Expert name: Rose Marie M. King-Dominguez
Expert position: Partner

Expert presentation: Rose Marie M. King-Dominguez specializes in telecommunications, media and technology, investments, M&A, and business law. She regularly advises clients in various industries on privacy and protection issues as well as on telecommunications, media, and technology matters. She has extensive M&A experience in various industries.

PrivacyRules Country Overview: Privacy and Data Protection in the Philippines

Contact details: Email: [email protected] Phone number: +632 8982 3500 Fax: +632 8817 3145

Headquarters: 3491 Forestoak Court Cincinnati, Ohio 45208, United States of America Website: www.privacyrules.com Email: [email protected] All rights reserved 2016/2020

Expert name: Franco Aristotle G. Larcina
Expert position: Partner

Expert presentation: Franco Aristotle G. Larcina specializes in investments, mergers and acquisitions (particularly in industries with FDI and nationality restrictions and in listed and public corporations). He has expertise in competition law, securities regulations, and telecommunications, media, and


Q: Are privacy and data protection recognised by the Constitution / Fundamental Rights Bill? A: Yes, privacy and data protection are recognized by the 1987 Philippine Constitution (Article 3, Sections 2 and 3(1)). The Philippines is also a signatory to the Universal Declaration of Human Rights.

Q: Is there primary legislation on privacy, data protection, cybersecurity, cybercrime, cyberterrorism? A: The following are the primary legislation on privacy, data protection, cybersecurity, cybercrime, and cyberterrorism:

• Republic Act No. 10175 (2012) or the “Cybercrime Prevention Act of 2012”; and
• Republic Act No. 10173 (2012) or the “Philippine Data Privacy Act of 2012”

Q: What are the fields of law closely related to privacy and data protection that are regulated in the Philippine jurisdiction? (e.g. e-commerce, telecommunications, media, intellectual property, etc.). A: Telecommunications, media, technology, e-commerce, and intellectual property are the main fields of law closely related to privacy and data protection that are regulated in the Philippine jurisdiction. Other regulated fields of law that may also relate to privacy and data protection include labor and employment, banking and regulation of financial services, and medical law.

Q: What are the key definitions in the field of data protection (e.g. Personal Data, Sensitive Data, Data Processing, Data Controller, Data Subject, Pseudonymised Data, Anonymised Data, Processing or any other definition)? A: The following key definitions and concepts in the field of data protection may be found in the Data Privacy Act of 2012:

• Personal information – any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
• Sensitive personal information – refers to any personal information:
i. about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
ii. about an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
iii. issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
iv. specifically established by an executive order or a law to be kept classified.
• Personal data – refers to all types of personal information.
• Processing – any operation or any set of operations performed upon personal data, including but not limited to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
• Personal information controller – a natural or juridical person who controls the processing of personal data, or instructs another to process personal data on its behalf.
• Personal information processor – any natural or juridical person to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
• Pseudonymized data or anonymized data – Philippine data protection legislation does not contain definitions for “pseudonymized data” or “anonymized data”, but the Philippine National Privacy Commission has, in its issuances, determined how to identify when data is “pseudonymized” or “anonymized”, following the GDPR (please see our response below).
• – the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.

Q: In particular, is there a distinction between identifiable, pseudonymised and anonymised data and if so, how are they regulated? A: Yes. Personally identifiable information is considered “personal information” and its collection and processing must meet the requirements of the Data Privacy Act of 2012. Collection and processing of personal information requires a lawful criterion, such as consent of the data subject. The personal information controller and processor are also required to implement appropriate organizational, technical, and physical security measures to ensure adequate protection of the personal information.


Although the law does not define “pseudonymised data”, the National Privacy Commission, in an issuance, describes “pseudonymization” as a process that “consists of replacing one attribute (typically a unique attribute) in a record by another” and that “lessens the risks.” Nevertheless, the National Privacy Commission still considers personal data which have undergone pseudonymization to be personal data and, therefore, the requirements for their collection and processing remain the same.

The National Privacy Commission considers information as “anonymous” when such information “does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” “Anonymized data” is not considered as “personal data” and does not fall within the purview of the Data Privacy Act of 2012. Collection and processing of “anonymized data” will not be subject to the requirements of the law.

Q: Is there a national Data Protection Authority? A: Yes, the Philippines has a National Privacy Commission that implements the Philippine Data Privacy Act of 2012.

