a person;
Necessity for medical treatment;
Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.
Surveillance

Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a major anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must develop, implement and review procedures for the collection of personal data, obtaining consent, limiting processing to defined purposes, access management, providing recourse to data subjects, and appropriate data retention policies. These requirements necessitate the creation of a privacy program. Requirements for technical security safeguards in the act also mandate that an entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the principles of notice, choice, access, accuracy and integrity of data. The Philippines law appears to contain a “right to be forgotten” in the form of a right to erasure or blocking, where the data subject may order the removal of his or her personal data from the filing system of the data controller. Exercising this right requires “substantial proof,” the burden of producing which is placed on the data subject. This right is expressly limited by the fact that continued publication may be justified by constitutional rights to freedom of speech, expression and other rights. Notably, the law provides a private right of action for damages for inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. A right to data portability is also provided.

Mandatory personal information breach notification

The law defines “security incident” and “personal data breach” separately, ensuring that the two are not confused. A “security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise availability, integrity or confidentiality. This definition includes incidents that would result in a personal data breach, if not for safeguards that have been put in place. A “personal data breach,” on the other hand, is a subset of a security incident that actually leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Requirement to notify

The law further provides that not all “personal data breaches” require notification, and sets out several bases for not notifying data subjects or the data protection authority. Section 38 of the IRRs provides the requirements of breach notification:
The breached information must be sensitive personal information, or information that could be used for identity fraud, and
There is a reasonable belief that unauthorized acquisition has occurred, and
The risk to the data subject is real, and
The potential harm is serious.
The law provides that the Commission may determine that notification to data subjects is unwarranted after taking into account the entity’s compliance with the Privacy Act, and whether the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy Commission as well as affected data subjects within 72 hours of knowledge of, or reasonable belief by the data controller of, a personal data breach that requires notification. It is unclear at present whether the commission would allow a delay in notification of data subjects to allow the commission to determine whether a notification is unwarranted. By the law, this would appear to be a gamble.

Notification contents

The contents of the notification must at least:
Describe the nature of the breach;
The personal data possibly involved;
The measures taken by the entity to address the breach;
The measures taken to reduce the harm or negative consequences of the breach;
The representatives of the personal information controller, including their contact details;
Any assistance to be provided to the affected data subjects.
Penalties

The law provides separate penalties for various violations, most of which also include imprisonment. Separate counts exist for unauthorized processing, processing for unauthorized purposes, negligent access, improper disposal, unauthorized access or intentional breach, concealment of a breach involving sensitive personal information, unauthorized disclosure, and malicious disclosure. Any combination or series of acts may cause the entity to be subject to imprisonment ranging from three to six years as well as a fine of approximately $20,000 to $100,000. Notably, the previously mentioned private right of action for damages would also apply.

Penalties for failure to notify

Persons having knowledge of a security breach involving sensitive personal information and of the obligation to notify the commission of the same, and who fail to do so, may be subject to penalty for concealment, including imprisonment for one and a half to five years and a fine of approximately $10,000 to $20,000. Depending upon the circumstances, additional violations might apply.