The Philippines has a growing and important business process management and health information technology industry. Total IT spending reached $4.4 billion in 2016, and the sector is expected to more than double by 2020. Filipinos are heavy social media users: 42.1 million are on Facebook, 13 million on Twitter, and 3.5 million on LinkedIn. The country is also in the process of enabling free public Wi-Fi. In the context of the rapid growth of the digital economy and increasing international trade in data, the Philippines has strengthened its privacy and security protections.

In 2012 the Philippines passed the Data Privacy Act of 2012, comprehensive and strict privacy legislation “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth” (Republic Act No. 10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National Privacy Commission that enforces and oversees it and is endowed with rulemaking power. On September 9, 2016, the final implementing rules and regulations came into force, adding specificity to the Privacy Act.

Scope and Application


The Data Privacy Act is broadly applicable to individuals and legal entities that process personal information, with some exceptions. The law has extraterritorial application: it applies not only to businesses with offices in the Philippines but also to processing that uses equipment located in the Philippines. The act further applies to the processing of the personal information of Philippine citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the processing of personal information in the Philippines that was lawfully collected from residents of foreign jurisdictions, an exception helpful for Philippine companies that offer cloud services.

Approach
The Philippines law takes the approach that “The processing of
personal data shall be allowed subject to adherence to the
principles of transparency, legitimate purpose, and
proportionality.”

Collection, processing, and consent


The act states that personal data must be collected for a “declared, specified, and legitimate purpose” and further provides that, as a general rule, consent is required prior to the collection of personal data. It requires that when obtaining consent, the data subject be informed about the extent and purpose of processing, and it specifically mentions the “automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.” Consent is further required for sharing information with affiliates or even parent companies.

Consent must be “freely given, specific, informed,” and the definition further requires that consent to collection and processing be evidenced by recorded means. However, processing does not always require consent. Consent is not required for processing where the data subject is party to a contractual agreement, for purposes of fulfilling that contract. The exceptions of compliance with a legal obligation upon the data controller, protection of the vital interests of the data subject, and response to a national emergency are also available.

An exception to consent is allowed where processing is necessary to pursue the legitimate interests of the data controller, except where overridden by the fundamental rights and freedoms of the data subject.

Required agreements
The law requires that when sharing data, the sharing be
covered by an agreement that provides adequate safeguards
for the rights of data subjects, and that these agreements are
subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information


The law defines sensitive personal information as information:
• About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by that person;
• Issued by government agencies “peculiar” (unique) to an individual, such as a social security number;
• Marked as classified by executive order or act of Congress.

All processing of sensitive personal information and privileged information is prohibited except in certain circumstances. The exceptions are:
• Consent of the data subject;
• Processing pursuant to a law that does not require consent;
• Necessity to protect the life and health of a person;
• Necessity for medical treatment;
• Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.

Surveillance

Interestingly, the Philippines law states that the country’s Human Security Act of 2007 (a major anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required


The law requires that any entity involved in data processing
and subject to the act must develop, implement and review
procedures for the collection of personal data, obtaining
consent, limiting processing to defined purposes, access
management, providing recourse to data subjects, and
appropriate data retention policies. These requirements
necessitate the creation of a privacy program. Requirements
for technical security safeguards in the act also mandate that
an entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the principles of notice, choice, access, accuracy and integrity of data.
The Philippines law appears to contain a “right to be forgotten”
in the form of a right to erasure or blocking, where the data
subject may order the removal of his or her personal data from
the filing system of the data controller. Exercising this right
requires “substantial proof,” the burden of producing which is
placed on the data subject. This right is expressly limited by the
fact that continued publication may be justified by
constitutional rights to freedom of speech, expression and other
rights.

Notably, the law provides a private right of action for damages for inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data. A right to data portability is also provided.

