The document summarizes key aspects of the Philippines' Data Privacy Act of 2012 and its implementing regulations from 2016. It outlines the law's broad scope, requirements for consent and privacy programs, data subject rights, and mandatory breach notification timelines. Non-compliance can result in penalties including fines and imprisonment.
Privacy Tracker

Summary: Philippines Data Privacy Act and implementing regulations

Apr 27, 2017

Alex Wall, CIPP/E, CIPP/US, CIPM, FIP, PLS, IAPP Member, Contributor

The Philippines has a growing and important business process management and health
information technology industry. Total IT spending reached $4.4 billion in 2016, and the
sector is expected to more than double by 2020. Filipinos are heavy social media users, 42.1
million are on Facebook, 13 million on Twitter, and 3.5 million are LinkedIn users. The
country is also in the process of enabling free public Wi-Fi. In the context of the rapid
growth of the digital economy and increasing international trade of data, the Philippines has
strengthened its privacy and security protections.

In 2012 the Philippines passed the Data Privacy Act of 2012, comprehensive and strict privacy
legislation “to protect the fundamental human right of privacy, of communication while
ensuring free flow of information to promote innovation and growth” (Republic Act No.
10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National Privacy
Commission that enforces and oversees it and is endowed with rulemaking power. On
September 9, 2016, the final implementing rules and regulations (IRRs) came into force, adding
specificity to the Privacy Act.

Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities that process
personal information, with some exceptions. The law has extraterritorial application: it
applies not only to businesses with offices in the Philippines, but also whenever equipment
based in the Philippines is used for processing. The act further applies to the processing of
the personal information of Philippine citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the processing of personal
information in the Philippines that was lawfully collected from residents of foreign
jurisdictions — an exception helpful for Philippines companies that offer cloud services.

Approach

The Philippines law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared, specified, and
legitimate purpose” and further provides that consent is required prior to the collection
of all personal data. It requires that when obtaining consent, the data subject be informed
about the extent and purpose of processing, and it specifically mentions the “automated
processing of his or her personal data for profiling, or processing for direct marketing, and
data sharing.” Consent is further required for sharing information with affiliates or even
parent (“mother”) companies.

Consent must be “freely given, specific, informed,” and the definition further requires that
consent to collection and processing be evidenced by recorded means. However, processing
does not always require consent.

Consent is not required for processing where the data subject is party to a contractual
agreement, for purposes of fulfilling that contract. The exceptions of compliance with a legal
obligation upon the data controller, protection of the vital interests of the data subject, and
response to a national emergency are also available.
An exception to consent is allowed where processing is necessary to pursue the legitimate
interests of the data controller, except where overridden by the fundamental rights and
freedoms of the data subject.

Required agreements

The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these agreements are
subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:

• About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;

• About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed;

• Issued by government agencies “peculiar” (unique) to an individual, such as a social
security number;

• Marked as classified by executive order or act of Congress.

All processing of sensitive and personal information is prohibited except in certain
circumstances. The exceptions are:

• Consent of the data subject;

• Pursuant to law that does not require consent;

• Necessity to protect the life and health of a person;

• Necessity for medical treatment;

• Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.

Surveillance

Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a
major anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must
develop, implement and review procedures for the collection of personal data, obtaining
consent, limiting processing to defined purposes, access management, providing recourse to
data subjects, and appropriate data retention policies. These requirements necessitate the
creation of a privacy program. Requirements for technical security safeguards in the act also
mandate that an entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the
principles of notice, choice, access, accuracy and integrity of data.

The Philippines law appears to contain a “right to be forgotten” in the form of a right to
erasure or blocking, where the data subject may order the removal of his or her personal
data from the filing system of the data controller. Exercising this right requires “substantial
proof,” the burden of producing which is placed on the data subject. This right is expressly
limited by the fact that continued publication may be justified by constitutional rights to
freedom of speech, expression and other rights.

Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.
A right to data portability is also provided.

Mandatory personal information breach notification

The law defines “security incident” and “personal data breach” separately, ensuring that the
two are not confused. A “security incident” is an event or occurrence that affects or tends to
affect data protection, or may compromise availability, integrity or confidentiality. This
definition includes incidents that would have resulted in a personal data breach, if not for
safeguards that had been put in place.

A “personal data breach,” on the other hand, is a subset of a security incident that actually
leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or
access to, personal data transmitted, stored, or otherwise processed.”

