
Tinaja, Ronellie Marie P.

Tinaja 2 May 2019

JD4103 Legal Writing: Exercise # 6

The Data Privacy Act of 2012

Filipinos are heavy social media users. Millions of Filipino netizens are reported to have
personal accounts to be able to use various social networking sites such as Facebook, Twitter,
and Instagram. Moreover, the business process management and health information technology
industry has been growing in the Philippines. In 2016, the total IT spending reached $4.4 billion,
and by 2020, the sector is expected to more than double. Thus, the Philippines has
strengthened its privacy protection due to the rapid growth of the digital
economy, including the increase in international data trade.1

Republic Act No. 10173, otherwise known as the Data Privacy Act, embodies the policy of the State
to protect the fundamental human right of privacy of communication while ensuring the free flow of
information to promote innovation and growth. The State recognizes the vital role of information
and communications technology in nation-building and its inherent obligation to ensure that
personal information in information and communications systems in the government and in the
private sector is secured and protected.2 It is a law that seeks to protect all forms of
information, be it private, personal, or sensitive.3 It was passed in 2012, and on September 9,
2016, the final implementing rules and regulations came into force, adding specificity to the
Privacy Act.4

The Data Privacy Act applies to any natural or juridical persons involved in the
processing of personal information. It also covers those who, although not found or established
in the Philippines, use equipment located in the Philippines, or those who maintain an office,
branch, or agency in the Philippines.5 This includes acts done or practices engaged in, both in and
outside the country, if:

a. The natural or juridical person involved in the processing of personal data is found or
established in the Philippines;

b. The act, practice or processing relates to personal data about a Philippine citizen or
Philippine resident;

c. The processing of personal data is being done in the Philippines; or

1 Alex Wall, CIPP/E, CIPP/US, CIPM, FIP, Summary: Philippines Data Privacy Act and implementing regulations,
available at https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/
(last accessed May 1, 2019).
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the
Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for other
Purposes, [Data Privacy Act of 2012], Republic Act No. 10173, §2 (2011).
3 Data Privacy Philippines, available at
https://privacy.com.ph/learn-data-privacy-compliance/what-is-the-scope-of-the-data-privacy-act/
(last accessed May 1, 2019).
4 Id.
5 Data Privacy Act of 2012, §4.

d. The act, practice or processing of personal data is done or engaged in by an entity
with links to the Philippines, with due consideration to international law and comity, such
as, but not limited to, the following:

1. Use of equipment located in the country, or maintains an office, branch or
agency in the Philippines for processing of personal data;

2. A contract is entered in the Philippines;

3. A juridical entity unincorporated in the Philippines but has central management
and control in the country;

4. An entity that has a branch, agency, office or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity has access to personal data;

5. An entity that carries on business in the Philippines;

6. An entity that collects or holds personal data in the Philippines.6

In special cases, the Data Privacy Act does not apply, but only to the minimum extent of
collection, access, use, disclosure or other processing necessary to the purpose, function, or
activity concerned. Such cases include, among others: (a) information processed for the
purpose of allowing public access to information that falls within matters of public concern; (b)
personal information processed for journalistic, artistic or literary purposes, in order to
uphold freedom of speech, of expression, or of the press, subject to the requirements of other
applicable laws or regulations; (c) personal information that will be processed for research
purposes, intended for a public benefit, subject to the requirements of applicable laws,
regulations, or ethical standards; (d) information necessary in order to carry out the functions of
a public authority, in accordance with a constitutionally or statutorily mandated function pertaining
to law enforcement or regulatory function; (e) information necessary for banks, other financial
institutions under the jurisdiction of the independent, central monetary authority or Bangko
Sentral ng Pilipinas, and other bodies authorized by law; and (f) personal information originally
collected from residents of foreign jurisdictions in accordance with the laws of those foreign
jurisdictions.7 The law also extends protection to data subjects and to journalists and their
sources.

Personal information controllers and personal information processors shall implement
reasonable and appropriate organizational, physical, and technical security measures for the
protection of personal data. The personal information controller and personal information
processor shall take steps to ensure that any natural person acting under their authority and
who has access to personal data, does not process them except upon their instructions, or as
required by law.8

6 Implementing Rules and Regulations of the Data Privacy Act of 2012, §4 (2016).
7 Id., §5.
8 Id., §25.

Under the DPA, a personal information controller refers to a person, natural or juridical,
who controls the processing of personal information, including a person or organization who
instructs another to process personal information on his or her behalf. The term does not
include a person who performs such functions as instructed by the controller and any individual
who “collects, holds, processes or uses personal information in connection with the individual’s
personal, family or household affairs.” Meanwhile, a personal information processor refers to
any person “qualified to act as such to whom a personal information controller may outsource
the processing of personal data pertaining to a data subject.”9

The obligations of the Personal Information Controller under the Data Privacy Act
include the following:

In the processing of personal information, they shall: ensure implementation of personal
information processing principles (Sec. 11); process personal information only when lawfully
allowed (Sec. 12); and ensure that the personal information processor implements proper
safeguards to ensure the confidentiality of the personal information being processed, prevent
misuse and comply with laws and legal obligations involving the processing of personal
information on its behalf (Sec. 14).

With respect to data subjects, personal information controllers are obliged: to furnish to the data
subject any personal information relating to him or her (Sec. 16b); to provide their identity,
including name and address or through a representative as the personal information controller
(Sec. 16c); to provide a mechanism to correct any inaccuracies in the personal information
entered by the data subject and to allow access to the new and previous information (Sec.
16d); to inform any personal information processor about inaccuracies and to update their
records accordingly (Sec. 16d); to notify and order the blocking, removal or destruction of
personal information from the personal information controller’s system upon knowledge that the
personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized
purposes or is no longer necessary for the purposes for which it was collected (Sec. 16e); and
to provide a copy of any electronically processed personal information to the data subject
(Sec. 18).

In terms of security of personal information, they are obliged: to implement reasonable security and data
recovery measures to protect the data subject’s personal information (Sec. 20a-b); to ensure
that personal information processors implement the same security measures (Sec. 20d); to
ensure that their employees, agents and representatives hold the personal information under strict
confidentiality (Sec. 20e); and to notify the National Privacy Commission of any suspected or actual
data breach (Sec. 20f).

And in the Accountability for Transfer of Personal Information they are: to be
accountable for any processing of personal information under its control and those which have
been transferred to personal information processors (Sec. 21a); to designate a Data Privacy
Officer accountable for the compliance of the Data Privacy Act (Sec. 21b); obligations of
personal information controllers and personal information processors under the Data Protection
Laws.10

9 Disini & Disini Law Office, Controller v. Processor / Data Sharing v. Data Outsourcing, available at
https://privacy.com.ph/dndfeature/9599/ (last accessed May 1, 2019).
10 Ariel Conrad, Personal Information Controller – Obligations Under The Data Privacy Act, available at
https://www.privacyph.net/2018/06/06/personal-information-controller-obligations-under-the-data-privacy-act/
(last accessed May 2, 2019).
