Recently, the National Privacy Commission (the “Commission”) of the Philippines published the final text of its Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “IRR”). The IRR has a promulgation date of August 24, 2016, and went into effect 15 days after the publication in the official Gazette.
We previously reported on the preceding draft text of the IRR. There are several points of interest that were resolved in the final text, which presents a more practical framework than had been proposed in the draft IRR. Any changes to the final IRR will require a regulatory amendment by the Commission rather than an act of the legislature.
Some points of interest that have been resolved or finalized include the following:
- The IRR has two separate defined terms, “personal data” and “personal information,” but the potential discrepancy between the two terms has been resolved. “Personal information” refers to information which can identify a particular individual, and is consistent with the definition provided in the statute. “Personal data” is defined as all types of “personal information,” which presumably includes both “ordinary” personal information and sensitive personal information.
- The draft IRR had used the term “personal data” to describe “personal information” that has been input into an information and communication system, which would mean “personal information” that has been digitally and electronically formatted. This definition no longer appears in the final IRR. In addition, the terms “personal information” and “personal data” are now used more consistently in relation to their definitions. This may result in less ambiguity and a lower prospect of confusion from the use of the two terms.
- The final IRR has now been made consistent with a provision in the original statute which stated that the Data Privacy Act would not apply to personal information collected in a foreign jurisdiction (in compliance with the laws or rules of that jurisdiction) which is being processed in the Philippines. The draft IRR had provided that, in such instances, the data privacy laws of the foreign jurisdiction would apply in relation to the collection of personal information, while the Philippine Data Privacy Act would apply to processing that takes place within the Philippines. This would have entailed a complex analysis as to where collection-related obligations under the foreign jurisdiction end and where processing-related obligations under Philippine law begin, and how the two sets of legal obligations might intersect.
- The final IRR requires that, even where personal information has been collected in a foreign jurisdiction for processing in the Philippines, the Philippine requirements to implement information security measures will still apply. This will impose some security-related costs on that portion of the information-processing operations that take place within the Philippines.
- The final IRR requires that sharing of personal data in the private sector proceeds according to a data sharing agreement. The data sharing agreement may be subject to review by the Commission on its own initiative or following a complaint of a data subject. The draft IRR might have been interpreted to require review by the Commission in all instances, which would have imposed a substantial burden on all sharing of personal data, as well as a burden on the resources of the Commission itself.
- The final IRR sets forth rules on the internal organizational operations and structure of personal information controllers, such as requirements to (1) appoint a privacy officer, (2) maintain records of processing activities, (3) implement physical security measures and technical security measures, and (4) carry out regulator monitoring for security breaches. However, these obligations only apply “where appropriate.” The draft IRR might have been interpreted to require compliance in all instances. Where and when these potentially complicated requirements will be “appropriate” will depend on a number of factors, including the nature of personal data, the risks posed by the processing, the size and complexity of the organization and its operations, current best practices and cost of security implementation.
- The final IRR gives the data subject an additional right to object or withhold consent to processing. This appears to be a new right that did not appear in the original text of the statute. This right is substantially retained from the draft IRR, with changes to specifically allow the data subject to object to processing for direct marketing, automated processing or profiling.
- The final IRR provides more clarity on the notification requirements in connection with to a data breach. Individuals must be notified of data breaches only when both (1) sensitive personal information or information that may be used to enable identity fraud are involved; and (2) the personal information controller believes that the breach is likely to pose a real risk of serious harm to any affected data subject.
- If the notification requirement does apply, the notification must be made within 72 hours, though notification may be delayed in certain limited circumstances. The final IRR stipulate the categories of content that must appear in the notification.
- The requirement under the draft IRR to notify affected individuals in the event of any breach that involves personal, sensitive or privileged information has been removed. That had been a material expansion of the circumstances under which a breach notification had to be made. By removing this requirement, the final IRR keeps the notification requirement within a relatively restricted range of circumstances. However, written reports of security incidents and personal data breaches have to be prepared and a summary has to be provided to the Commission on an annual basis. This amounts to a less onerous notification obligation.
- In summary, the data breach notification requirement is now more clearly subject to a “risk-based approach” (i.e., the requirement to notify does not arise automatically, but arises instead on a case-by-case basis depending on an evaluation of the risk involved). Only data breaches that involve higher levels of risk must be notified.
- The final IRR has requirements to register data processing operations and to notify the Commission of automated processing operations, but these now apply only in particular circumstances. The requirement to register with the Philippine data protection authority only applies to processing by personal information controllers and processors which employ 250 or more persons, or to processing that involves risk to the rights and freedoms of data subjects, takes place more than occasionally, or involves more than a de minimis amount (at least 1,000 individuals) of sensitive personal information. The requirement to notify individuals of data processing only applies to processing that is the sole basis of decision making that would significantly affect the data subject.
- The draft IRR required both universal registration and notification. This would have both increased the burden of processing data and contrasted with the international trend (i.e., the new EU General Data Protection Regulation, which modifies the registration requirements of the previous EU Data Protection Directive).
- In relation to the accountability principle, the final IRR makes generalized references to the possibility of indemnification on the basis of applicable provisions of Philippine civil law and criminal liability. The final IRR now avoids the discussion of the potential for joint liability, along with the personal information controller, on the part of personal information processors, privacy officers, employees and agents, which had appeared in the draft IRR.
The following additional items are worth noting:
- The requirements in the final IRR to notify data subjects (at the time of the collection of their personal information) now include an obligation to provide “meaningful information” about the “logic” that will be involved in processing personal information. Requiring that this be done for each and every instance in which personal information is to be collected and processed, and in a way that would satisfy a regulatory authority and the lawyer drafting the notice, is challenging.
- The final IRR contains a provision stating that personal data may not be retained in perpetuity in contemplation of a future use yet to be determined. This may have potential to impair the processing of “big data” in the Philippines.
- The draft IRR had established a right of data portability. The final IRR seems to restrict the applicability of this right, by making it apply only where the data subject’s personal information is processed by electronic means and in a structured and commonly-used format. This would seem to enable data processors and controllers to avoid an obligation to comply with this right, by processing personal data using unstructured or unusual formats.
- The draft IRR had prohibited the processing of privileged information (i.e., private communications made between an individual and his or her lawyer in preparation for litigation), unless the same requirements applicable to the processing of sensitive personal information had been satisfied. While this provision may be potentially problematic, the final IRR mitigates this by providing an exception for uses of privileged information in the context of court proceedings, legal claims and constitutional or statutory mandates. It is not clear if this exception will be adequate to cover all possible situations where an exception will be needed, but further amendments to the IRR could be made to address any shortcomings.
- In relation to the accountability principle, the final IRR discusses the idea of liability, but does not discuss other aspects of the principle. In particular, the final IRR does not establish rules by which a personal information controller might establish that it observes good internal data handling practices and demonstrates that they comply with applicable standards, or by which the Commission would require production and review of these practices against its standards. The final IRR also does not discuss how to apply the accountability principle in the context of cross-border data transfers; while a provision of the IRR discusses data sharing, it does not appear to describe what a company must do to share data internationally in accordance with the IRR.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code