Philippines

Summary

Law: The Data Privacy Act of 2012 (Republic Act No. 10173) (the Act)

Regulator: The National Privacy Commission (NPC)

Summary: On September 8, 2012, the Data Privacy Act of 2012 (Republic Act No. 10173) (the Act) became effective and is the first comprehensive data privacy law in the Philippines. The National Privacy Commission (NPC) was established in 2016 and supplemented the Act with the Implementing Rules and Regulations of Republic Act No. 10173 (IRR), which became enforceable on September 9, 2016. The IRR provides, in greater detail, the requirements that individuals and entities must comply with when processing personal data, as well as the sanctions for violations of the Act. The NPC has also released over 100 advisory opinions in response to queries on topics such as data breach management, notifications regarding automated decision-making, the designation of data protection officers, Privacy Impact Assessments, and access to personal data. The Philippines participates in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) system.

Insights

According to the 2023 Philippine Judiciary Annual Report, there are about 658,101 pending cases before the Supreme Court down to the lower courts. To support litigants, various laws were enacted to aid them in protecting their rights and defending their claims under the law. In the domain of data privacy, the Data Privacy Act of 2012 (the Act) permits the processing of sensitive and privileged personal information if it is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, for the establishment, exercise, or defense of legal claims, or when provided to the Government or a public authority.

Pursuant to its rule-making authority, the National Privacy Commission (NPC) issued Advisory No. 2024-02, entitled Guidelines on Personal Data Processing Based on Section 13(f) of the Data Privacy Act (the Advisory). The Advisory clarifies the application of Section 13(f) of the Act to enable Personal Information Controllers (PICs) to properly rely on this basis for the processing of personal data. Notably, according to the Advisory, it is not the Act's intention to grant a blanket exemption to public authorities, but rather to strike a balance between the need for public authorities to process personal data pursuant to their functions and mandates, on the one hand, and the need to safeguard the rights and interests of data subjects, on the other.

In this Insight article, Edsel F. Tupaz and Julia Antoinette S. Unarce, of Gorriceta Africa Cauton & Saavedra, discuss the key points under the Guidelines and how to ensure compliance with the provisions regarding lawful bases for processing.

The Philippines is preparing for a quantum leap in artificial intelligence (AI) adoption with the launch of the National AI Strategy Roadmap 2.0 (NAISR 2.0). Announced publicly on July 3, 2024, by the Department of Trade and Industry (DTI), and supported by the Asian Development Bank and a legislative mandate from the Tatak Pinoy Act (Republic Act No. 11981), this updated roadmap aims to position the country as a regional AI powerhouse fostering innovation and sustainable economic growth. For businesses and stakeholders keen on staying ahead of the curve, understanding the nuances between the 2021 NAISR (NAISR 1.0) and NAISR 2.0 is key to understanding the upcoming legislative and regulatory landscape in the Philippines.

In this Insight article, Edsel F. Tupaz and Danica Anne S. Escobiñas, from Gorriceta Africa Cauton & Saavedra, take a deep dive into the NAISR 2.0, its interplay with other privacy laws, and the impact it may have on development in the Philippines.

The National Privacy Commission (NPC) issued NPC Circular No. 2024-02, entitled Closed-Circuit Television (CCTV) Systems (the Circular), on August 9, 2024. It notes the previously issued NPC Advisory No. 2020-04, entitled Guidelines on the Use of Closed-Circuit Television (CCTV) Systems, and recognizes the need to provide an updated policy in relation to the use of CCTV systems due to the continuously evolving nature of technology concerning CCTV systems. Thus, the NPC has provided guidelines to assist all personal information controllers (PICs) and personal information processors (PIPs) in navigating the emerging privacy risks arising from the use of CCTV systems.

In this Insight article, Edsel F. Tupaz and Luis Teodoro B. Pascua, from Gorriceta Africa Cauton & Saavedra, highlight salient changes in the NPC's policy since its NPC Advisory No. 2020-04 and discuss the practical implications arising from notable changes.

The National Privacy Commission (NPC) issued NPC Circular No. 2024-01 (the Circular) on January 26, 2024, entitled Amendments to Certain Provisions of the 2021 Rules of Procedure of the National Privacy Commission (the 2021 NPC Rules of Procedure).

