The Philippines recently joined the club of over 80 countries around the world with comprehensive data privacy laws. The Data Privacy Act of 2012 (REPUBLIC ACT NO. 10173) was signed into law on August 15, 2012 and will take effect 15 days after its publication in a newspaper of general circulation. The Act is expected to boost investor confidence in the Philippines, especially in the business process outsourcing space where the confidentiality and security of data and information are top concerns; yet the Act does not impose any direct obligations on service providers.
The Act seeks to “protect the fundamental human right of privacy of communication while ensuring the free flow of information to promote innovation and growth” and borrows from two statutory models, namely (i) the “European Union Directive on the Protection of Individuals with Regards to the Processing of Personal Data and on the Free Movement of Such Data”; and (ii) the APEC Data Privacy Framework. In doing so, it adopts the fair information principles on which most countries’ data privacy laws are based.
Highlights of the Act
Application: The Act applies to the processing of “personal information” [of citizens and residents] in the Philippines by any entity. It does not, however, apply to the title, business address and office telephone number of an individual, nor does it apply to personal information originally collected from residents of foreign jurisdictions (e.g. information about a US resident collected or otherwise processed in the Philippines). The Act does, however, apply to foreign entities that collect or otherwise process personal information about a citizen or resident of the Philippines.
Personal Information and Sensitive Personal Information: Personal information is defined in the Act as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained. A further category “sensitive personal information” refers to personal information: (i) about an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations; (ii) about an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by a person, including the disposal of and sentence in such proceedings; (iii) issued by government agencies peculiar to an individual, including social security numbers, previous or current health records, licenses and tax returns; and (iv) specifically established by an executive order or law to be classified.
Lawful Processing of Personal Information: Processing of personal information is permitted when at least one of the following conditions exists: (i) the data subject has given consent; (ii) the processing is necessary and is related to the fulfillment of a contract with the data subject; (iii) the processing is necessary to comply with a legal obligation; (iv) the processing is necessary to protect vitally important interests of the data subject, including life and health; (v) the processing is necessary to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority; or (vi) the processing is necessary for purposes of legitimate interests pursued by the personal information controller.
Processing of Sensitive Personal Information: Processing of sensitive personal information is prohibited, except in the following cases: (i) the data subject has given consent specific to the purpose prior to processing; (ii) the processing is provided for by existing laws and regulations which guarantee the protection of sensitive personal information and which do not require the consent of the data subject; (iii) the processing is necessary to protect the life and health of the data subject, who is not able to legally or physically express his consent; (iv) the processing is necessary to achieve the lawful and non-commercial objectives of public organizations, provided the processing is confined and related to the members of such organization whose consents are obtained prior to processing; (v) the processing is necessary for purposes of medical treatment and is carried out by a medical practitioner or medical institution; or (vi) the processing is necessary for the protection of lawful rights or interests of natural or legal persons in court proceedings, or in the exercise or defense of legal claims, or when provided to government or public authority.
Consent: The Act requires that consent be evidenced by written, electronic or recorded means.
National Privacy Commission: The Act mandates the creation of a National Privacy Commission tasked to administer and enforce compliance with the requirements under the Act. The Commission is given authority to receive complaints, institute investigations and even issue cease and desist orders upon finding of unlawful processing of personal information.
Responsibilities of a Personal Information Controller: A personal information controller refers to a person or organization that controls the collection, holding or processing of personal information (as opposed to a service provider, referred to in the Act as a “personal information processor”). Personal information controllers are required to implement the fair information principles. Personal information controllers are further required to notify the Commission and affected data subjects upon reasonable belief that personal information which may be used to enable identity fraud has been acquired by an unauthorized person.
Sub-Contract of Personal Information: A personal information controller is allowed to sub-contract the processing of personal information under its control.
Cross Border Data Flows: There are no restrictions on cross-border data flows. However, the personal information controller is responsible for ensuring that an adequate level of protection is afforded to personal information when it is sent across borders.
Penal Provisions: The most controversial parts of the new Act are the harsh penalty provisions which impose both imprisonment of up to 6 years and fines of up to US$100,000 for violations of the Act, including unauthorized processing, access and disclosures through negligence. If the offender is a corporation, the penalties will be imposed on the responsible officers who participated in, or by their gross negligence allowed, the commission of the crime. In addition, offending corporations may also be stripped of their license to do business in the Philippines.
Transitory Provision: Corporations and organizations are given a transitory period of 1 year from the effective date of the Implementing Rules and Regulations (not yet promulgated as of Nov 20, 2012) to comply with the provisions of the Act.
Source reference: Official Act document (Republic Act No. 10173).