While the GDPR may be the most extensive and revolutionary privacy law the world has seen thus far, the EU is not the only one implementing stricter data privacy requirements. More and more countries around the globe are also enacting regulations to protect the personal information of their citizens. Today, we want to look specifically at the Philippines and its Data Privacy Act of 2012 (DPA).
The purpose of the Act is “to protect the fundamental human right to privacy of communication while ensuring the free flow of information to promote innovation and growth.” In conjunction with the passing of the Act, the Philippine government also established the National Privacy Commission (NPC) to monitor and enforce the law. In September 2016, the NPC released the Implementing Rules and Regulations (IRR) of the DPA, which required covered organisations to register their personal data processing systems with the NPC by September 9, 2017.
Who does the DPA apply to?
The DPA applies to both natural persons and legal entities, whether they act as personal information controllers or personal information processors (the DPA's equivalents of the GDPR's data controllers and data processors). Like the GDPR, the DPA reaches organisations outside the Philippines that process the personal data of Philippine citizens or residents. It covers businesses operating within the Republic of the Philippines and organisations with an office, branch or agency in the Philippines, and, going further than the GDPR's establishment and targeting tests, it also covers entities that are not established in the Philippines but use equipment located there.
What does the DPA consider to be personal information?
The Act protects individuals from the unauthorised processing of their personal information, meaning information from which the identity of an individual is apparent or can reasonably be ascertained, either directly or when combined with other information (broadly, personally identifiable information, or PII). A narrower category, sensitive personal information, is subject to stricter rules. The DPA defines sensitive personal information as any data concerning:
- An individual’s race, ethnic origin, marital status, age, colour, and religious, philosophical or political affiliations;
- An individual’s health, education, genetic or sexual life, or any proceeding for any offence committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Information issued by government agencies peculiar to an individual, including social security numbers, previous or current health records, licences or their denial, suspension or revocation, and tax returns; and
- Information specifically established by an executive order or an act of Congress to be kept classified.
What are the lawful bases for processing under the DPA?
Like the GDPR, the Act requires organisations to have a specific and legitimate purpose, declared to the data subject, for every processing activity, and to collect no more data than that purpose needs. Consent is one lawful basis for processing, and when consent is relied upon, data subjects must be told clearly how and why their data will be used before they give it. Consent is not the only basis, however: processing is also permitted where it is necessary to perform a contract with the data subject, to comply with a legal obligation, to protect the data subject's life and health, to respond to a national emergency or to protect public order and safety, or to pursue the legitimate interests of the controller. Sensitive personal information is handled more strictly: its processing is prohibited unless one of a shorter list of exceptions applies, such as the data subject's specific consent or an existing law that expressly permits it.
What rights does the DPA give to Philippine citizens and residents?
The law gives data subjects rights concerning their personal information, including the rights to be informed, to object, to access their data, and to have it corrected. Three of these, the Right to Dispute, the Right to Erasure or Blocking, and the Right to Data Portability, closely resemble rights found in the GDPR (check out our white paper to see how they align).
- The Right to Dispute. Data subjects can contest inaccurate or erroneous data held by the personal information controller and request that it be corrected.
- The Right to Erasure or Blocking. Data subjects can “suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller.” To exercise this right, the data subject must show substantial proof that the data is incomplete, outdated, false or unlawfully obtained, that it is being used for an unauthorised purpose, or that it is no longer necessary for the purpose for which it was collected. A separate right to damages entitles data subjects to be indemnified for harm caused by inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorised use of their personal information.
- The Right to Data Portability. Where personal information is processed electronically in a structured, commonly used format, data subjects have the right to obtain a copy of it from the controller in an electronic or structured format that allows further use.
What are the penalties for non-compliance with the DPA?
The DPA creates criminal offences for non-compliance, most of which carry imprisonment as well as fines; where the offender is a company, the penalties fall on the responsible officers who participated in, or by gross negligence allowed, the violation. The offences include unauthorised processing, access due to negligence, improper disposal, processing for unauthorised purposes, unauthorised access or intentional breach, concealment of a security breach involving sensitive personal information, and the malicious or unauthorised disclosure of personal information.