Mandatory personal information breach notification


The law defines “security incident” and “personal data breach” separately, ensuring that the two are not confused. A “security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise availability, integrity or confidentiality. This definition includes incidents that would have resulted in a personal data breach but for safeguards that had been put in place.
A “personal data breach,” on the other hand, is a subset of security incident that actually leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Requirement to notify
The law further provides that not all personal data breaches require notification, and it sets out several bases for not notifying data subjects or the data protection authority. Section 38 of the IRR provides the requirements for breach notification:
• The breached information must be sensitive personal information, or information that could be used for identity fraud, and
• There is a reasonable belief that unauthorized acquisition has occurred, and
• The risk to the data subject is real, and
• The potential harm is serious.
The law provides that the Commission may determine that notification to data subjects is unwarranted after taking into account the entity’s compliance with the Privacy Act, and whether the acquisition was in good faith.

Notification timeline and recipients


The law places a concurrent obligation to notify the National
Privacy Commission as well as affected data subjects within 72
hours of knowledge of, or reasonable belief by the data
controller of, a personal data breach that requires notification.
It is unclear at present whether the commission would allow a
delay in notification of data subjects to allow the commission to
determine whether a notification is unwarranted. By the law,
this would appear to be a gamble.

Notification contents
The notification must at least include:
• A description of the nature of the breach;
• The personal data possibly involved;
• The measures taken by the entity to address the breach;
• The measures taken to reduce the harm or negative consequences of the breach;
• The representatives of the personal information controller, including their contact details;
• Any assistance to be provided to the affected data subjects.

Penalties
The law provides separate penalties for various violations, most
of which also include imprisonment. Separate counts exist for
unauthorized processing, processing for unauthorized purposes,
negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive
personal information, unauthorized disclosure, and malicious
disclosure.

Any combination or series of acts may cause the entity to be subject to imprisonment ranging from three to six years as well as a fine of approximately $20,000 to $100,000. Notably, there is also the previously mentioned private right of action for damages, which would apply.

Penalties for failure to notify
Persons having knowledge of a security breach involving sensitive personal information and of the obligation to notify the commission of it, and who fail to do so, may be subject to penalty for concealment, including imprisonment for one and a half to five years and a fine of approximately $10,000 to $20,000. Depending upon the circumstances, additional violations might apply.

Following a series of public consultations held between June and August 2016, the National Privacy Commission (NPC) promulgated the Implementing Rules and Regulations (IRR) of Republic Act No. 10173 on Aug. 24, 2016.

Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), was
principally authored by former Senator Edgardo J. Angara during his
chairmanship of the Senate Committee on Science and Technology, and
passed into law in 2012.
Republic Act No. 10173, the full title of which is “An Act Protecting Individual Personal
Information in Information and Communications Systems in the Government and the Private
Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes,”
declares as State policy the protection of the right to privacy and communication while
ensuring the free flow of information to promote innovation and growth.

The law seeks to protect “personal information” (defined as, “information, whether recorded in
a material form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when put
together with other information would directly and certainly identify an individual”) that
undergoes “processing,” which is defined as, “an operation or a set of operations performed
upon personal information, such as, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure,
or destruction of data.”

The DPA also covers “privileged information” (“data which under the Rules of Court and other
pertinent laws constitute privileged communication,” for example, attorney-client privilege,
physician-patient privilege, etc.), and “sensitive personal information,” which is defined as,
“information:

• About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical, or political affiliation;

• About an individual’s health, education, genetic, or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

• Issued by government agencies peculiar to an individual which includes, but not limited to,
social security numbers, previous or current health records, licenses or its denials, suspension,
or revocation, and tax returns; and

• Specifically established by an executive order or an act of Congress to be kept classified.”

To administer this law, the NPC was created. It is currently headed by its pioneering set of
Commissioners who were all appointed in March 2016: Privacy Commissioner and Chairman
Raymond Liboro, a former Assistant Secretary at the Department of Science and Technology;
Deputy Privacy Commissioner Ivy Patdu, a practicing lawyer and consultant medico-legal
physician; and Deputy Commissioner Dondi Mapa, who held the position of National
Technology Officer at Microsoft Philippines.

Composed of fourteen (14) rules and seventy-two (72) sections, the IRR, apart from supplementing the DPA’s provisions, provides specific rules on the following: Data Privacy Principles; Data Breach Notification; Outsourcing and Subcontracting Agreements; Registration and Compliance Requirements; and Rules on Accountability.

