The Data Privacy Act of 2012 (RA 10173)
I. Introduction and Legal Foundation
The Data Privacy Act of 2012 (Republic Act No. 10173) is the comprehensive legal framework governing data protection in the Philippines. It is premised on the state’s policy to protect the fundamental human right to privacy while ensuring the free flow of information for innovation, growth, and national development. The law gives effect to the constitutional right to privacy and aligns the country with international data protection standards, facilitating global commerce.
II. Governing Body and Administrative Issuances
The National Privacy Commission (NPC) is the independent body mandated to administer and implement the Act. Its quasi-legislative power allows it to issue implementing rules, regulations, and advisory opinions. Key issuances include the Implementing Rules and Regulations (IRR), various NPC Circulars and Advisories, and templates for registration and compliance. These administrative rules carry the force of law and are essential for day-to-day compliance.
III. Core Principles of Data Privacy
Processing of personal data must adhere to the following general principles: Transparency, Legitimate Purpose, and Proportionality. These are operationalized through specific obligations: personal data must be collected for declared, specified, and legitimate purposes; processed fairly and lawfully; accurate, relevant, and, where necessary, kept up to date; retained only for as long as necessary; and kept in a form which permits identification of data subjects for no longer than necessary.
IV. Key Definitions and Scope of Application
The Act applies to the processing of all types of personal information, sensitive personal information, and privileged information. A “personal information controller” (PIC) decides how personal data is processed, while a “personal information processor” (PIP) processes data on behalf of the PIC. “Processing” encompasses any operation performed on personal data, from collection to destruction. The law applies to entities organized under Philippine laws and those with links to the Philippines, such as those using equipment located in the country or processing data of Philippine citizens/residents.
V. Lawful Criteria for Processing
Processing is lawful only if at least one of the following conditions is met: consent of the data subject; necessity for the fulfillment of a contract; compliance with a legal obligation; protection of vitally important interests of the data subject; or necessity for the legitimate interests of the PIC or a third party, except where overridden by the fundamental rights of the data subject. For sensitive personal information and privileged information, stricter requirements apply, generally requiring the data subject’s consent, subject to specific statutory exceptions.
VI. Rights of the Data Subject
The Act enumerates eight rights empowering individuals: (1) Right to be informed; (2) Right to access; (3) Right to object; (4) Right to erasure or blocking; (5) Right to rectify; (6) Right to data portability; (7) Right to file a complaint; and (8) Right to damages. These rights are transmissible to the data subject’s heirs and assigns. A PIC must establish procedures to facilitate the exercise of these rights within mandated timeframes.
VII. Security Measures and Breach Management
PICs and PIPs are obligated to implement reasonable and appropriate organizational, physical, and technical measures to protect personal data. The security measures must be commensurate with the risk. In the event of a personal data breach likely to pose a real risk of serious harm, the PIC is mandated to notify the NPC and the affected data subjects within 72 hours of discovery. A prescribed breach management procedure, including containment, assessment, and documentation, must be followed.
VIII. Accountability and Cross-Border Data Transfer
The principle of accountability requires PICs to be responsible for personal data under their control and to demonstrate compliance. For cross-border transfers, personal information may only be transferred to a foreign country or international organization that ensures an adequate level of protection, subject to exemptions. These include consent of the data subject, necessity for the performance of a contract, or the use of prescribed contractual clauses or binding corporate rules authorized by the NPC.
IX. Practical Remedies
For businesses, primary remedies involve proactive compliance to avoid liability: conduct a privacy impact assessment to map data flows and identify risks; appoint a Data Protection Officer; develop and implement a privacy management program with written policies; maintain a record of data processing activities; implement privacy by design; and conduct regular employee training. In case of a breach, immediate activation of the breach response protocol is critical to mitigate harm and potential penalties.

For data subjects, remedies include filing an administrative complaint with the NPC, which can issue compliance or cease-and-desist orders, or initiate criminal prosecution. The data subject may also pursue an independent civil action for damages.

Criminal penalties under the Act include fines ranging from Php 500,000 to Php 5,000,000 and imprisonment from one year to seven years, with higher penalties for acts affecting sensitive personal information. The NPC also has the authority to impose administrative fines of up to Php 5,000,000 for violations.
