Government policies in the Philippines and decisions of the Supreme Court tilt heavily toward the protection of an individual’s right to privacy of communications. However, the Philippines also recognizes that the free flow of information is vital to promote innovation and growth. Thus, the recent trend in cases of conflict is to balance the interests of the business sector and that of an individual’s right to privacy.
The Philippines also enacted the Data Privacy Act of 2012 (DPA), which took effect on 8 September 2012. The DPA is modeled after the European Union's data protection regime (now the General Data Protection Regulation, GDPR) and the Asia-Pacific Economic Cooperation Privacy Framework. The National Privacy Commission (NPC) enforces the DPA and has issued the law's Implementing Rules and Regulations, which took effect on 9 September 2016.
RIGHT TO PRIVACY
Privacy of communications is a recognized right in the Philippines under Article III, Section 3 of the Philippine Constitution which upholds the privacy of communications and correspondence.
Other provisions on privacy of communications are found in the Civil Code of the Philippines (Civil Code) and in Republic Act No. 4200 (RA No. 4200), the Anti-Wiretapping Act, which makes it unlawful for any person to record a private communication without the consent of all parties to that communication. The Supreme Court has interpreted "private communication" to mean a communication between one person and another, as opposed to a speaker and the public, and to cover communications of all types, including telephone conversations and electronic messages.
The right to privacy of communications may, however, be waived, so long as the waiver is not contrary to law, public order, public policy, morals, or good customs, and is not prejudicial to a third person with a right recognized by law.
Republic Act No. 10173, the DPA of 2012, applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, including personal information controllers and processors that, although not located or established in the Philippines, (1) use equipment located in the Philippines, or maintain an office, branch, or agency in the Philippines, and (2) process personal information pertaining to a Philippine citizen or resident and maintain commercial links to the Philippines.
“Personal Information” is defined as any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or that, when put together with other information, would directly and certainly identify an individual.
“Sensitive personal information,” on the other hand, is defined as personal information: (1) about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (2) about an individual's health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by that individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies and peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension, or revocation, and tax returns; and (4) specifically established by an executive order or an act of the Philippine Congress to be kept classified.
In general, and unless another lawful criterion recognized by the DPA applies, the DPA prohibits the processing of personal information without the express and recorded consent of the data subject. The law also enumerates the rights of data subjects (i.e., notice, access, control, data portability, and the right to be indemnified by personal information controllers for damages arising from the unlawful processing of personal information), and the obligations of personal information controllers and processors to ensure the privacy, security, and integrity of personal information (including, but not limited to, a breach notification requirement). More particularly, the DPA requires personal information controllers to employ reasonable and appropriate organizational, physical, and technical measures to protect the security of personal information. At a minimum, these measures must include: (1) safeguards against computer hacking; (2) a security policy; (3) a process for preventing and mitigating security breaches; (4) contractual or other reasonable data protection arrangements with third-party contractors; and (5) the appointment of an information security officer who will ensure the entity's compliance with the DPA.
In addition, the DPA creates the NPC, which is tasked with administering and implementing the provisions of the law, as well as with monitoring and ensuring compliance with international standards for data protection.
The DPA sets forth a detailed schedule of penalties, comprising both imprisonment and fines, for violations of the Act, e.g., unauthorized processing, access due to negligence, improper disposal, processing for unauthorized purposes, unauthorized access or intentional breach, concealment of security breaches, malicious disclosure, and unauthorized disclosure of personal information and sensitive personal information. In addition, the NPC may impose administrative penalties, which may include compliance orders, cease-and-desist orders, a temporary or permanent ban on personal information processing, and/or fines.
On 25 August 2016, the NPC issued the implementing rules and regulations (Rules) of the DPA. In addition to the more general requirements of the DPA on the processing of personal information, the Rules impose several registration and compliance obligations on covered controllers and processors. The most important of these obligations are:
Registration of Personal Data Processing Systems. A personal data processing system operating in the Philippines must be registered with the NPC by 8 March 2018 if it involves the processing of sensitive personal information of at least 1,000 individuals, or if it is operated by a personal information controller or processor that employs at least 250 persons or belongs to one of the sectors identified by the NPC as subject to mandatory registration;
Reportorial Requirements. Personal information controllers are required to notify the NPC and the affected data subjects of a personal data breach within 72 hours of its discovery. Covered entities must also submit to the NPC an annual summary of documented security incidents and personal data breaches, and must notify the NPC when automated processing becomes the sole basis for making decisions about a data subject;
Nature of Consent of Data Subjects. The Rules clarify that, in cases not exempt from the consent requirement, the data subject's consent to the processing is time-bound in relation to the purpose of the processing. Data sharing, even between entities belonging to the same corporate group, also requires the prior consent of the affected data subjects; and
Minimum Security Requirements; Contents of Data Transfer Agreements between Controllers and Processors. The Rules enumerate the specific minimum organizational, physical, and technical requirements that controllers and processors must implement while processing personal information. These security standards are subject to periodic evaluation and updating by the NPC through subsequent issuances. The Rules also set out the minimum compliance provisions to be included in any data processing agreement between personal information controllers and their processors.
CONSIDERATIONS FOR MEMBERS OF THE EU
The DPA and its Rules are closely aligned with the general principles and requirements of the EU General Data Protection Regulation (GDPR). Compliance with the DPA and its Rules should therefore be largely straightforward for personal information controllers and processors that are already working toward full GDPR compliance in time for the GDPR's application date of 25 May 2018.