A Stronger Data Privacy Law Sought in Proposed Amendments

Amendments to Republic Act No. 10173, known as the Data Privacy Act of 2012 (DPA), are sought to strengthen the current law amid the digital transformation in the Philippines.

During the 55th Asia Pacific Privacy Authorities (APPA) Forum, Privacy Commissioner Raymund Enriquez Liboro said that the House of Representatives – Committee on Information and Communications Technology, has approved the substitute bill to amend the DPA last February 4, 2021.

Efforts to amend the DPA began in the last quarter of 2019. The substitute bill grants additional powers to the National Privacy Commission (NPC). It gives the authority to issue summons, subpoenas, contempt powers, and to impose administrative penalties.

“In the last five years, the National Privacy Commission has laid down data privacy in the Philippines with a clear roadmap. In our drive to become a data privacy resilient country, we have adopted a responsive regulatory approach characterized by raising awareness, strict compliance, and enforcing the law. To do this, we find a need to amend the current DPA to keep up with the changing times,” Commissioner Liboro said in his speech at the APPA 55, which was held virtually last June 16-18 and hosted by the Personal Information Protection Commission of Korea.

Other provisions of the substitute bill:

• Redefining “sensitive personal information” to include biometric and genetic data, and political affiliation, considering the innate sensitivity of these classes of personal data.
• Clarification on extraterritorial application of the DPA by specifying clear instances when processing personal data of Philippine citizens and/or residents is concerned. This ensures the end-to-end protection of data subjects’ information (i.e., offering of goods or services, or monitoring of behavior within the Philippines or when the entity has a link with the country), to which they are entitled under the DPA.
• Define the digital age of consent to process personal information to more than fifteen (15) years, applicable where information society services are provided and offered directly to 5th Floor Delegation Building, Philippine International Convention Center (PICC) Complex, Pasay City 1307 URL: http://privacy.gov.ph Email Add: [email protected] a child (as children more than 15 years old under Philippine laws may already act with discernment).
• Inclusion of performance of a contract as a new criterion of the lawful basis for processing of sensitive personal information.
• Allowing Personal Information Controllers (PICs) outside of the Philippines to authorize Personal Information Processors (PIPs) in the country to report data breaches to the Commission on behalf of the controller.
• Modifying criminal penalties under the DPA, giving the proper courts the option to impose either imprisonment or fine upon its sound judgment.

Shifting gears in new normal

Aside from the proposed amendments to the DPA, the NPC is set to introduce administrative fines to strengthen data privacy accountability and build data privacy resilience among PICs and PIPs.

The NPC presented in the Forum the Digital Identity, e-Commerce, and e-Governance in the Philippines and ASEAN, highlighting the Commission’s efforts in assisting the development of the law and its IRR to ensure the people’s right to privacy.

The NPC also presented its efforts to curb harmful handling of citizens’ personal data such as the Commission’s issuances and guidance to the public as part of the COVID-19 response and the Kabataang Digital, the NPC’s advocacy campaign promoting a safe online environment for the youth. Also discussed are the guidelines expressly prohibiting the harvesting of contact lists of borrowers for debt collection through harassment; guidelines promoting the use of videoconferencing technology or e-hearing to hear cases; and the amended Rules of Procedure to streamline the Commission’s complaints process.

“The NPC, despite the pandemic, has shifted gears and embraced the new normal of resolving data privacy complaints. We commenced Project Decongestion 2.0, refining our strategy in handling our case dockets clogged with thousands of individual complaints,” Commissioner Liboro said.

Designations from the following jurisdictions joined APPA 55: the NPC; Office of the Australian Information Commissioner; Office of the Information and Privacy Commissioner, British Columbia; Office of the Privacy Commissioner of Canada; Privacy Commissioner for Personal Data, Hong Kong, China; Personal Information Protection Commission, Japan; Personal Information Protection Commission, Republic of Korea; Korea Internet & Security Agency; Office for Personal Data Protection, Macao SAR, China; National Institute for Transparency, Access to Information and Personal Data Protection, Mexico; Office of the Privacy Commissioner, New Zealand; National Authority for Personal Data Protection of Peru; Office of the Information 5th Floor Delegation Building, Philippine International Convention Center (PICC) Complex, Pasay City 1307 URL: http://privacy.gov.ph Email Add: [email protected] Commissioner, Queensland; Personal Data Protection Commissioner, Singapore; Federal Trade Commission, United States; and Office of the Victorian Information Commissioner.

APPA is acknowledged as the principal forum for privacy and data protection authorities in the Asia Pacific region. Some of the topics at APPA 55 is about data protection measures as part of the response to COVID-19, privacy issues encountered in the new normal, updates on global privacy developments, and children’s privacy.

-END-