The Philippines’ first comprehensive data protection law, the Data Privacy Act of 2012 (the “Act“), took effect on 8 September 2012. The Act mandated the creation of a National Privacy Commission (“NPC“) to implement, enforce and monitor compliance with the Act, with one of its duties to promulgate rules and regulations to effectively implement the provisions of the Act. It was not until March 2016 that the NPC was officially formed, and soon after issued draft implementing rules and regulations of the Act (“IRRs“). Following a period of public consultation, the IRRs were finalised and formally promulgated on 24 August 2016 and will come into effect today, 9 September 2016.
The IRRs and their Impact
The IRRs will have a significant impact on business in the Philippines generally and on the Philippines’ IT and business process outsourcing (“IT/BPO“) industry – an industry reportedly worth over USD 20 billion in the Philippines and the largest contributor to the country’s GDP.
Indeed, one of the main drivers behind the Act was to bring the Philippines in line with international data protection standards to encourage investment and maintain the country’s position as a leading IT/BPO outsourcing destination. Importantly, the IRRs apply to both “personal information controllers” – those who control the processing of personal data, and “personal information processors” – those engaged by personal information controllers to process personal data on their behalf. This means that both customers that use data processing facilities in the Philippines and IT/BPO vendors themselves will need to comply. Personal information does not need to relate to Philippine residents in order to warrant protection.
The IRRs bring important clarifications to the position of multinational businesses with offshore call centres, business process outsourcing facilities and other offshore arrangements in the Philippines. These businesses will generally be personal information controllers within the meaning of the Act. Pursuant to the IRRs, personal information collected from foreign residents in accordance with their local laws will not be regulated under the Act, save that the Act’s requirements in relation to the implementation of security measures will continue to apply, both to the customer organization and to the service provider in the Philippines.
In addition to IT/BPO vendors and customers, the IRRs will impact businesses in banking and finance, tourism, retail and virtually any other industry that involves processing customer, employee and other personal information.
It is fair to say that the IRRs impose a fairly rigorous standard of data protection regulation, borrowing concepts from the recent overhaul of European data protection law and from South Korea, the Asia-Pacific region’s high-water mark. Examples of European inspired developments include a right to object to profiling, a right of data portability and a mandatory 72 hour data breach notification requirement. As is the case under South Korean data protection law, data sharing requires that data subjects be notified of the specific identity of data transferees when they consent to data sharing arrangements.
The IRRs permit a one-year period within which personal information controllers and processors are expected to register with the NPC data processing systems that process sensitive personal information of 1,000 data subjects or more. Any automated processing operations, where processing is the sole basis of making decisions that would significantly affect the data subject, will also need to be notified.
Some other notable features of the IRRs include:
- The scope of protected information: The IRRs seek to protect “personal information” meaning “any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”. Additional rules on processing and security apply in relation to sensitive personal information, which is defined broadly to include (among other things) information about an individual’s race, age, health, education and government issued information such as social security numbers and licenses. Uncommonly among other data protection regimes, the IRRs specifically protect “privileged information” meaning legally privileged communications such as client-attorney communications.
- Data protection principles: The IRRs recognise transparency, legitimate purpose, and proportionality as the key principles to be adhered to in the processing of personal information. Other principles include consent as the basis for collecting personal information, subject to certain exemptions; fair and lawful processing of personal information; the provision of information, in plain language, on the purpose and extent of processing; ensuring the accuracy and quality of personal information; implementing adequate safeguards in the processing and transmission of personal information; and non-retention of personal information. Critically, processing necessary for the personal information controller’s pursuit of its legitimate interests is an alternative to consent as a basis for processing, subject to Philippines citizen’s constitutional rights.
- Data sharing: The IRRs require that data subjects consent to any private sector data sharing. Consents must be accompanied by detailed disclosures to data subjects prior the sharing taking place, including the specific identities of personal information controllers and personal information processors with whom personal information will be shared. The IRRs specifically state that consent will be required for intra-group sharing arrangements. A form of data sharing agreement must be entered into, and these agreements will be reviewable by the NPC on its own motion or following a complaint by a data subject.
- Data protection officers: The IRRs require any person or body involved in the processing of personal information to designate an individual as data protection officer, compliance officer or otherwise accountable for ensuring the protection of data privacy and security. The contact details of that person should be provided to the NPC when registering personal data processing systems and made available to data subjects upon request.
- Outsourcing of data processing activities: Personal information controllers that engage personal information processors must use “contractual or other reasonable means” to ensure that proper safeguards are in place to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and otherwise comply with the law. The IRRs specify the types of clauses that are required in outsourcing contracts with personal information processors. This will require vendors and customers alike to review their standard form terms of service to ensure they align with the IRRs.
- Security measures: The IRRs set out the NPC’s expectations on security measures to be adopted in the processing of personal information, requiring that reasonable and appropriate organizational, physical and technical measures be put in place. Examples include the need for privacy in the physical design of office space, the ability to restore personal information in the event of an interruption, and encryption of personal information during storage, while in transit and during the authentication process. The NPC will monitor security measures adopted by companies involved in processing personal information, and will take account of the nature of the personal information, the risks posed by processing activities, the size of the organization, the complexity of its operations, current data privacy best practices and cost.
- Mandatory breach notification: Personal information controllers are required to notify the NPC and affected data subjects within 72 hours in the event of an acquisition by any unauthorized person of (i) sensitive personal information; or (ii) information that may be used to commit identity fraud. The threshold for notification is where the unauthorized acquisition is “likely to give rise to a real risk of serious harm to any affected data subject”.
- Penalties: The IRRs carry significant penalties for breach, demonstrating the seriousness with which instances of personal data breaches are to be regarded. Examples of such penalties include imprisonment of 1 to 3 years and a fine of up to Php 1 million (around USD 21,000) for unauthorized disclosure of personal information, and imprisonment for 3 to 6 years and a fine of Php 4 million (around USD 85,000) for processing sensitive personal information without the consent of the data subject.
- Data subject rights: Echoing some of the rights of EU data subjects under the new General Data Protection Regulation (“GDPR“), data subjects under the IRRs have the right to be informed about the processing of their personal information, which specifically includes the conduct of any profiling and automated decision-making; the right to object to processing of their personal information (including, it seems, the right to object to any profiling, whether or not there is a fully automated decision involved); rights of access and rectification of personal information; and the right to data portability (meaning that data subjects can obtain a copy of their personal information in a commonly used electronic or structured format so that it can easily be moved to a new controller, thus preventing customer “lock-in”).
Overall, the IRRs represent a significant development in data privacy regulation in the Philippines, and will affect multi-national businesses that use or provide services in or from the Philippines, as well as local vendors with data processing facilities in the Philippines. It is fair to say that the IRRs set one of the higher bars for compliance standards in the Asia-Pacific region, borrowing heavily from some of the more advanced data protection concepts found in Europe’s GDPR and some of the more stringent requirements emerging in South Korea in recent years. Businesses should look to conduct a review of their data processing activities and facilities in the Philippines, including their contractual arrangements with vendors, the adequacy of their physical and technical security measures, their data governance policies and their data subject notification and consent protocols. It is also important to note that the IRRs can apply to data processing that takes place outside the Philippines where the data relates to Philippine citizens or residents, or where the processing entity has links to the Philippines e.g. it has a branch or subsidiary in the Philippines.
For multi-national businesses, this type of review may form part of a group-wide project amidst a global shift towards enhanced regulation and heavier penalties in this area. But companies are reminded of the one-year deadline within which they are expected to notify the NPC unless, an extension is granted.