On August 23, 2012, it was announced that President Benigno Aquino III of the Philippines signed the Data Privacy Act of 2012 into law, thus adding the Philippines to the growing ranks of countries with a comprehensive data privacy regime. The Act was passed by the Filipino legislature in March of 2012.
The Act contains many provisions that have become familiar in such comprehensive data privacy legislation.
The Act begins by declaring privacy to be a fundamental human right (Section 2).
The definition of personal information in the Act is fairly broad (“any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained”), and there is also a definition for sensitive personal information, which is deemed to include the standard repertoire of higher-level personal information (race, health, religion, political affiliation, etc.) (Section 3).
The scope of the Act is extra-jurisdictional in some important respects. The Act applies to any data controller or processor that is located in the Philippines, or that uses “equipment that are located in the Philippines.” This provision seems to be referring to data housing or cloud services that are maintained in the Philippines. Further, the Act specifically affirms its extra-jurisdictional scope by providing that any entity outside of the Philippines is subject to it when that entity has engaged in an act or practice that relates to the personal information of a citizen or resident of the Philippines. Importantly, the Act does not apply to personal information “originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines” (Sections 4-6).
The Act sets up a National Privacy Commission. This independent body will have broad authority to administer the Act by, among other activities, handling complaints, providing guidance on the Act’s applicability, and recommending to the Filipino Department of Justice that it take action against persons who violate the Act (Section 7).
The Act sets out a list of data processing principles. Similar to the processing principles of other data privacy regimes, such as the European Directive, the processing must be lawful, reasonable, and for a specific purpose, and the information may be retained only so long as it is needed for that purpose. The processing of sensitive personal information is generally prohibited, subject to a list of exemptions and caveats: where consent has been given, for medical reasons, for legal reasons, for public administration and other explicitly lawful purposes, and in the case of incapacity on the part of the data subject (Sections 11-15).
The data subject possesses a set of rights under the Act. The data subject has the right to know of the processing of his/her personal information, to know the purpose and scope of the processing, the recipients of his/her personal information, the time period for the retention of the personal information, and the contact information for the controller or processor, among other things. Further, the data subject, as in similar data privacy laws, has the right to inquire into the above questions and receive an answer within a reasonable time period. A general exemption exists under the Act with respect to personal information processed for “scientific or statistical” research (Sections 16-19).
The data controller or processor is required to maintain a security system that is “reasonable and appropriate,” and must notify the Commission and affected data subjects in the event of a security breach. The notification may only be delayed in order to fully understand the scope of the breach, prevent further disclosures, or restore integrity to the system; thus, for all intents and purposes, notification must take place as immediately as is practicable (Section 20).
The Act definitely has some significant teeth. Prison terms of up to 6 years and hundred-thousand-dollar fines “shall” be imposed for breaking the provisions of the Act. The Act specifies that if the offender is a legal person, its officers may be liable for the offense (Sections 25-37).
An important impetus for the Act is to bolster the data security environment in the Philippines in order to encourage further growth in the BPO sector. The Philippines is already seen by leading firms to be a new hot spot in BPO services, as this article by the Oxford Business Group reports. Foreign firms that use Philippine-based BPO services will want to ensure they are on the same page with their service providers as regards compliance with the Act.
As the APEC CBPR System moves forward, it will be interesting to observe the manner of Filipino participation. The Act does not provide very much detail on cross-border data transfer, and the portions that do address this question, including Section 21, seem to provide a basis for interoperability between the Act and the principles of the CBPR System. So it is possible that there could be quite a bit of synergy between the two programs.
The Act gives the Commission 90 days to create Implementing Rules and Regulations (“IRR”), and covered entities will have one year from the creation of the IRR, or such time as the Commission determines, to come into compliance with the Act. It will be important to monitor the manner in which the Commission implements the Act. Specifically, close attention should be given to the IRR when they are released later this year.