Comprehensive regulations targeted at personal data privacy protection are being implemented across jurisdictions in the Philippines, Taiwan and India

Impact of India's data protection framework on policy and business

In 2023, India embarked on a new era of data protection by enacting the Digital Personal Data Protection Act, 2023 (DPDP Act). Subsequently, the government released the Draft Digital Personal Data Protection Rules, 2025 (draft DPDP rules) in January 2025 for stakeholder consultation, which concluded on 5 March 2025.

The DPDP Act has been signed into law by the president of India but is not yet in force. Until it is enforced, the 2011 SPDI (sensitive personal data or information) rules will govern data protection in India. The Ministry of Electronics and Information Technology (MeitY) is considering a two-year transition period for businesses to align with the DPDP Act and forthcoming rules.

Ameet Datta
Managing Counsel
ADP Law Offices
India
Tel: +91 99100 31747
Email: ameet@adplawoffices.com

Some of the recent statements of the MeitY minister suggest that while the government expects businesses to start aligning their policies and practices with the DPDP Act, this is easier said than done. This is because the details of various provisions of the DPDP Act will not only be clarified through the upcoming rules, which are yet to be finalised, but the government and the Data Protection Board of India (DPB) are also expected to mandate even more operational aspects. Until the draft DPDP rules are finalised and the DPDP Act comes into force, businesses would also have to continue complying with the SPDI rules while ensuring that their policies and practices are ready for compliance with the DPDP Act and the rules, when they come into effect.

Compliance with one regulation and the road to readiness to adhere to another appears feasible, particularly considering a two-year transition period. However, the reality presents a stark contrast. The SPDI rules provide merely a foundational framework for data protection in India, characterised by less rigorous requirements and inconsistent enforcement, thereby complicating the transition to compliance with the DPDP Act. Furthermore, the DPDP Act, in conjunction with the anticipated DPDP rules, in certain aspects yields to sector-specific laws and functions as a basic data protection framework, enabling sectoral regulations to impose additional or more stringent requirements, especially concerning the cross-border transfer of personal data. The necessity to align with other regulations may lead to substantial operational and logistical hurdles, affecting the ease of doing business, particularly for startups and smaller entities, which may lack the infrastructure and resources to implement and maintain compliance protocols effectively.

The DPDP Act’s principles-based approach presents additional challenges at the policy and operational levels.

Potential policy uncertainty. The provisions of the DPDP Act leave room for policy uncertainty, especially when read with requirements under sectoral laws. For instance, in 2020, the government banned certain Chinese mobile apps that were “stealing and transmitting users’ data in an unauthorised manner” outside India. However, now the position is marked by an unexplained shift in the government’s stance towards Chinese technology. This is illustrated by recent comments made by the MeitY minister concerning hosting the Chinese open-source AI model, DeepSeek, on Indian servers to alleviate concerns surrounding data security and privacy.

Jasman Dhanoa
Senior Associate
ADP Law Offices
India
Tel: +91 85114 69232
Email: jasman@adplawoffices.com

The DPDP Act authorises the central government to restrict personal data transfer to foreign countries or territories. It mandates that such cross-border data transfers adhere to stringent protections outlined in sectoral laws. The draft DPDP rules further stipulate that any data transfer, within and outside India, would have to comply with restrictions articulated in general or special orders by the central government, particularly regarding accessibility to foreigners or entities linked to foreign states.

However, the legislation’s lack of detailed safeguards and reliance on executive discretion for cross-border data transfers risk arbitrary decision making and frequent regulatory changes. This can create policy uncertainty, undermining confidence in the legal framework. The potential unpredictability of these notifications and shifting policies impose compliance challenges and elevate regulatory risks for businesses and stakeholders.

Another provision that potentially creates policy uncertainty is the clause in the draft DPDP rules concerning the notification of personal data breaches. According to the clause, a data fiduciary must inform each affected data principal and the DPB of any personal data breach “without delay”. Subsequently, the data fiduciary is required to submit a detailed report to the DPB within 72 hours. The term “without delay” remains undefined in the draft DPDP rules. This lack of specified initial reporting timelines may conflict with existing regulations mandated by the CERT-In, further contributing to policy uncertainty and unnecessary duplication of efforts in high-risk cases.