Depending on the offence and on whether sensitive personal information is involved, a single violation carries imprisonment of six months to seven years and a fine of PHP 100,000 to PHP 5 million. A combination or series of these acts carries three to six years' imprisonment and a fine of PHP 1 million to PHP 5 million (roughly US$20,000 to US$100,000 at the time of writing). When the personal information of at least 100 individuals is harmed, affected or involved, the maximum penalty for the offence is imposed.
How can Philippine businesses comply with the GDPR?
Organisations that already comply with the Data Privacy Act (DPA) will find it easier to meet the GDPR because the two laws share much of their structure: lawful bases for processing, data subject rights, a designated privacy officer, security measures and breach notification. The data protection officers of Philippine companies complying with the DPA therefore already have much of the groundwork in place to take on GDPR-facing responsibilities, although the GDPR adds requirements of its own that must still be mapped and implemented.
The GDPR, much like the DPA, treats consent as a central lawful basis for collecting personal data (one of six under the GDPR, alongside contract, legal obligation, vital interests, public task and legitimate interests). Its transparency and consent rules require organisations to:
- Provide notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language, when asking users to agree to privacy terms or to data collection and processing
- Disclose the purposes and legal basis for processing, the categories of personal data collected, the recipients or categories of recipients of the data, and how long the data will be retained
- For online services offered directly to children, take reasonable steps to identify users under the age of digital consent (16 by default, though member states may lower it to as young as 13) and obtain the consent of a parent or guardian before processing the minor's personal information
Cookie banners, consent management platforms and internal privacy tooling on websites and web forms are the usual way to meet these requirements. They only satisfy the GDPR if the consent they collect is freely given, specific, informed and unambiguous, captured by a clear affirmative act rather than a pre-ticked box, recorded so that it can be demonstrated later, and as easy to withdraw as it was to give.
The GDPR also gives individuals the right to object to processing, including profiling, and the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Like the DPA, the GDPR requires a Data Protection Officer, though only in defined cases: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
Under the GDPR, an organisation that becomes aware of a personal data breach must notify the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals, and must also inform the affected data subjects without undue delay where the risk to them is high. The NPC's breach rules impose the same 72-hour window for notifying the Commission and the affected data subjects when sensitive personal information, or other information that could be used for identity fraud, is reasonably believed to have been acquired by an unauthorised person and is likely to cause serious harm.
What are the consequences for failing to comply with the GDPR?
Companies that fail to comply with the GDPR face two tiers of administrative fines: up to €10 million or 2% of worldwide annual turnover, whichever is higher, for breaches such as failing to keep records, report breaches or appoint a DPO; and up to €20 million or 4% of worldwide annual turnover, whichever is higher, for breaches of the core principles, the lawful bases for processing, data subject rights or international transfer rules. Within those ceilings the amount depends on the nature, gravity and duration of the infringement, whether it was intentional or negligent, and how seriously the company has worked at complying with the GDPR.
What should our next steps be to align with the DPA?
Organisations conducting business in the Philippines, or processing the data of Philippine citizens and residents, should take the following steps to meet DPA requirements:
- Conduct a Privacy Impact Assessment (PIA, the NPC's counterpart to the GDPR's DPIA): a full review of the personal data your organisation holds, how it is collected, every processing activity, and where the data is stored, including data centres and third-party processors.
- Appoint a Data Protection Officer (DPO), the person accountable for ensuring that processing complies with the Act, its IRR and NPC issuances.
- Register with the NPC. Under the NPC's registration rules, registration is mandatory for controllers and processors that employ at least 250 people, process the sensitive personal information of at least 1,000 individuals, or carry out processing likely to pose a risk to data subjects. For private entities, registration requires a certificate of the appointment of the DPO and a certified copy of the entity's certificate of registration or licence to operate.
- Create a Privacy Management Program Manual that informs all departments and employees of the requirements of the DPA and the directives of the NPC.
- Implement organisational, physical and technical security measures proportionate to the sensitivity of the data, and test breach notification procedures routinely so that the 72-hour reporting window can actually be met.
As more and more countries adopt stronger privacy regulations, compliance with them is becoming a basic requirement for U.S. companies doing business around the world. However, after a quick look at the requirements of the DPA, you may have noticed some similarities between the DPA and the EU’s GDPR. While compliance with these regulations is certainly not an easy feat, their alignment in certain areas makes compliance with both regulations simpler.
Relentless Privacy and Compliance covers all data privacy regulations in the Asia region, and in particular the GDPR for Philippine outsourced service providers that process the data of EU data subjects.