The implementing rules and regulations for The Philippines’s Data Privacy Act (DPA) came into force almost a year ago. However, businesses are still feeling the effects of the new law as they grapple with the requirements to seek consent from the individuals and organisations whose data they want to collect. Philippine lawyers observe that businesses are busy revising their contracts to update data privacy information and that inability to get consent from data subjects is causing delays in operations.

The Act applies to individuals and organisations that process personal data and has extraterritorial application. It applies if the equipment used for processing is situated in the Philippines. Penalties for violations include a prison sentence of three to six years and a fine of $20,000 to $100,000. The goal for the National Privacy Commission is to ensure that organisations have the necessary data breach security measures, such as privacy impact assessments, and put in data policies.

A case that has attracted attention of the NPC is the Commission on Elections’s violation of the Data Privacy Act. The NPC decided on the prosecution of the chairman of the Commission on Elections as a result of the data breach which occurred in March 2016.

Cynthia del Castillo

“Considering that the DPA requires enacting and implementing comprehensive privacy and security policies containing organisational, physical, and technical security measures for data protection, covered entities have been constantly improving their company policies to ensure that they are meeting the requirements set forth by the DPA,” says Cynthia del Castillo, senior partner at Romulo Mabanta Buenaventura Sayoc & de los Angeles. “Employment contracts and other agreements have also been revised to ensure that proper consent has been given by individuals who are considered data subjects under the law.”

There is an extra registration requirement for processors and collectors of information with employees of over 250 by September 9. “If the organisation has less than 250 employees, unless they process sensitive information of over 1000 people or if the processing is not occasional or if they expose data subjects to rights and freedom risk, there is no need to register,” says Rose Marie King-Dominguez, partner at SyCip Salazar Hernandez & Gatmaitan.

Rose Marie King-Dominguez

“Businesses are figuring out who have the qualifications to be their data protection officers,” says King-Dominguez. “In addition to finding the appropriate people, organisations are also reviewing their policies and manuals. Data-heavy industries like telecommunications should be aware of and mitigate risks.”

Implementation challenges

One of the problem areas businesses are facing is the process of obtaining consent from employees and clients of covered entities. “The NPC interprets that under the DPA, it is absolutely necessary that the rights of data owners be protected and that their personal and sensitive data should never be shared with any third-party individual or corporate entity without explicit authorisation from the data owners,” says del Castillo. “Hence, companies are required to amend or supplement their existing contracts or agreements with clients and employees to ensure that consent be given before information is shared to third party service providers acting as personal information processors.”

One of the main challenges in the implementation of the DPA is the extraterritorial application of the law to covered entities holding personal information of Philippine citizens. “The DPA states that the law shall apply to the processing of personal data whether such act is done within or outside the Philippines, if the act, practice or processing relates to personal data about a Philippine citizen or resident,” explains de Castillo. “In case of violation of any of the provisions of the DPA, the NPC may encounter legal challenges regarding the extent of their regulatory function to those located abroad.”

Del Castillo says that because of the strict implementation of the DPA, delays in exchange of personal information, even among related parties, is expected to occur until concerned individuals have given their consent. Banks have also had difficulty obtaining consent from their clients to share personal information with their affiliated credit card companies and suppliers of ATM cards.

As the Philippines moves towards an increasingly digitised economy, organisations collecting data should ensure that they have data privacy policies and procedures in place. The NPC has a tough job of raising awareness and will need to make sure that it has enforcement measures against data breaches within and without of the Philippines.