Challenges in notifying personal data breaches. While the draft DPDP rules and the DPDP Act require the reporting of all personal data breaches to the DPB and the affected data principal, they do not provide any threshold or criteria for reporting such breaches, obliging data fiduciaries to report every instance of a personal data breach, no matter how trivial. This requirement, lacking guidance on the nature, scale and risk associated with an incident, may result in excessive reporting to the DPB, hampering its ability to mitigate the risks arising from breaches effectively. Furthermore, this stipulation could misrepresent system failures as personal data breaches, adding to confusion and potentially overwhelming affected individuals and the DPB, ultimately causing reputational damage.

The personal data breach reporting requirement also does not consider other sectoral regulations such as the CERT-In Directions on Cybersecurity and the Telecommunications (Telecom Cyber Security) Rules, 2024, issued under the Telecom Act, 2023, which mandate the notification of similar data breaches to various regulatory authorities. This oversight stems from a silo-based approach by government authorities who should have engaged in a comprehensive whole-of-government exercise to establish a single-window regulatory pathway for reporting personal data breaches. Multiple “reporting nodes” are likely to exacerbate vulnerabilities rather than mitigate them.

Rishikaa
Senior Associate
ADP Law Offices
India
Tel: +91 99588 15862
Email: rishikaa@adplawoffices.com

Vague data localisation requirements. Any data localisation mandate is likely to conflict with various requirements under foreign laws regarding the disclosure or transfer of personal data to foreign government agencies. The draft DPDP rules propose a data localisation requirement for significant data fiduciaries, whereby certain personal datasets and traffic data are prohibited from being transferred outside India based on the recommendations of a committee established by the central government. This represents a shift from the government’s previous stance of moving away from strict data localisation requirements.

Arbitrary powers for requisition of information. The power to call for information from any data fiduciary and the intermediary has been mandated without any procedural safeguards, and appears to contradict the Supreme Court decision in the landmark case of Justice KS Puttaswamy (Retd) & Anr v Union of India & Ors (2017), which recognised the fundamental right to privacy guaranteed under Article 21 of the Indian Constitution. The judgment further identified that any request for disclosure of data that violates the right to privacy would have to meet three requirements:

    1. The action must be sanctioned by law;
    2. The proposed action must be necessary in a democratic society for a legitimate aim; and
    3. The action must be proportional, ensuring a rational nexus between the objects and the means adopted to achieve them.

The draft DPDP rules and the DPDP Act fail to consider these three requirements and instead endow the government with wide discretionary powers to call for any information. This power is vague and arbitrary as it lacks any procedural safeguards or basis for seeking this information. The DPDP Act does not even provide the option or recourse to the data fiduciaries/intermediaries to object to or challenge the request for information.

While the draft DPDP rules propose to seek information for certain identified purposes such as security of the state, performance of a statutory function, etc., these purposes are worded broadly. This gives excessive powers to the government to seek any information and creates an imbalance favouring the government over not only individual privacy rights but the ease of doing business.

To conclude, while the DPDP Act and the draft DPDP rules mark significant steps in providing a dedicated data protection legal framework and aligning India with global privacy standards, several ambiguities and operational challenges remain. While some of these challenges flow from the DPDP Act itself, certain issues can be resolved through a well thought out execution of the DPDP rules, which would be essential for striking the right balance between individual privacy rights, security, innovation and making the system business friendly.

ADP Law Offices
B 809, ATS Bouquet, Sector 132, Noida
Uttar Pradesh 201304, India
Tel: +91 99100 31747
Email: ameet@adplawoffices.com

Overview of Philippine data privacy law and regulations

Republic Act No. 10173 (RA10173), or the Philippine Data Privacy Act (DPA) of 2012, is the comprehensive law governing personal data privacy protection in the Philippines. The National Privacy Commission (NPC) oversees the law under its implementing rules and regulations.

With the Philippines being a global leader in business process outsourcing services, RA10173 was promulgated in response to a freer exchange of personal data on the global stage and the setting of international standards for data protection.

Prior to enactment of RA10173 – when there was no centralised regulatory oversight for personal data processing or comprehensive protective measures for data subjects – the wealth of personal data at that time was subject to abuse and misuse.