Q: Which national judicial authorities are competent on privacy and data protection related matters? A: The following judicial authorities are generally competent on privacy and data protection related matters:

• Regional Trial Courts;
• Court of Appeals; and
• Supreme Court

Q: Is there a one-stop-shop mechanism in place? A: The National Privacy Commission will principally handle complaints for violations of the Data Privacy Act of 2012. The National Privacy Commission cannot prosecute criminal offenses on its own and can only recommend their prosecution, after conducting its own investigation, to the office of the prosecutor, which has the obligation to file a criminal case in court. The National Privacy Commission, however, may impose administrative fines and penalties, which could include the imposition of damages, and the issuance of enforcement and compliance orders, cease and desist orders, or a temporary or permanent ban on the processing of personal data. Decisions of the National Privacy Commission may be appealed to the proper courts.

Q: What are the main enforcement measures? A: The main enforcement measures in the Philippines for non-compliance with the requirements of the Data Privacy Act of 2012 are the National Privacy Commission’s authority to impose administrative fines and penalties, which could include the imposition of damages, and the issuance of enforcement and compliance orders, cease and desist orders, or a temporary or permanent ban on the processing of personal data. Certain acts in violation of the Data Privacy Act of 2012 can be sanctioned by criminal (i.e., imprisonment) and/or civil (i.e., payment of fines and damages) penalties.

Q: What are the actual main sanctions? A: The Data Privacy Act of 2012 sets out the specific acts that constitute violations and are punishable, such as processing of personal data without consent, intentional or negligent concealment of a data breach, or unauthorized disclosure of personal data. In general, the range of possible penalties includes imprisonment of at least 18 months up to 7 years and payment of fines ranging from at least PhP100,000 to PhP5 million.

Q: Is there a supra-national applicable legal framework? If the answer is positive, is it binding and to what extent? A: There is no supra-national legal framework specific to data privacy, but the Philippines is a participant in the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Enforcement Arrangement (CPEA). The CPEA is a multilateral agreement which allows Privacy Enforcement Authorities (e.g., the National Privacy Commission and other similar government authorities) in the APEC region to cooperate in cross-border enforcement of privacy laws while adhering to a set of guiding principles laid out in the APEC Cross Border Privacy Rules.


Q: Does any foreign authority have jurisdiction on privacy and data protection matters for citizens of the Philippines? If the answer is positive, do they have executive or advisory authority? A: No. In the Philippines, the National Privacy Commission has original and exclusive jurisdiction on privacy and data protection matters for Philippine citizens.

Q: Are there e-discovery or disclosure duties pursuant to a request from a foreign Law Enforcement Agency? A: Philippine legislation, including the Data Privacy Act of 2012 and the Cybercrime Prevention Act, does not contain provisions related to e-discovery or disclosure duties pursuant to a request from a foreign law enforcement agency. Nevertheless, the National Privacy Commission has the function of ensuring proper and effective coordination with data privacy regulators in other countries and private accountability agents, and of participating in international and regional initiatives for data privacy protection. In this regard, although there is no duty, the National Privacy Commission may decide to issue enforcement or compliance orders to Philippine entities in response to a request for information regarding a data privacy matter coming from a foreign regulatory authority, e.g., requests from APEC countries pursuant to the CPEA.

Q: Are privacy-by-design and privacy-by-default mandatory? A: No, privacy-by-design and privacy-by-default are not mandatory in the Philippines. The National Privacy Commission, however, encourages the adoption of these principles.

Q: Are data protection officers (DPOs) foreseen by law and if so, to what extent? A: Yes, personal information controllers and processors are required to designate an individual who shall function as its data protection officer, who will be accountable for ensuring compliance with applicable laws and regulations for data protection and security.

Q: Are data protection impact assessments (DPIAs) mandatory and if so, to what extent? A: Yes. Personal information controllers and processors are required to conduct a privacy impact assessment as part of the organizational security measures that must be implemented. Under the Data Privacy Act, a privacy impact assessment is a process to evaluate and manage impacts on privacy of a particular program, project, process, measure, system or technology product. It takes into account the nature of the personal data to be protected, the personal data flow, the risks to privacy and security posed by the processing, current data privacy best practices, the cost of security implementation, and, where applicable, the size of the organization, its resources, and the complexity of its operations. The National Privacy Commission requires the privacy impact assessment to be conducted at least on an annual basis.

Q: Is there any obligation to register databases and if so, to what extent? A: No, there is no requirement to register databases. However, personal information controllers and processors are required to register their “Data Processing Systems” operating in the Philippines with the National Privacy Commission if they have at least 250 employees in the Philippines. If they have fewer than 250 employees, they do not need to register unless the processing conducted is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least 1,000 individuals.

