This is the first in a two-part series on privacy laws in Asia. Stay tuned for part two on Japan’s recent amendment to its most notable privacy law, the APPI, coming very soon.
While the GDPR may be the most extensive and revolutionary privacy law the world has seen thus far, the EU is not the only one implementing stricter data privacy requirements. More and more countries around the globe are also enacting regulations to protect the personal information of their citizens. Today, we want to look specifically at the Philippines and its Data Privacy Act of 2012 (DPA).
The purpose of the Act is “to protect the fundamental human right to privacy of communication while ensuring the free flow of information to promote innovation and growth.” In conjunction with the passing of this Act, the Philippine government also established the National Privacy Commission (NPC) to monitor and enforce the law. In September of 2016, the NPC released the final rules and regulations for DPA implementation, mandating companies to register as a personal data processing system by September 9, 2017.
In the next few sections of this post, we’ll answer some key questions about this important regulation. But if you want to learn more, download our new white paper to see how it aligns with the EU’s GDPR and other global privacy laws.
Who does the DPA apply to?
The DPA applies to both individuals and legal entities (or both data controllers and data processors, as defined by the GDPR). Like the GDPR, organizations outside of Philippines who process the personal data of Philippines citizens or residents must also comply with the DPA. The DPA covers businesses within the Republic of the Philippines and organizations with offices in the Philippines. But unlike the GDPR, it also includes those who use equipment located in the Philippines.
What does the DPA consider to be personal information?
This Act protects individuals from the unauthorized processing of their personal information (i.e., data that is not publicly available and personally identifiable information (PII)). The DPA defines sensitive personal information as any data concerning:
- An individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- An individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Information issued by government agencies particular to an individual, which includes social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Information specifically established by an executive order or an act of Congress to be kept classified.
What are the lawful bases for processing under the DPA?
The Act requires organizations to have a specific and legitimate purpose for the processing of every category of data, just like the GDPR. Consent is another vital part of the legal collection of data, and customers must be fully aware of how and why their data will be used when asked for consent. However, consent is not always required for processing; some of these scenarios include the enforcement of a contract, the protection of vital interests, and the response to a national emergency.
What individual rights are given to Philippines’ citizens and residents?
The law provides data subjects rights concerning their personal information, such as notice, access, accuracy, and transparency. These include the Right to Dispute, the Right to Erasure, and the Right to Data Portability, which sound very similar to some individual rights found in the GDPR (check out our white paper to see how they align).
- The Right to Dispute. This right provides data subjects with the ability to contest inaccurate data with the data controller and to request for the information to be corrected.
- The Right to Erasure or Blocking. According to the regulation, data subjects can “suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller.” To exercise this right, the data subject must have substantial proof that the data is incomplete, outdated, or false, or was unlawfully obtained. This right also states that data subjects will be compensated for any resulting damages.
- The Right to Data Portability. Data subjects have the right to request their personal information from the data controller as long as the data was processed electronically.
What are the penalties for non-compliance with the DPA?
The DPA includes various penalties for individuals and organizations that are found non-compliant, many of which include imprisonment. Data controllers are held accountable for the following: processing unauthorized data, negligent access, illegal disposal, concealment of breaches or intentional breaches, and the unauthorized or malicious disclosure of data.
The repercussions of these violations (or a combination of them) can range from an imprisonment sentence of three to six years as well as a monetary fine of $20,000-$100,000 (one million Filipino pesos to five million Filipino pesos). The maximum fine is imposed when data breaches involve the information of 100 or more individuals.
What should our next steps be to align with the DPA?
Organizations conducting businesses in the Philippines or who process that data of Philippines citizens and residents should take the following steps to meet DPA requirements:
- Conduct a Privacy Impact Assessment (PIA), a full review of your organization’s data, collection procedures, processing activities, and data centers.
- Appoint a Data Protection Officer (DPO), the person responsible for ensuring data processing remains in accordance with the regulation.
- Register with the NPC. The following documentation is necessary for the registration of private entities: a certificate of the appointment of a DPO and a certified copy of any of the following documents: certificate of registration or license to operate.
- Create a Privacy Management Program Manual to inform all departments and employees of the requirements of the DPA and the directives of the NPC.
- Implement privacy and data protection measures and ensure that breach notification procedures are routinely tested.
As more and more countries adopt stronger privacy regulations, compliance with them is becoming a basic requirement for U.S. companies doing business around the world. However, after a quick look at the requirements of the DPA, you may have noticed some similarities between the DPA and the EU’s GDPR. While compliance with these regulations is certainly not an easy feat, their alignment in certain areas makes compliance with both regulations simpler.
Download our new white paper, which lines these two regulations up side-by-side, and see where they overlap and where they differ. Having a better understanding of their alignment is a good first step to compliance.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.
Want more data privacy insights like this?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.