The Philippines’ Data Privacy Law and Regulations

The Philippines’ Data Privacy Law and Regulations

The Philippines passed Republic Act No. 10173 in 2012. Also known as the Data Privacy Act, the law protects individuals’ personal data in various information and communications systems in the public and private sectors.

The law also founded the National Privacy Commission (NPC), a body tasked to implement the Act’s provisions.

The law’s implementing rules and regulations (IRRs) came into effect on September 9, 2016, obliging all companies to comply. The law is meant to ensure companies’ adherence to international standards for data protection.

The Data Privacy Act is also intended to protect citizens from the unauthorized processing of personal information that is private and not publicly available. The Act covers “identifiable information” as well, wherein an individual’s identity can be determined through direct attribution, or when combined with other available information.


The need for data privacy

 The act is a necessity in a world that has swiftly gone digital over the past two decades. According to Amihan Global Strategies, a Makati-based strategic consulting company, an estimated 2.5 quintillion – equivalent to 2.5 billion – bytes of data were produced each day in 2014. This covers unprecedented knowledge about what individuals were reading, watching, posting, and listening to online.

At the national level, the country’s rapidly growing business process outsourcing and health information technology industries point to the need for laws governing data privacy. An article by Alex Wall in the International Association of Privacy Professionals (IAPP) states that Information technology (IT) spending amounted to $4.4 billion in 2016 and is expected to more than double by 2020.

Moreover, Philippine citizens are heavy social media users. About 42.1 million Filipinos use Facebook, 13 million use Twitter, while 3.5 million use LinkedIn.

The Philippines is also making free public Wi-Fi more widely available. This increased access to the internet means that more people will be making their personal information available online and – whether intentionally or not – to companies.

With the rapid growth of the digital economy and the pace at which data is being traded at the international level, the country has taken measures to strengthen privacy and security protections.


Scope and application

 RA 10173 is applicable to legal entities and individuals processing personal information. It has extraterritorial applications, meaning it not only applies to businesses with established offices in the country but also to Philippine-based equipment used for processing. Moreover, the law applies to the processing of the personal information of Filipino citizens regardless of where they live.

However, there are some exceptions. For one, the law doesn’t apply to the processing of personal information that has been lawfully collected from citizens of foreign jurisdictions. This exception is a boon for Philippine companies that offer cloud services.

The act mandates that the collection of personal data should have a legitimate and specified purpose. It also provides that consent is necessary prior to the collection of personal data.

When obtaining consent, individuals and legal entities must inform the data owner of the purpose and full extent of processing. It specifically mentions the automated processing of the owner’s data for purposes of profiling, direct marketing, and data sharing. Consent is also required when sharing the owner’s information with affiliates or mother companies.

The owner must give informed consent, and this consent must be put on record.

However, the processing of personal information doesn’t always necessitate consent. This tends to be the case when the owner is bound to a contractual agreement. Exceptions may also arise in order to protect the owner’s vital interests, and in case of a national emergency.

Exceptions are also allowed when processing is necessary for pursuing the data controller’s legitimate interests unless their interests are overridden by the owner’s fundamental rights and freedoms.


Read related post: Data privacy principles and data subject rights in the Philippines

Learn more about setting up a business in the Philippines. Contact FilePino today at +1.806.553.6552 (USA) or +63.917.8922337 (Philippines). You may also send your inquiries here.