Q: Are definitions like controller, processor, regulator clearly defined and identifiable within the Philippine regulatory framework? A: Yes, please see our responses above.

Q: Are there obligations to adopt reasonable technical, physical and organizational measures to protect the security of sensitive personal information and if so, to what extent? A: Yes, personal information controllers and processors are required to implement appropriate organizational, physical, and technical security measures. These security measures must maintain the availability, integrity, and confidentiality of personal data and should ensure the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. These measures must be implemented to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.


Organizational security measures include, but are not limited to:

• Creation and implementation of a data protection policy/manual;
• Management of human resources – non-disclosure agreements, training, and capacity building; and
• Regular review and monitoring of privacy and security policies

Physical security measures include, but are not limited to:

• Design of office space and work stations, including the physical arrangement of furniture and equipment that ensure privacy; and
• Limiting access to records and work stations

Technical security measures include, but are not limited to:

• Security policy system monitoring; and
• Encryption and authentication process

Q: Are there security breach notification requirements and if so, to what extent? A: Yes, personal information controllers are required to notify the National Privacy Commission and the affected data subjects within 72 hours upon knowledge of, or when there is reasonable belief that, a personal data breach has occurred and is likely to give rise to a real risk of serious harm to any affected data subject. Depending on the nature of the incident, or if there is delay or failure to notify, the National Privacy Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.

Q: Can authorities access large amounts of data and/or specific data without a court or prosecutor’s order? A: No, access to large amounts of data and/or specific data can only be obtained by authorities if there is a lawful court order or a subpoena validly issued by a competent quasi-judicial body.

Q: Are there specific kinds of data covered by stronger provisions on legal protection (e.g. children data, etc.)? A: Yes, there are special categories of personal data that enjoy stronger legal protection under the Data Privacy Act of 2012, such as “sensitive personal information” (please see the definition above) and “privileged information”. “Privileged information” refers to that information which under the Rules of Court and other pertinent legislation constitutes privileged communication, e.g., communication covered by attorney-client privilege.

Q: Is there a specific regulation for the collection of data? A: Yes, there is a specific regulation for the collection of personal data in the Philippines. The Data Privacy Act of 2012 expressly requires that, in order to first collect and process, and then use or share, personal data, the personal information controller or processor must have a lawful criterion or basis for processing, such as consent. There are instances, however, when other criteria for lawful processing are present and the processing of personal information is allowed even without consent, e.g., when done for the protection of the life or health of the data subject, in fulfilment of a contractual obligation, or in pursuit of legitimate interests. The personal information controller or processor is also required to disclose certain information to the data subject prior to or reasonably after the collection of personal data, such as the nature, extent, and purpose of the collection and processing of their personal data.

Q: Is it possible to use personal data for electronic marketing purposes and if so, to what extent? A: Yes, provided there is an appropriate lawful criterion for the use of the data, such as consent of the data subject, and relevant rules are observed (e.g., if information used for marketing by a controller was obtained from another controller, a data sharing agreement between the two controllers needs to be in place).

Q: Is transfer of data outside the Philippine jurisdiction regulated? A: Generally, transfers of personal data outside of the Philippines are not regulated.

Q: Can individuals access their data and request their correction or deletion? A: Yes, the Data Privacy Act of 2012 guarantees the right of data subjects to reasonable access to their personal data upon demand. They also have the right to dispute any inaccuracy or error in the personal data held by the personal information controller and to request its immediate correction. Data subjects also have the right to suspend, withdraw, or order the blocking, removal, destruction, or deletion of their personal data from the personal information controller’s filing system.

Q: How can individuals exercise their privacy rights? A: An individual must first file a written request with the personal information controller. If the personal information controller does not respond within 15 days, or if there is no timely or appropriate action on the request, the individual may file a complaint with the National Privacy Commission. The decisions of the National Privacy Commission may be appealed to the proper courts.

Q: Are there associations entitled to advocate privacy and data protection rights? A: No, there are no associations that are specifically entitled to advocate privacy and data protection rights in the Philippines. Individuals may enforce their privacy and data protection rights through the National Privacy Commission. Persons are free to establish associations for lawful purposes.

Q: Is access to data regulated according to specific and detailed legal acts stating legal requirements to exercise the right to access, e.g. timeframe, identity and categories of legitimate applicant, templates for various forms of request, obligations of the requested entity etc.? A: No, there are no specific and detailed legal requirements to exercise the right to access under the Data Privacy Act of 2012. Personal information controllers and processors are required to develop, implement, and review policies and procedures for data subjects to exercise their rights under the Data Privacy Act of 2012 as part of the implementation of organizational security measures.