John Paul Gaba
Partner
ACCRALAW
Manila
Tel: (632) 8830-8000
Email: jmgaba@accralaw.com

This ranged from unmitigated use and sharing of contact details for purposes beyond those initially contemplated to identity theft and security breaches to the detriment of data subjects’ constitutionally guaranteed right to privacy.

In fact, RA10173’s origins date back as early as 2006, when the Department of Trade & Industry (DTI) issued its Guidelines on the Protection of Personal Data.

This was patterned after the EU’s then Data Protection Directive of 1995 – predecessor of the current General Data Protection Regulation (GDPR).

Hence, the Philippine DPA is deeply rooted in the standards and principles espoused by the GDPR.

Application of law

RA10173 applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, both in the private and government sectors.

It covers data controllers and processors not located in the Philippines, but either:

    1. Using equipment that is located in the Philippines; or
    2. Maintaining an office, branch or agency in the Philippines.

Apart from this test in determining the applicability of RA10173, the law also applies to instances where personal data being processed pertains to either a Philippine citizen or resident, regardless of location of the data subject and wherever the “processing” takes place.

For example, it applies to personal data of Overseas Filipino Workers (OFWs) working abroad with details processed by a local Philippine bank. The privacy law also applies to OFW personal data processed by a foreign bank outside the Philippines, although how the NPC can enforce that law is a totally different matter.

“Processing” is defined under RA10173 as any operation or set of operations performed on personal information, such as collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure and destruction.

“Personal information controller” refers to any person or organisation controlling the collection, holding, processing or use of personal information, except those instructed by another person or organisation, or acting in connection with personal, family or household affairs.

Meanwhile, “personal information processor” is any natural or juridical person outsourced by a personal information controller to process personal data. However, some information is exempt from RA10173.

This includes:

    • Information on any current or previous government servant relating to their position or functions;
    • Information relating to services performed by an individual under government contract;
    • Information relating to discretionary financial benefit given by the government to an individual;
    • Personal information processed for journalistic, artistic, literary or research purposes;
    • Information necessary to carry out functions of public authority;
    • Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act; and
    • Personal information collected from residents of foreign jurisdictions in accordance with their laws.

Personal and sensitive

RA10173 distinguishes “personal information” and “sensitive personal information”, prescribing different requirements for lawful processing. “Personal information” refers to information from which the identity of an individual is apparent or can reasonably and directly be ascertained, or which identifies an individual when put together with other information.

“Sensitive personal information” refers to race, marital status, age and ethnicity, as well as religious, philosophical or political affiliations, health records, education, court proceedings, social security numbers, licences, tax returns, copies of government-issued IDs and/or their numbers, and details specifically declared as classified by law or regulation.

The law and its implementing rules and regulations generally require consent from data subjects before processing their personal data, unless this is covered by any expressly outlined conditions.

Note that the law only recognises valid express consent – defined as “freely given, specific, informed indication of will … evidenced by written, electronic or recorded means” – and frowns on implied consent.

Recognised rights

RA10173 extensively outlines the rights of data subjects with respect to personal information, which are similar to rights recognised under the EU’s GDPR.

These include the:

    1. Right to be informed;
    2. Right to access;
    3. Right to object;
    4. Right to erasure and blocking;
    5. Right to rectify;
    6. Right to file a complaint;
    7. Right to damages; and
    8. Right to data portability.

These rights must be observed and respected by data controllers and processors. The only exceptions are when used for scientific and statistical research, and no activities are carried out and no decisions taken regarding the data subject, or when gathered for the purpose of any criminal, administrative or tax investigations of a data subject.

Oversight

As well as general principles on security of personal information, the law outlines accountability with respect to the transfer of personal information.

Specific provisions are laid down concerning the security of sensitive personal information in the government, as well as provisions on data breaches and basic guidelines for reporting instances of a data breach.

Similar to the regime implemented under the GDPR, the privacy law and regulations impose breach notification obligations on the personal information controller in case of a “personal data breach”. Such a breach notification must be served on the affected data subjects and reported to the NPC.

A breach notification must be submitted to the NPC within 72 hours “upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred”.