Edsel F. Tupaz, Senior Partner at Gorriceta Africa Cauton & Saavedra and Lead of the firm's Data Privacy, Cybersecurity, and AI Initiatives practice group, discusses the salient amendments under the Circular and their practical implications for Personal Information Controllers (PICs). In particular, Edsel breaks down and describes the practical import of the amended provisions found in the new procedure of the National Privacy Commission for compliance checks, alternative dispute resolutions (ADR), and decisions.

The National Privacy Commission (NPC) issued the NPC Circular No. 2023-07 (the Circular) on December 13, 2023. This Circular is entitled Guidelines on Legitimate Interest and seeks to clarify the framework within which a personal information controller (PIC) may establish legitimate interest as a basis for processing personal data. The Circular is not meant to introduce any new basis for processing personal information; rather, it seeks to clarify concepts and requirements of legitimate interest, which is a lawful basis for processing personal information under Philippine privacy laws. Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, walks through these guidelines and their implications for PICs.

The Circular should be read alongside part one and part two of the series on the NPC Guidelines on Consent, which comprise important tool kits for PICs and personal information processors that process the personal data of Philippine data subjects.  

Since the release of the National Privacy Commission (NPC) Circular No. 2023-04 (the Circular) and the Guidelines on Consent, privacy practitioners and businesses have scurried to review and revise their privacy notices. Part one of this series addressed the implications the Circular had on the ways in which personal information controllers (PICs) obtain the consent of data subjects. In this second part, Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, continues with a discussion on the Circular's rules for PICs on using continued use of service as a stand-in for written consent, the documentation of consent, obtaining consent for direct marketing, data sharing, and automated profiling systems. Edsel concludes with some strategies for webmasters and app developers to enhance their products' compliance with the Circular. 

In today's digital landscape, consent is a cornerstone of effective privacy management and a critical safeguard for the rights of data subjects. In the Philippines, the National Privacy Commission (NPC) released the NPC Circular No. 2023-04 (the Circular) on November 7, 2023, providing guidelines on the use of consent as a lawful basis for data processing, ensuring compliance by affected personal information controllers (PICs), and prohibiting, among others, the use of deceptive design patterns. On the same date, the NPC issued Advisory No. 2023-01 (the Advisory), which comprises the Guidelines on Deceptive Design Patterns. Both the Circular and the Advisory make references to each other and must be read together.

In this Insight Article, Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, discusses the more salient, practical implications of the Circular and the Advisory on affected PICs. He focuses on the Circular's impact on existing mechanisms for privacy notices, timing of consent, withdrawal of consent, and level of granularity, as well as underscoring the use of the 'average member of the target audience' standard, prohibitions against deceptive design patterns, and the compliance period. 

The National Privacy Commission ('NPC'), the Philippine agency tasked to implement the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), recently issued Circular No. 2022-04 ('the Circular') which took effect on 11 January 2023. The Circular prescribes guidelines for the registration of personal data processing systems, notification regarding automated decision-making or profiling, and designation of data protection officers ('DPOs').

In this Insight article, Mary Thel Mundin, Dwight Garvy Tan, and Maria Angelica Torio, from Gatmaytan Yap Patacsil Gutierrez & Protacio (C&G Law), discuss the Circular's provisions regarding registration requirements for DPOs, how and when to register, automated decision-making and profiling, as well as penalties.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due in part to their capacity to understand the consequences of providing their information and the potential risks associated with its use or misuse. In part two of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from New Zealand, the Philippines, and Singapore.

For insight into handling children's personal data in Australia, China, India, and Japan, please see part one here.

For many organisations, the first step towards compliance in a jurisdiction may involve ensuring that their online presence is in line with any locally applicable rules and regulations. OneTrust DataGuidance provides an overview of online privacy in the Philippines, with a focus on relevant topics such as cookies, emarketing, and privacy policies.

Ten years after the implementation of the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), and six years after the creation of the National Privacy Commission ('NPC') through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRRs'), the ambiguity of the Act on the treatment of foreign persons' personal data has been clarified to some extent. OneTrust DataGuidance provides an analysis of the treatment of foreign persons' personal data under the Act featuring insights from JJ Disini, Managing Partner at Disini & Disini Law Office.