Requirement to notify

The law further provides that not all “personal data breaches” require notification, and the
IRRs provide several bases for not notifying data subjects or the data protection authority.
Section 38 of the IRRs sets out the requirements for breach notification:

• The breached information must be sensitive personal information, or information
that could be used for identity fraud, and

• There is a reasonable belief that unauthorized acquisition has occurred, and

• The risk to the data subject is real, and

• The potential harm is serious.


The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and
whether the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy Commission as well as
affected data subjects within 72 hours of knowledge of, or reasonable belief by the data
controller of, a personal data breach that requires notification.

It is unclear at present whether the commission would allow a delay in notification of data
subjects to allow the commission to determine whether a notification is unwarranted. By the
law, this would appear to be a gamble.

Notification contents

The contents of the notification must at least include:

• The nature of the breach;

• The personal data possibly involved;

• The measures taken by the entity to address the breach;

• The measures taken to reduce the harm or negative consequences of the breach;

• The representatives of the personal information controller, including their contact
details;

• Any assistance to be provided to the affected data subjects.

Penalties

The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for
unauthorized purposes, negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive personal information,
unauthorized disclosure, and malicious disclosure.

Any combination or series of acts may cause the entity to be subject to imprisonment
ranging from three to six years as well as a fine of approximately $20,000 to $100,000.

Notably, the previously mentioned private right of action for damages would also apply.

Penalties for failure to notify

Persons having knowledge of a security breach involving sensitive personal information and
of the obligation to notify the commission of the same, and who fail to do so, may be subject
to the penalty for concealment, including imprisonment for one and a half (1 1/2) to five
years and a fine of approximately $10,000 to $20,000.

Depending upon the circumstances additional violations might apply.

Comments

Jeeae Kim • May 2, 2017

Thank you for giving me good information regarding the Philippines Data Privacy Act. I would like to
ask a question about the penalty. That's because I don't understand the meaning of 11/2 in the final
paragraph. I don't know how long it is. 5 years and 5 months? It would be helpful for me if you let
me know how long it is.

Karis Williams • Dec 13, 2017

Thank you for your information, but I have a question concerning your statement on the DPA right to
erasure as a data subject right. I have read the DPA regulation and the IRR by the NPA and I have
not read anything about the right to erasure or the right to be forgotten. From what documents did
you conclude that the DPA also has a right to erasure?

Maria Cecilia Soria • Mar 5, 2018

@Jeeae Kim, the penalty for concealment of security breaches involving personal information is one
year and six months to five years.

Maria Cecilia Soria • Mar 5, 2018

@Karis Williams, the right to erasure is provided under Rule VIII, Section 34, paragraph e of the
Implementing Rules and Regulations of the Data Privacy Act (Republic Act No. 10173).

Christopher Tano • Apr 17, 2018

How can I get a RegEx for Philippine government IDs (like SSS)? This regex will be input into our DPA
system to check if the numbers were part of personal info.

Chelin Bello-Macalanda • Apr 22, 2019

Now that the IRR of Republic Act 11165, also known as “An Act Institutionalizing
Telecommuting as an Alternative Work Arrangement for Employees in the Private Sector”, is in
place, are there additional and specific actions or requirements we need to implement other than the
data privacy notice and trainings?

Harris Co • Aug 30, 2019

The law is still in its infancy; responses to violation reports are non-existent. Case in point: I
discovered a massive violation by an online payment channel where sensitive data like email, name,
address, phone number, policy amount, etc. are out in the open. Possibly millions are affected. I
contacted the commission via email (they do not have toll-free numbers) and got a response after a
week telling me to submit a notarized complaint for them to proceed, despite my having sent them all
the details, including how to duplicate/simulate the steps, so they themselves could validate. No
wonder companies continue to violate laws. As with any government agency in the Philippines, red tape
is prevalent and most laws are for show only. Having these laws on paper somehow elevates the
country to a higher level on the international stage, or so they thought.

Gayle Gestiada • Sep 2, 2019

I applied for a position in a company and was scheduled for an interview. I sent them an email
requesting that the interview be rescheduled, but did not get any response. One of my former
colleagues messaged me and advised that the interviewer disclosed that I was one of the applicants
for the job. Does this constitute a breach of privacy and data? Please advise. You may also get in
touch with me at [email protected]. Thank you.

© 2020 International Association of Privacy Professionals. All rights reserved.