Data Privacy Act of the Philippines
Republic Act No. 10173, otherwise known as the Data Privacy Act of the Philippines, was passed by the Philippine Congress in 2012. The law sought to breathe life to the policy of the State to protect the fundamental human right of privacy, while nonetheless ensuring free flow of information to promote innovation and growth.
On 24 August 2016, the Implementing Rules and Regulations (“IRR”) of the Data Privacy Act was promulgated to clarify and add further detail to the provisions of the Data Privacy Act.
Among the salient features of the said law and its IRR, which are likewise focal points for the regulators, are as follows:
Scope of Data Privacy
The Data Privacy Act applies to any natural and juridical person involved in personal information processing, including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines or those who maintain an office, branch, or agency in the Philippines.[1]
The nationality and/or residence of the data subjects likewise become immaterial,[2] considering the provision of the IRR, which states that the law shall likewise apply to an act done or practice engaged in outside of the Philippines if:
1. The natural or juridical person involved in the processing of personal data is found or established in the Philippines;
2. The act, practice or processing relates to personal data about a Philippine citizen or Philippine resident;
3. The processing of personal data is being done in the Philippines; or
4. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following:
a. Use of equipment located in the country, or maintains an office, branch, or agency in the Philippines for processing of personal data;
b. A contract is entered in the Philippines;
c. A juridical entity unincorporated in the Philippines but has central management and control in the country;
d. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal data;
e. An entity that carries on business in the Philippines;
f. An entity that collects or holds personal data in the Philippines.[3]
Personal Data Defined under the Data Privacy Act and Regulations
The Data Privacy Act covers the processing of personal data of data subjects. The IRR defines “personal data” as all types of personal information.[4] The Data Privacy Commission clarified that this term encompasses personal information, sensitive personal information, and privileged communication.[5]
Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.[6]
On the other hand, sensitive personal information refers to personal information about:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.[7]
Finally, privileged information is defined as any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication.[8]
Consent of the Data Subject
As a general rule, the consent of the data subject must be secured before his/her personal data may be processed. According to the law, the consent of the data subject must be a freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or in relation to him or her. The law further provides that the consent given shall be evidenced by written, electronic, or recorded means, and that it may be given on behalf of the data subject by an agent specifically authorized by him/her to do so.[9]
Considering that the foregoing provision makes mention of written, electronic, or recorded pieces of evidence to prove the data subject’s consent, it is readily apparent that implied, implicit, or negative consent is not recognized under the law.[10] As such, a policy that states the entry of the required personal information would be tantamount to consent or a waiver of his or her data privacy rights, for example, is not a valid form of consent.[11]
The Data Privacy Commission, in its Advisory Opinion No. 2017-007, likewise referred to Recital 32 of the European Union Regulation 2016/679 or the General Data Protection Regulation (“GDPR”) in determining the validity of implied consent, viz:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked
boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” (Emphasis supplied)
With regard to consent being given through recorded means, the Data Privacy Commission, in the same Advisory Opinion, also added that the personal information controller is allowed to present other types of evidence – such as object, documentary, and electronic – that may prove the existence and content of the said recording. In such circumstances, the Revised Rules on Evidence and the Rules on Electronic Evidence apply suppletorily.
However, it is noteworthy that, in certain circumstances outlined in the Data Privacy Act, the consent of the data subject is no longer required, such as the scenarios enumerated under sub-paragraphs (b) to (c) and (e) to (f), involving sensitive personal information.
Principles of Data Privacy
The processing of personal data should adhere to the principles of transparency, legitimate purpose, and proportionality.[12] Under the principle of transparency, the data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data. Likewise, any information relating to the same should be easily understandable, accessible, and use clear and plain language. [13]
The processing of information should also be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.[14]
Finally, it must satisfy the test of proportionality, which means that the processing must be adequate, relevant, suitable, necessary, not excessive in relation to the declared and specified purpose, and the purpose of the processing could not be reasonably fulfilled by other means.[15]
Interpretation
Section 38 of the Data Privacy Act provides that any doubt in the interpretation of any provision in the law shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed.
Data Sharing
There are restrictions on the transfer of sensitive personal information to third parties.
Data sharing is defined as the “disclosure or transfer to a third party of personal data under the custody of a personal information controller or a personal information processor”.[16] Personal data is defined as “all types of personal information”,[17] be it personal information, sensitive personal information, or privileged communication.[18]
Data sharing differs from an outsourcing or a subcontracting agreement, which pertains to the disclosure or transfer of personal data by a personal information controller to a personal information processor for the latter to perform the particular activities outsourced by the former.[19]
Under the IRR, data sharing is allowed only when expressly authorized by law and provided that the processing adheres to the principle of transparency, legitimate purpose, and proportionality.[20]
Under Section 20(b) of the Implementing Rules and Regulations of the Data Privacy Act, data sharing shall be allowed in the private sector only if the following conditions are complied with:
1. The data subject must consent to the data sharing;
2. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships;
3. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement.
a. The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold rights of data subjects.
b. The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of data subject;
4. The data subject shall be provided with the following information prior to collection or before data is shared:
a. Identity of the personal information controllers or personal information processors that will be given access to the personal data;
b. Purpose of data sharing;
c. Categories of personal data concerned;
d. Intended recipients or categories of recipients of the personal data;
e. Existence of the rights of data subjects, including the right to access and correction, and the right to object; and
f. Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.
5. Further processing of shared data shall adhere to the data privacy principles laid down in the Act, these Rules, and other issuances of the Commission.
Hence, for companies wanting to contract out data collection, or to transfer them to locations other than their own data centers, these requirements must be complied with in order to validly transfer personal data of whatever kind to a third party.
About Nicolas and De Vega Law Offices
If you have issues on data privacy or information technology law or corporate law, commercial law, corporate or commercial litigation, or civil or other criminal law-related issues, we can help you. Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.
[1] Data Privacy Act, §4.
[2] National Privacy Commission, ADVISORY OPINION No. 2018-022 (30 April 2018).
[3] Implementing Rules and Regulations (“IRR”), §4.
[4] Data Privacy Act, §3(j).
[5] National Privacy Commission, ADVISORY OPINION No. 2017-010 (16 January 2017); National Privacy Commission, ADVISORY OPINION No. 2017-018 (21 April 2017).
[6] Data Privacy Act, §3(g).
[7] Data Privacy Act, §3(l).
[8] Data Privacy Act, §3(k).
[9] Data Privacy Act, §3(b).
[10] National Privacy Commission, ADVISORY OPINION No. 2017-007 (09 January 2017); National Privacy Commission, ADVISORY OPINION No. 2017-018 (21 April 2017); National Privacy Commission, ADVISORY OPINION No. 2017-042 (14 August 2017).
[11] Advisory Opinion No. 2017-007 (09 January 2017).
[12] Data Privacy Act, §11.
[13] IRR, §18, Rule IV.
[14] Ibid.
[15] Id.
[16] IRR, §3(f).
[17] IRR, §3(j).
[18] National Privacy Commission, ADVISORY OPINION No. 2017-010 (16 January 2017); National Privacy Commission, ADVISORY OPINION No. 2017-018 (21 April 2017).
[19] Id., note 17.
[20] IRR, §20(a).
