The Philippines Data Privacy Act of 2012

The Philippines Data Privacy Act of 2012

The Philippines Data Privacy Act of 2012 was passed in response to growth in the Philippines in relation to their health information technology and business process management industries. For context, total information technology spending within the Philippines reached a total of $4.4 billion by the end of 2016. To this end, the country boasts millions of social media users alone, including 42.1 million Facebook users, 3.5 million Linkedin users, and 13 million Twitter users. As is the case with many other countries around the world due to the rise of online usage and activity, the protection of data privacy rights within the country has become a top priority.

The scope and application

The Philippines Data Privacy Act has a somewhat broad scope that applies to both individuals as well as business entities, with very few exceptions. What’s more, the law also contains exterritorial application, as all equipment within the country that is used for the processing of personal data or information must all adhere to the law. Furthermore, the Philippines Data Privacy Act of 2012 protects the personal data of Filipino citizens, regardless of where these citizens reside. To end, the law was written with the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”

The definition of the sensitive personal information

The Philippines Data Privacy Act of 2012 defines sensitive personal information to include any of the following categories:

  • Information or data concerning an individual’s race, ethnic origin, marital status, color, age, and religious, philosophical, or political affiliations.
  • Information or data concerning an individual’s education, genetic or sexual life, health, or any legal proceedings or alleged criminal allegations that an individual may be involved in.
  • Information or data that is issued by a government agency that is “peculiar” or unique to an individual, such as a social security number.
  • Information or data that is marked as classified by an executive order or act of Congress.

Alternatively, the law also contains several exceptions to the processing of sensitive personal information. These exceptions include the following:

  • Data that is processed with the consent of a data subject.
  • Data processing that is pursuant to other Filipinos laws and as such does not require consent.
  • Data processing that is necessary to protect the life or health of an individual.
  • Data processing that is necessary to provide medical treatment for an individual.
  • Data processing that is necessary to protect the lawful rights of a data subject in relation to regulation, court proceedings, or legal proceedings.

The rights of citizens

The Philippines Data Privacy Act of 2012 grants Filipino citizens various rights in respect of their personal data and information. These rights include:

  • The right for an individual’s information “to be forgotten” in the form of blocking or erasure, where a data subject may request the removal of their personal information from the data filing system of a particular data controller. Exercising this right is based upon the data subject providing “substantial proof”. Additionally, this right to be forgotten is limited by the fact that the publication of an individual’s personal information may also be justified in the context of freedom of speech, expression, and other legal rights.
  • The right to private right of action to pursue damages in relation to outdated, false, inaccurate, incomplete, unlawfully obtained, or the unauthorized use of personal data.
  • The right to data portability.

The requirements of business entities and individuals

Under the Philippines Data Privacy Act of 2012, individuals, business entities, and organizations
who process the personal information of Filipino citizens must adhere to a variety of requirements. The law mandates that any organization or entity that is involved in data processing and subject to the law must develop, implement, and review specific procedures for the collection of personal data, obtaining consent from data subjects, limiting data processing to specific specifically defined purposes, access management of personal data, providing avenue of recourse of data subjects, as well as data retention policies.

As such, these various requirements necessitate that entities who handle the personal data of Filipino citizens develop and maintain a data privacy program. Furthermore, the law also states that entities who handle the personal data of Filipino citizens also develop technical security safeguards in the form of a security program. Notably, the Philippines law also mandates that country’s Human Security Act of 2007, a major anti-terroism law that allows for video and audio surveillance, also be in compliance with the Philippines Data Privacy Act of 2012.

On the other end of the spectrum, the law also contains provisions regarding data breaches. Under the law, the terms “security incident” and “personal data breach” are given two different definitions, in order to avoid any confusion with the two. Under the law, a “security incident” is defined as “an event or occurrence that affects or tends to affect data protection, or may compromise availability, integrity or confidentiality”. Conversely, a “persona data breach” is considered a subset of a security breach under the law, and is defined as an “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed”.

The law further states that all instances of personal data breaches require notification to all parties involved, and the law provides the specific requirements for these notifications. These requirements include:

  • The information contained in the data breach must be “sensitive” personal information, as defined under the law, or information that could otherwise be for the purposes of identity fraud.
  • There is reasonable belief that unauthorized access or acquisition of sensitive personal information has occurred.
  • There is real risk to the data subjects involved in the data breach.
  • The potential harm to data subjects is deemed serious.
  • The scope and nature of said breach.
  • The personal data that was possibly involved in said breach.
  • The measures that were taken by the entity who experienced the data breach to address said data breach.
  • The measures that have been taken to reduce the impact and harm of said data breach.
  • The representative of the personal information controller involved in the data breach, including their contact information or details.
  • Any remedies or assistance that data subjects will be provided relating to a data breach.

The penalties for violating the act

The Philippines Data Privacy Act of 2012 provides separate legal penalties for various violations, which can include both monetary fines as well as jail time. For example, separate counts exist under the law for the unauthorized processing, processing for unauthorized purposes, improper disposal, negligent access, intentional breaches, the concealment of a data breach involving sensitive personal information, malicious disclosure, and unauthorized disclosure in relation to personal data. Any combination of the actions listed above can result in a prison term ranging from 3 to 6 years, as well as a monetary fine ranging from $20,000 to $100,000. Moreover, as stated above, the law also granted Filipino citizens the right to private action in regards to the law.

As online commerce and in turn communication continues to become a pivotal factor in the lives of citizens around the world, the Philippines Data Privacy Act is another iteration of the comprehensive data privacy laws that have been passed in recent years. Due to the expansion of various business sectors within the country in the last decade, such legislation is undoubtedly needed. With the law, Filipino citizens can rest assured that they have the right to protect the personal information that they share with individuals and business entities.