Philippines

Since 2012, the Philippines has had a comprehensive law governing personal data privacy. However, full implementation of Republic Act No. 10173, or the Philippine Data Privacy Act of 2012 (RA10173), was not realised until the National Privacy Commission (NPC) was officially constituted in the early part of this year and the Implementing Rules & Regulations (IRR) of RA10173 was promulgated last August 24, 2016. This is the comprehensive law that governs data privacy protection in the Philippines. With the release of the IRR and the creation of the NPC — the primary agency tasked to oversee the administration of RA10173 — implementation of the personal data privacy protection in the Philippines comes to a full swing.

Under the IRR, compliance with the following registration requirements must be done within a period of one year counted from the date of effectivity of the IRR (ie, September 9, 2016):

  • Registration of personal data processing systems (whether automated or non-automated) that involve accessing or requiring sensitive personal information of at least 1,000 individuals; and

  • Registration of automated processing operations subject to notification, where the automated processing becomes the sole basis of making decisions that would significantly affect the data subject.

RA10173 and the IRR defines “sensitive personal information” as personal information about one’s race, marital status, age, colour, and religious, philosophical or political affiliations; health, education; any court proceedings; issued by government agencies peculiar to an individual (eg, social security numbers, health records, licenses, tax returns); and those specifically declared as classified by law or regulation.

The period to comply with the foregoing may be extended by the NPC upon request for good cause shown. Additional registration requirements may be imposed by the NPC through issuances and circulars, including guidelines that will provide for procedures in complying with the current registration requirements mentioned above.

The IRR also fleshes out RA10173’s provisions on data breach. It is required that notification must be given by the personal information controller to the NPC and the affected data subjects within seventy-two (72) hours upon knowledge of, or when there is reasonable belief that –

  • Sensitive personal information; or

  • Any other information that may, under the circumstances, be used to enable identity fraud –

– have been acquired by an unauthorised person, and that such an unauthorised acquisition is likely to give rise to a real risk of serious harm to any affected data subject. Notification can be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. Failure to comply with this duty of providing data breach notification, if determined to be unjustified, may constitute concealment of security incident/data breach sanctioned under RA10173 (subjected to mandatory fine and imprisonment).

The IRR also regulates outsourcing and subcontracting agreements between personal information controllers and personal information processors. It provides for stipulations that must appear in any outsourcing and subcontracting agreements that involve processing of personal data. Moreover, the IRR defines the term “data sharing” to mean as any disclosure or transfer to a third party of personal data under the custody of a personal information controller or processor. Generally, data sharing must require the consent of the data subject, even if the data is to be shared between related companies, affiliates, and other similar relationships. If data sharing will be for commercial purposes (eg, direct marketing), it must be covered by a data sharing agreement.

The NPC promises to be open to comments/suggestions from industry stakeholders, and responsive to their needs and concerns. Although the NPC will be releasing several official circulars, rules, and issuances that will serve as guidelines for proper compliance, it is hoped that the initial stages of implementing RA10173 will be a “learning” experience as well as an “adjustment” stage among the relevant sectors in the Philippines.

–––––––––––––––––
ACCRALAW Tower, 2nd Ave. Cor. 30th St., Bonifacio Global City
Taguig City, Metro Manila, Philippines
Tel: (632) 8308000 / Fax (632) 4037007 or (632) 4037008
E: jmgaba@accralaw.com
W: www.accralaw.com

