Ra 10173 - Data Privacy Act of 2012
In 2012 the Philippines passed the Data Privacy Act of 2012, comprehensive and strict
privacy legislation “to protect the fundamental human right of privacy, of communication
while ensuring free flow of information to promote innovation and growth.” (Republic
Act No. 10173, Ch. 1, Sec. 2). This comprehensive privacy law also established a National
Privacy Commission that enforces and oversees it and is endowed with rulemaking power.
On September 9, 2016, the final implementing rules and regulations came into force,
adding specificity to the Privacy Act.
Approach
The Philippine law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”
Consent must be “freely given, specific, informed,” and the definition further requires that
consent to collection and processing be evidenced by recorded means. However,
processing does not always require consent.
Consent is not required for processing where the data subject is party to a contractual
agreement, for purposes of fulfilling that contract. The exceptions of compliance with a
legal obligation upon the data controller, protection of the vital interests of the data
subject, and response to a national emergency are also available.
An exception to consent is allowed where processing is necessary to pursue the legitimate
interests of the data controller, except where overridden by the fundamental rights and
freedoms of the data subject.
Required agreements
The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these agreements
are subject to review by the National Privacy Commission.
right is expressly limited by the fact that continued publication may be justified by
constitutional rights to freedom of speech, expression and other rights.
Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.
A right to data portability is also provided.
Requirement to notify
The law further provides that not all “personal data breaches” require notification, and
it sets out several bases for not notifying data subjects or the data protection authority.
Section 38 of the IRRs sets out the requirements for breach notification:
• The breached information must be sensitive personal information, or information that
could be used for identity fraud, and
• There is a reasonable belief that unauthorized acquisition has occurred, and
• The risk to the data subject is real, and
• The potential harm is serious.
The law provides that the Commission may determine that notification to data subjects is
unwarranted after taking into account the entity’s compliance with the Privacy Act, and
whether the acquisition was in good faith.
Notification contents
The contents of the notification must include at least:
• The nature of the breach;
• The personal data possibly involved;
• The measures taken by the entity to address the breach;
• The measures taken to reduce the harm or negative consequences of the breach;
• The representatives of the personal information controller, including their contact
details;
• Any assistance to be provided to the affected data subjects.
Penalties
The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for
unauthorized purposes, negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive personal information,
unauthorized disclosure, and malicious disclosure.
Any combination or series of acts may cause the entity to be subject to imprisonment
ranging from three to six years as well as a fine of approximately P500,000 to
P5,000,000.
Notably, the previously mentioned private right of action for damages would also apply.