The DPA and its IRR cover the processing of personal data by any natural or juridical person in the government or private sector. They apply to an act done or practice engaged in, whether in or outside of the Philippines, if:

• The natural or juridical person involved in the processing of personal data is found or
established in the Philippines;

• The act, practice, or processing relates to personal data about a Philippine citizen or
Philippine resident;

• The processing of personal data is being done in the Philippines; or

• The act, practice, or processing of personal data is done or engaged in by an entity with links
to the Philippines, with due consideration to international law and comity.

The IRR specifies additional definitions of key terms such as “data processing systems,” “data
sharing,” “personal data,” “personal data breach,” and “security incident.” It also clarifies that
“processing” may be performed either through automated means, or manual processing, if the
personal data are contained or are intended to be contained in a filing system.

Substantively, the IRR expounds on the principles of transparency, legitimate purpose, and
proportionality, not only in the processing of personal data per se, but also in the collection
and retention thereof. General principles for data sharing are also laid down.

To concretely carry out these principles, the IRR enumerates specific organizational, physical,
and technical security measures which personal information controllers and processors are
mandated to undertake in relation to the personal data which they process.

The IRR also categorizes the rights of the data subject, as enumerated under the DPA, into the
following: the right to be informed; the right to object; the right to access; the right to
rectification; the right to erasure or blocking; and the right to damages.

Violations of the DPA are sanctioned with both imprisonment and payment of fines as
penalties. Such violations include unauthorized processing, accessing due to negligence,
improper disposal, processing for unauthorized purposes, unauthorized access or intentional
breach, concealment of security breaches, malicious disclosure, and unauthorized disclosure.

The IRR provides that personal information controllers and processors shall register with the
NPC their data processing systems and automated processing operations, subject to
notification, one (1) year after the effectivity of the IRR.

Promulgated on Aug. 24, 2016, the IRR takes effect fifteen (15) days after its publication. Entities covered by the DPA and its IRR have one (1) year to comply with their provisions from the date of effectivity of the IRR.

In 2012, the Congress of the Philippines passed Republic Act No. 10173, also known as the Data Privacy Act (DPA) of 2012. Four years later, the DPA’s Implementing Rules and Regulations took effect on September 9, 2016, mandating all covered companies to comply.

The act is a necessary and important precaution in a world economy that’s swiftly going
digital. In 2014, it was estimated that 2.5 quintillion — or 2.5 billion billion — bytes of data
were created everyday. This includes unprecedented knowledge about what real individuals
are doing, watching, thinking, and feeling.

Companies must be held accountable not only for what they do with customer data — but
how they protect that data from third parties. The past few years of security breaches, system
errors, and ethical scandals within some of the country’s major banks have reminded us that
there is much work to be done.

So, where to begin for institutions who want to comply with RA 10173 and be proactive
about their consumers’ digital privacy?
What is RA 10173?
RA 10173, or the Data Privacy Act, protects individuals from unauthorized processing of
personal information that is (1) private, not publicly available; and (2) identifiable, where the
identity of the individual is apparent either through direct attribution or when put together
with other available information.

What does this entail?

First, all personal information must be collected for reasons that are specified, legitimate, and reasonable. In other words, customers must opt in for their data to be used for specific reasons that are transparent and legal.

Second, personal information must be handled properly. Information must be kept accurate and relevant, used only for the stated purposes, and retained only for as long as reasonably needed. Companies must be active in ensuring that unauthorized parties do not have access to their customers’ information.

Third, personal information must be discarded in a way that does not make it visible and
accessible to unauthorized third parties.

Unauthorized processing, negligent handling, or improper disposal of personal information is punishable with up to six (6) years in prison or a fine of up to five million pesos (PHP 5,000,000), depending on the nature and degree of the violation.

Who needs to register?

Companies with at least 250 employees, or that process the sensitive personal information of at least 1,000 individuals, are required to register with the National Privacy Commission and comply with the Data Privacy Act of 2012. Some of these companies are already on their way to compliance, but many more are unaware that they are even affected by the law.

How do I remain in compliance with the Data Privacy Act?
The National Privacy Commission, which was created to enforce RA 10173, will check whether a company is compliant based on its having five elements in place:
1. Appointing a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy management program
4. Implementing privacy and data protection measures
5. Exercising a breach reporting procedure
