Philippines - Final Rules and Regulations Implementing the Data Privacy Act Released, Taking Effect on 9 September 2016
Legal News & Analysis - Asia Pacific - Philippines - Regulatory & Compliance
16 September, 2016
On 25 August 2016, The National Privacy Commission ("NPC"), the agency tasked to implement and enforce the Data Privacy Act of 2012 (Republic Act No. 10173)[i], issued the implementing rules and regulations ("Rules") of said law. The Rules are a result of a series of public consultations held by the NPC beginning in June 2016 and of comments on the draft rules and position papers submitted to the NPC by various stakeholders such as representatives from banks, retail, education, research, health informatics, civil society, business process management, the migrant sector and government organizations.[ii] The Rules, which will take effect fifteen (15) days after publication or on 9 September 2016, are currently available at the NPC's website.[iii]
Scope and Application
The Rules reiterate, clarify, and enforce the general policy of the Data Privacy Act to protect the fundamental right of individuals to data privacy while at the same time, ensuring the free flow of information for national development.[iv] The Rules promote the general principles of transparency, legitimacy of purpose, and proportionality in processing personal information, by particularizing the requirements of the Data Privacy Act imposed on both personal information controllers and personal information processors who: (1) process personal information belong to Philippine citizens or residents; (2) established or located in the Philippines; or (3) has commercial links to the Philippines by contract or business
presence. Subject to the burden on an entity to prove the inapplicability of the Data Privacy Act to its processing activities, the processing of personal information originally collected from residents of foreign jurisdictions in accordance with the laws of the latter are exempt from the scope of the Rules. However, it appears that the exemption from the Data Privacy Act only refers to the collection of personal information belonging to foreign residents, while its further processing within the Philippines shall still be subject to the security requirements of the DPA and consequently, the Rules.
Registration and Compliance Requirements
In addition to the more general requirements of the DPA on the processing of personal information, the Rules impose several registration and compliance obligations on covered controllers and processors. The more important of these obligations are as follows:
Registration of Personal Data Processing Systems. Personal data processing systems operating in the Philippines that involve the processing of personal information belonging to at least 1,000 individuals shall be registered with the NPC.[v] Controllers or processors that employ less than 250 persons are generally exempt from the registration requirement, subject to certain conditions.[vi]
Reportorial Requirements. Personal information controllers are required to notify the NPC and affected data subjects of a data breach within 72 hours from the discovery thereof.[vii] In addition, covered entities shall also report to the NPC a summary of documented security incidents and data breaches on an annual basis,[viii] and also notify the commission when automated processing becomes the sole basis of making decisions about a data subject.[ix]
Nature of Consent of Data Subjects. The Rules clarify that in cases not exempt from the consent requirement, the data subject's consent to the personal information processing is time-bound in relation to the purpose of the of the processing.[x]
Minimum Security Requirements; Contents of Data Transfer Agreements between Controllers and Processors. The Rules enumerate the specific minimum organizational, physical, and technical requirements which controllers and processors are required to implement while processing personal information.[xi] These security standards are subject to periodic evaluation and updating by the NPC via subsequent issuances. The Rules also contain the minimum requirements as to the compliance provisions to be included in any data processing agreement between personal information controllers and its processors.[xii]
Failure to comply with the foregoing registration and compliance requirements, as well as the commission of any of the offenses punishable under the Data Privacy Act and the Rules, shall be meted out with penalties of imprisonment of up to six (6) years and/or fines of up to PhP5,000,000 (approximately US$107k). The NPC is also vested with quasi-judicial powers to adjudicate privacy complaints and award civil damages to private complainants, and with regulatory powers to impose on erring covered entities compliance and enforcement orders, cease and desist orders, ban on personal information processing, or payment of administrative fines.[xiii]
Actions to Consider
Clients are advised to evaluate the applicability and impact of the Rules to their respective organizations, and upon confirmation thereof, commence efforts in complying with the Data Privacy Act, specifically with regard to the Rules' registration and compliance requirements. Covered entities should also assess their respective current security measures vis-à-vis the minimum security standards of the Rules, including but not limited to educating personnel on data privacy legal requirements and best practices, with the ultimate objective of seamlessly complying with the Data Privacy Act and the Rules.
Covered entities are given a period of one (1) year from the effectivity of the Rules, or until 9 September 2017, within which to meet the registration requirement or request the NPC for an extension thereof. The NPC shall, by subsequent issuances, provide for the deadline for covered entities to comply with the minimum security measures enumerated under the Rules.[xiv]
[i] REPUBLIC ACT NO. 10173. AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES.
[ii] Privacy Act II Released - NPC to Educate Publci About Privacy, http://privacy.gov.ph/privacy-act-irr-released-npc-to-educate-public-about-privacy/, last accessed on 5 September 2016.
[iii] Implementing Rules and Regulations of Republic Act No. 10173, known as the " Data Privacy Act of 2012", http://privacy.gov.ph/wp- content/uploads/2016/08/10173-IRR-25-Aug-2016.pdf.
[iv] Section 2, Rule 1, Final Rules.
[v] Section 46 (a), Rule XI, Final Rules.
[vi] Section 47, Rule XI, Final Rules.
[vii] Section 38, Rule IX, Final Rules. [viii] Section 41, Rule IX, Final Rules. [ix] Section 48, Rule XI, Final Rules.
[x] Section 19, Rule IV, Final Rules.
[xi] Sections 25-29, Rule VI, Final Rules. [xii] Sections 26 (f), Rule VI, Final Rules. [xiii] Section 65, Rule XIII, Final Rules. [xiv] Section 67, Rule XIV, Final Rules.
For further information, please contact:
Bienvenido Marquez, Partner, Quisumbing Torres