The Philippines Data Privacy Act of 2012

The Philippines Data Privacy Act of 2012 was passed in response to the growth of the country's health information technology and business process management industries. For context, total information technology spending within the Philippines reached $4.4 billion by the end of 2016. The country also has millions of social media users, including 42.1 million Facebook users, 3.5 million LinkedIn users, and 13 million Twitter users. As in many other countries where online usage and activity have risen, the protection of data privacy rights within the country has become a top priority.

The scope and application

The Philippines Data Privacy Act has a broad scope that applies to both individuals and business entities, with very few exceptions. The law also has extraterritorial application: all equipment within the country that is used for the processing of personal data or information must adhere to the law. Furthermore, the Philippines Data Privacy Act of 2012 protects the personal data of Filipino citizens, regardless of where these citizens reside. Finally, the law was written with the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”

The definition of the sensitive personal information

The Philippines Data Privacy Act of 2012 defines sensitive personal information to include any of the following categories:

Alternatively, the law also contains several exceptions to the processing of sensitive personal information. These exceptions include the following:

The rights of citizens

The Philippines Data Privacy Act of 2012 grants Filipino citizens various rights in respect of their personal data and information. These rights include:

The requirements of business entities and individuals

Under the Philippines Data Privacy Act of 2012, individuals, business entities, and organizations who process the personal information of Filipino citizens must adhere to a variety of requirements. The law mandates that any organization or entity that is involved in data processing and subject to the law must develop, implement, and review specific procedures for the collection of personal data, obtaining consent from data subjects, limiting data processing to specifically defined purposes, access management of personal data, providing an avenue of recourse for data subjects, as well as data retention policies.

As such, these requirements necessitate that entities that handle the personal data of Filipino citizens develop and maintain a data privacy program. Furthermore, the law states that entities that handle the personal data of Filipino citizens must also develop technical security safeguards in the form of a security program. Notably, the law also mandates that the country’s Human Security Act of 2007, a major anti-terrorism law that allows for video and audio surveillance, be in compliance with the Philippines Data Privacy Act of 2012.

The law also contains provisions regarding data breaches. Under the law, the terms “security incident” and “personal data breach” are given two different definitions, in order to avoid any confusion between the two. A “security incident” is defined as “an event or occurrence that affects or tends to affect data protection, or may compromise availability, integrity or confidentiality”. Conversely, a “personal data breach” is considered a subset of a security breach under the law, and is defined as an “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed”.

The law further states that all instances of personal data breaches require notification to all parties involved, and the law provides the specific requirements for these notifications. These requirements include:

The penalties for violating the act

The Philippines Data Privacy Act of 2012 provides separate legal penalties for various violations, which can include both monetary fines and jail time. For example, separate counts exist under the law for unauthorized processing, processing for unauthorized purposes, improper disposal, negligent access, intentional breaches, the concealment of a data breach involving sensitive personal information, malicious disclosure, and unauthorized disclosure in relation to personal data. Any combination of the actions listed above can result in a prison term ranging from 3 to 6 years, as well as a monetary fine ranging from $20,000 to $100,000. Moreover, as stated above, the law also grants Filipino citizens the right to private action in regard to the law.

As online commerce and, in turn, communication continue to become pivotal factors in the lives of citizens around the world, the Philippines Data Privacy Act is another iteration of the comprehensive data privacy laws that have been passed in recent years. Due to the expansion of various business sectors within the country in the last decade, such legislation is undoubtedly needed. With the law, Filipino citizens can rest assured that they have the right to protect the personal information that they share with individuals and business entities.