Privacy regulations also require the designation/appointment of a Data Privacy Officer (DPO). However, not all DPOs are required to register with the NPC.

DPO registration with the NPC is mandatory only:

    1. If the entity employs 250 persons or more; or
    2. If the entity “processes” records containing sensitive personal information of at least 1,000 individuals; or
    3. If “processing personal information” of the entity is either “likely to pose a risk to the rights and freedoms of data subjects” or deemed “not occasional”.

As regards the last criterion, the NPC issued guidelines enumerating the sectors that it considers covered by the mandatory registration requirement regardless of the number/volume of data subjects or personal information being processed.

These sectors, considered as “critical”, are:

    1. Government agencies;
    2. Banks and non-banking financial institutions;
    3. Telecoms and internet service providers;
    4. BPO companies;
    5. Universities, colleges and all other schools and training institutions;
    6. Hospitals, clinics and other healthcare facilities;
    7. Insurance companies and insurance brokers;
    8. Those involved in direct marketing, networking, and other companies providing reward cards and loyalty programmes;
    9. Pharmaceutical companies engaged in research; and
    10. Personal information processors of personal data for a personal information controller included in any of these “critical” sectors.

Apart from the DPO, the implementing rules and regulations specifically provide that certain forms of data processing systems (DPS) must be registered with the NPC. With the NPC’s launch of its new registration portal, submission of both the DPO and DPS details is required in order to complete the NPC registration requirements.

Penalties

Violations of RA10173 are punishable by mandatory imprisonment and/or a fine, making it one of the very few data privacy laws that can impose imprisonment as a penalty.

A higher range of penalties applies in cases when sensitive personal information is involved.

Maximum penalties are imposed when the personal information of at least 100 people is affected, which is regarded as “large scale”.

Although there is a move initiated by the NPC and other concerned sectors to propose an amendment of RA10173 to include removal of the penalty of imprisonment, this initiative has been put on hold due to the immediately preceding pandemic.

ACCRALAW
22nd to 26th Floors, ACCRALAW Tower
Second Avenue corner 30th Street,
Crescent Park West, Bonifacio Global City,
Taguig 1635, Metro Manila, Philippines
Tel: (632) 8830-8000
Fax: (632) 8403-7007 / (632) 8403-7009
Email: jmgaba@accralaw.com / ipd@accralaw.com
Shielding personal data in Taiwan

Taiwan has a single statute, the Personal Data Protection Act (PDPA), generally governing matters in relation to personal data protection. The PDPA applies to government agencies as well as private enterprises and individuals. Some other laws and regulations offer protection over personal data in specific sectors, including finance, health and insurance.

Providing a basic level of data protection, the PDPA is applicable to both Taiwanese and foreigners. Foreign entities collecting, processing or using personal data of Taiwanese people are also subject to obligations set out by the PDPA.

Supervising authorities

Brian Hsieh
Partner
Formosa Transnational
Taipei
Tel: +886-2-2755 7366
Email: brian.hsieh@taiwanlaw.com

The Preparation Office of Taiwan’s Personal Data Protection Commission (PDPC) was established in December 2023. The PDPC is now set to begin operations in August 2025 as the sole data protection authority, enforcing and interpreting the PDPA, and supervising matters relating to data protection.

At the same time, other government agencies with authority over specific industries continue to regulate data protection matters in those specific fields.

For instance, the Ministry of Digital Affairs (MODA), with authority over digital industries, promulgated the Regulation on Personal Data Safety Maintenance in Digital Economy Industries (MODA regulations) setting out advanced data protection requirements based on the PDPA framework.

The MODA regulations apply to businesses such as e-commerce, software, computer programming, data management and information services.

Informed consent

Under the PDPA, valid informed consent may be given by a data subject only if this data subject is notified of:

    1. The name of the entity collecting, processing or using the personal data;
    2. The purposes of the collection, processing or use;
    3. The types of personal data collected;
    4. The timeframe, area, persons and ways of use of the collected personal data;
    5. The data subject’s rights; and
    6. That the data subject’s decision whether to disclose personal data will not affect his/her rights and interests.

While consent may be given by data subjects in a digital form, the entity that collects personal data bears the burden to prove that the data subject has properly consented to collection.