[sharethis]
Related Articles by Firm
Protection of women employees in the Philippines
According to the World Economic Forum’s Global Gender Gap (GGG) Report conducted in 2016, the Philippines is the most gender-equal country in the Asia-Pacific region, having closed nearly 79 percent of its gender gap ...
Anti-Trust & Competition: Philippines - Towards robust yet balanced competition in the Philippines
The state of Philippine competition regulation has been slowly taking shape barely over two years after the passage of the Philippine Competition Act (RA 10667) ...
PHILIPPINES: The internet and doing business in the Philippines
Earlier this year, the Philippines Securities and Exchange Commission (SEC) issued an opinion stating that an online gaming system with absolutely no physical presence in the Philippines shall be considered as “doing business” in the Philippines and was thus required ...
Philippines: Psychological disorders in the workplace
The problem of mental health presents a particular conundrum under labour relations and standards ...
Clarifying the role of contractors and subcontractors
Recent changes to labour laws in the Philippines attempt to clarify the status of contractors and subcontractors in certain industries ...
Fake news and its web of legal issues in the post-truth era
Oxford Dictionaries’ Word of the Year for 2016 is “post-truth” — an adjective defined as “relating to or denoting circumstances in which objective facts are less influential in shaping public opinion than appeals to emotion and personal belief”. ...
Dollar-denominated securities in relation to Corporation Code’s provisions on capital
The Philippines Stock Exchange (PSE) issued rules on December 2, 2016 governing the listing, trading and settlement of US dollar-denominated securities (DDS)....
Cyber bullying in the Philippines
The pen is mightier than the sword or so the adage goes. When this was once said, it was to highlight the power of thoughts and ideas over brute force and violence as a way to effect change. Today, the ...
Uber/GrabCar drivers: Independent contractors or employees?
The buzz about the legality of Uber and GrabCar operating in the Philippines might have died down, but now there is another legal issue surrounding them: whether their drivers are employees or ...
Price fixing in the context of the Philippine Competition Act
In light of the enactment of the Philippine Competition Act (PCA) in 2015, competitors, manufacturers, retailers and sellers or suppliers, in general, should be ...
Taxability of service fees received by non-resident foreign companies from online advertising in the Philippines
The use of the internet for the promotion of goods and services, particularly social media (Facebook, Twitter and ...
Levelling the playing field in the Philippines
Before the enactment of the Philippine Competition Act in 2015, the Philippines was the only founding member of Asean that did not have a comprehensive competition law in place. Francisco Ed Lim, Patricia-Ann T Prodigalidad, Eric R Recalde of <...
Age discrimination in the workplace
Republic Act No. 10911 (also known as the ‘Anti-Age Discrimination in Employment Act’) lapsed into law on 21 July ...
Green jobs: greening the Philippine labour sector
With the threat of climate change, the international community created the Paris Agreement which aims to stop global warming and preserve ...
Interplay of domestic law on compulsory licensing and international agreements on medicine prices
The price of pharmaceutical products in the Philippines appears to be on the high side compared to that in other Asian ...
Restrictive covenants in employment contracts
One of the means of keeping afloat in today’s competitive market is to hire employees who are ‘fit’ for a particular job. However, before employers ...
Make our system work: litigation practice expedited
The perception that litigation is a slow and arduous process has drawn many of us closer to the idea of alternative modes of dispute resolution. ...
Department of Labor and Employment (DOLE) Department Order No. 18-A: The Rules and Regulations on Contracting
On December 4, 2011, Department of Labor and Employment (DOLE) Department Order No. 18-A (D.O. 18-A), the new Rules Implementing Articles 106 to 109 ...
An overview of Philippine Data Privacy Law
Republic Act No. 10173, or the Philippine Data Privacy Act of 2012 (RA10173), was signed into law on August 15, 2012. This is the ...
New competition law for the Philippines
The Philippine Competition Act (PCA) went into effect on August 5, 2015. The law applies not only to acts committed in the Philippines but ...
Related Articles
Crime vs. Ethics: Changing corporate culture to reduce modern slavery
The second of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
The Assistant Registrar’s Role in the Judicial Hierarchy
The decision in Peter Low LLC provides the latest judicial pronouncement on the role and position of an Assistant Registrar in the judicial hierarchy ...
Reducing and removing involvement in modern slavery
The first of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues ...
Related Articles by Jurisdiction
Department of Labor and Employment (DOLE) Department Order No. 18-A: The Rules and Regulations on Contracting
On December 4, 2011, Department of Labor and Employment (DOLE) Department Order No. 18-A (D.O. 18-A), the new Rules Implementing Articles 106 to 109 ...
Green jobs: greening the Philippine labour sector
With the threat of climate change, the international community created the Paris Agreement which aims to stop global warming and preserve ...
Uber/GrabCar drivers: Independent contractors or employees?
The buzz about the legality of Uber and GrabCar operating in the Philippines might have died down, but now there is another legal issue surrounding them: whether their drivers are employees or ...
Latest Articles
ZICO celebrates 30 years with charitable donation
Yokuk provides therapy and welfare services as well as educational support for children and adults suffering from various disabilities ...
Crime vs. Ethics: Changing corporate culture to reduce modern slavery
The second of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
The Assistant Registrar’s Role in the Judicial Hierarchy
The decision in Peter Low LLC provides the latest judicial pronouncement on the role and position of an Assistant Registrar in the judicial hierarchy ...