A new law which focuses on the processing of an individual's personal information was approved by the President of the Philippines on August 15 2012. The Data Privacy Act of 2012 (Republic Act No 10173, full title An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose A National Privacy Commission, and for Other Purposes) took effect on September 8 2012. A violation of this law is a crime, and penalties imposed include fines and imprisonment (see Chapter VIII of the Act).
The Data Privacy Act 'applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines' (section 4, para 1). The general rule is that the processing of personal information is allowed if the individual has given his consent (s 12(a)).
Personal information is 'any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual' (s 3(g)). Processing is 'any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data' (s 3(j)).
The citizenship or residence of the data subject is an important factor in determining whether the Data Privacy Act applies. For example, the law will have extra-territorial application, even if processing of personal information was done offshore, in the case wherre personal data pertained to Philippine citizens or residents and the processor has a link with the Philippines (s 6(b)). On the other hand, personal data collected from non-Philippine residents but processed in the Philippines are excluded from the coverage of this law (s 4, para 2(g)).
Implementing rules and regulations of the Data Privacy Act will be issued by the National Privacy Commission, which was created under section 7 of the law.
Hiyasmin H Lapitan
© 2021 Euromoney Institutional Investor PLC. For help please see our FAQs.