A private entity may use a data subject’s personal data for a different purpose than the purposes of the collection only if this data subject gives explicit consent to that secondary use. In other words, implied consent does not work for a secondary use.

If explicit consent by a data subject is not available, the entity must find another legal basis for its secondary uses.

Data protection officer

Under the current PDPA, a private entity storing files containing personal data shall take proper security measures that may include management personnel. Under the MODA regulations, an entity in the digital economy needs to appoint management personnel specifically responsible for:

    1. Formulating/revising the entity’s privacy protection policy; and
    2. Formulating/revising/enforcing the entity’s safety maintenance plan.

In December 2024, the PDPC proposed amendments to the PDPA, imposing obligations on government agencies and private entities designated by the PDPC to appoint a data protection officer, as well as management personnel, in charge of data protection. It would be prudent for businesses to pay close attention to the future development of the PDPA amendments.

Security measures

Both the PDPA and the MODA regulations lay out detailed sets of rules for a private entity’s obligations to ensure the security of personal data, collected or stored by this entity. Under the PDPA, a private entity shall maintain a set of data security measures, including:

    1. Appointing management personnel;
    2. Specifying the scope of personal data;
    3. Adopting a mechanism to evaluate and manage risks;
    4. Adopting internal rules to prevent a data breach, report breach events and take immediate action;
    5. Adopting internal SOPs on collection, processing and use;
    6. Appointing or retaining information security personnel;
    7. Offering training sessions to employees;
    8. Adopting a mechanism that ensures the security of information service equipment;
    9. Auditing information security;
    10. Preserving records of use, tracking information and evidence; and
    11. Adopting plans that improve data protection practices.

Under the MODA regulations, an entity in the digital economy industries should take the following management actions in respect of its employees:

    1. Enter into an NDA with its employee;
    2. Identify employees who will handle matters in relation to collection, processing or use of personal data;
    3. Determine each employee’s authority to access personal data in accordance with necessity and review said authority regularly; and
    4. Request that departing employees return devices storing personal data and delete personal data they possessed during the course of performing their duties.

Furthermore, under the MODA regulations, the following records shall be kept for at least five years:

    1. Records of collection, processing or use;
    2. Tracking information of automatic equipment; and
    3. Evidence supporting compliance of the entity’s data security plan.

Data breach notification

Under the current PDPA, when a data breach event occurs, a private entity shall notify the data subject after obtaining a clear understanding of the event.

The notification could be made to the data subject via oral/written statement, phone conversation, message, email, fax or other proper manners. The PDPA does not set a particular deadline for the notification.

On the other hand, the MODA regulations require an entity in the digital economy industries to report a data breach event to the authorities concerned within 72 hours after the event occurred.

Under the PDPA amendments, a private entity shall report to authorities and notify data subjects of a data breach when becoming aware of the event, and when it would severely damage the data subjects’ rights and interests. It will be prudent for businesses to pay close attention to the future development of the PDPA amendments.

Marketing uses

Under the PDPA, a private entity shall immediately cease using a data subject’s personal data for marketing purposes if the subject declines to accept any communications made for marketing purposes.

From the first time a private entity reaches out to a data subject for marketing purposes, channels should be provided for opting out. “Marketing” is construed broadly to include virtually all kinds of activities that promote products or services, including eDMs, personalised services or recommendations.

Cross-border transmission

Under the PDPA, a government authority may restrict a private entity from transmitting personal data to anyone outside the territory of Taiwan, if:

    1. Substantial national interests are involved;
    2. It is in accordance with international agreements or treaties;
    3. The receiving country does not offer proper protection over personal data; and
    4. Transmission is made to circumvent requirements set out in the PDPA.

Foreign entities are subject to the same obligations. Under the MODA regulations, before transmitting personal data overseas, an entity in digital economy industries shall confirm whether the transmission is subject to any restrictions imposed by the MODA. In addition, the entity shall notify data subjects of the regions to which their personal data will be transferred and supervise the receiving entity’s subsequent use of said personal data.

Formosa Transnational
13th Fl, 136, Sec 3, Jen-Ai Road
Taipei 106, Taiwan
Tel: 886 2 2755 7366
Email: brian.hsieh@taiwanlaw.com