Republic Act No. 10173 (RA10173), or the Philippine Data Privacy Act (DPA) of 2012, is the comprehensive law governing personal data privacy protection in the Philippines. The National Privacy Commission (NPC) oversees the law under its implementing rules and regulations.
With the Philippines being a global leader in business process outsourcing services, RA10173 was promulgated in response to a freer exchange of personal data on the global stage and the setting of international standards for data protection.
Prior to enactment of RA10173 – when there was no centralised regulatory oversight for personal data processing or comprehensive protective measures for data subjects – the wealth of personal data at that time was subject to abuse and misuse.
This ranged from unmitigated use and sharing of contact details for purposes beyond those initially contemplated to identity theft and security breaches to the detriment of data subjects’ constitutionally guaranteed right to privacy.
In fact, RA10173’s origins date back as early as 2006, when the Department of Trade & Industry (DTI) issued its Guidelines on the Protection of Personal Data.
This was patterned after the EU’s then Data Protection Directive of 1995 – predecessor of the current General Data Protection Regulation (GDPR).
Hence, the Philippine DPA is deeply rooted in the standards and principles espoused by the GDPR.
Application of law
RA10173 applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, both in the private and government sectors.
It covers data controllers and processors not located in the Philippines, but either:
- using equipment that is located in the Philippines; or
- maintaining an office, branch or agency in the Philippines.
Apart from this test in determining applicability of RA10173, the law also applies to instances where personal data being processed pertains to either a Philippine citizen or resident, regardless of location of the data subject, and wherever the “processing” takes place.
For example, it applies to personal data of Overseas Filipino Workers (OFWs) working abroad with details processed by a local Philippine bank. The privacy law also applies to OFW personal data processed by a foreign bank outside the Philippines, although how the NPC can enforce that law is a totally different matter.
“Processing” is defined under RA10173 as any operation or set of operations performed on personal information, such as collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure and destruction.
“Personal information controller” refers to any person or organisation controlling the collection, holding, processing or use of personal information, except those instructed by another person or organisation, or acting in connection with personal, family or household affairs.
Meanwhile, “personal information processor” is any natural or juridical person outsourced by a personal information controller to process personal data. However, some information is exempt from RA10173.
This includes:
- Information on any current or previous government servant relating to their position or functions;
- Information relating to services performed by an individual under government contract;
- Information relating to discretionary financial benefit given by the government to an individual;
- Personal information processed for journalistic, artistic, literary or research purposes;
- Information necessary to carry out functions of public authority;
- Information necessary for banks and financial institutions to comply with the Anti-Money Laundering Act; and
- Personal information collected from residents of foreign jurisdictions in accordance with their laws.
Personal and sensitive
RA10173 distinguishes “personal information” and “sensitive personal information”, prescribing different requirements for lawful processing. “Personal information” refers to information from which the identity of an individual is apparent or reasonably identifiable and directly ascertained when put together with other information.
“Sensitive personal information” refers to race, marital status, age and ethnicity, as well as religious, philosophical or political affiliations, health records, education, court proceedings, social security numbers, licences, tax returns, copies of government-issued IDs and/or their numbers, and details specifically declared as classified by law or regulation.
The law and its implementing rules and regulations generally require consent from data subjects before processing their personal data, unless this is covered by any expressly outlined conditions.
Note that the law only recognises valid express consent – defined as “freely given, specific, informed indication of will … evidenced by written, electronic or recorded means” – and frowns on implied consent.
Recognised rights
RA10173 extensively outlines the rights of data subjects with respect to personal information, which are similar to rights recognised under the EU’s GDPR.
These include the:
- right to be informed;
- right to access;
- right to object;
- right to erasure and blocking;
- right to rectify;
- right to file a complaint;
- right to damages; and
- right to data portability.
These rights must be observed and respected by data controllers and processors. The only exceptions are when the data is used for scientific and statistical research and no activities are carried out or decisions taken regarding the data subject, or when it is gathered for the purpose of any criminal, administrative or tax investigation of a data subject.
Oversight
As well as general principles on security of personal information, the law outlines accountability with respect to the transfer of personal information.
Specific provisions are laid down concerning the security of sensitive personal information in the government, as well as provisions on data breaches and basic guidelines for reporting instances of a data breach.
Similar to the regime implemented under the GDPR, the privacy law and regulations impose breach notification obligations on the personal information controller in case of a “personal data breach”. Such a breach notification must be served on the affected data subjects and reported to the NPC.
A breach notification must be submitted to the NPC within 72 hours “upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred”.
Privacy regulations also require the designation/appointment of a Data Privacy Officer (DPO). However, not all DPOs are required to register with the NPC.
DPO registration with the NPC is mandatory only:
- if the entity employs 250 persons or more; or
- if the entity “processes” records containing sensitive personal information of at least 1,000 individuals; or
- if “processing personal information” of the entity is either “likely to pose a risk to the rights and freedoms of data subjects” or deemed “not occasional”.
As regards the last criterion, the NPC issued guidelines enumerating the sectors that it considers covered by the mandatory registration requirement regardless of the number or volume of data subjects or personal information being processed.
These sectors, considered as “critical”, are:
- government agencies;
- banks and non-banking financial institutions;
- telecoms and internet service providers;
- BPO companies;
- universities, colleges and all other schools and training institutions;
- hospitals, clinics and other healthcare facilities;
- insurance companies and insurance brokers;
- those involved in direct marketing, networking, and other companies providing reward cards and loyalty programmes;
- pharmaceutical companies engaged in research; and
- personal information processors of personal data for a personal information controller included in any of these “critical” sectors.
Apart from the DPO, the implementing rules and regulations specifically provide that certain forms of data processing systems (DPS) must be registered with the NPC. With the NPC’s launch of its new registration portal, submission of both the DPO and DPS details is required in order to complete the NPC registration requirements.
Penalties
Violations of RA10173 are punishable by mandatory imprisonment and/or a fine, making it one of the very few data privacy laws that can impose imprisonment as a penalty.
A higher range of penalties applies in cases when sensitive personal information is involved.
Maximum penalties are imposed when the personal information of at least 100 people is affected, which is regarded as “large scale”.
Although the NPC and other concerned sectors have initiated a move to propose an amendment of RA10173 that would include removal of the penalty of imprisonment, this initiative has been put on hold due to the recent pandemic.
ACCRALAW
22nd to 26th Floors, ACCRALAW Tower
Second Avenue corner 30th Street,
Crescent Park West, Bonifacio Global City,
Taguig 1635, Metro Manila, Philippines
Tel: (632) 8830-8000
Fax: (632) 8403-7007 / (632) 8403-7009
Email: jmgaba@accralaw.com | ipd@accralaw.com