Data Privacy Act
*Quoting the dissent of Justice Douglas in Public Utilities Commission v. Pollak, 343 U.S. 451, 467 (1952).
**Quoting the dissent of Justice Brandeis in Olmstead v. United States, 277 U.S. 438, 478 (1928).
THE RIGHT TO PRIVACY
The right of the people to be secure in their persons, houses, papers, and
effects against unreasonable searches and seizures of whatever nature and
for any purpose shall be inviolable, and no search warrant or warrant of
arrest shall issue except upon probable cause to be determined personally
by the judge after examination under oath or affirmation of the
complainant and the witnesses he may produce, and particularly describing
the place to be searched and the persons or things to be seized.
(Sec. 2, Bill of Rights, 1987 Constitution)
The right of the people, including those employed in the public and
private sectors, to form unions, associations, or societies for purposes
not contrary to law shall not be abridged.
(Sec. 8, Bill of Rights, 1987 Constitution)
REASONABLE EXPECTATION OF PRIVACY
Two-part test:
(1) whether, by his conduct, the individual has exhibited an expectation
of privacy (subjective); and
(2) this expectation is one that society recognizes as reasonable
(objective).
(Ople v. Torres, G.R. No. 127685, July 23, 1998)
Before one can have an expectation of privacy in his or her OSN activity, it is first
necessary that said user. . . manifest the intention to keep certain posts private, through
the employment of measures to prevent access thereto or to limit its visibility. And this
intention can materialize in cyberspace through the utilization of the OSN's privacy tools.
In other words, utilization of these privacy tools is the manifestation, in cyber world, of the
user's invocation of his or her right to informational privacy.
(Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014)
PRIVACY TOOLS IN OSN
The intention to limit access to [a] particular post, instead of being broadcasted to the
public at large or all the user's friends en masse, [is] more manifest and palpable [by
the use of] the "Me Only" privacy setting, or the "Custom" setting [of Facebook or
Meta.]
(a restatement of Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014)
THE RIGHT TO PRIVACY
• As for the exclusionary rule, the Bill of Rights was intended to protect
private individuals against government intrusions.
• Violation of the right to privacy between individuals is properly governed
by the provisions of the Civil Code, the Data Privacy Act, and other
pertinent laws. Admissibility shall be governed by the rules on relevance,
materiality, authentication of documents, and the exclusionary rules under
the Rules on Evidence.
(Cadajas y Cabias v. People, G.R. No. 247348, November 16, 2021)
CIVIL CODE PROVISIONS ON PRIVACY
...
(Art. 26, NCC)
CIVIL CODE PROVISIONS ON PRIVACY
(Vivares v. St. Theresa's College, G.R. No. 202666, [September 29, 2014])
Locational privacy, also known as situational privacy, pertains to privacy
that is felt in a physical space. It may be violated through an act of trespass
or through an unlawful search.
(Separate opinion of Justice Leonen* in Versoza v. People, G.R. No. 184535, September 3, 2019)
* Quoting Former Chief Justice Puno in his speech “The Common Right to Privacy.”
Decisional privacy involves the right to independence in making certain important
decisions, while informational privacy refers to the interest in avoiding disclosure of
personal matters.
(Disini, Jr. v. Secretary of Justice, G.R. Nos. 203335, etc., February 18, 2014)
- See also Vivares v. St. Theresa’s College, G.R. No. 202666, September 29, 2014; both cases cite Justice Puno’s speech, “The
Common Right to Privacy.”
THE DPA PROTECTS INFORMATIONAL PRIVACY
(Vivares v. St. Theresa's College, G.R. No. 202666, [September 29, 2014])
INFORMATIONAL PRIVACY HAS THE FOLLOWING ASPECTS:
The . . . Data Privacy Act was based heavily [on] Directive 95/46/EC of the
European Parliament and Council and is at par with the Asia Pacific Economic
Cooperation (APEC) Information Privacy Framework standards.
(Senate of the Philippines, Press Release, March 20, 2012)
The usual identifying information regarding a person includes his name, his
citizenship, his residence address, his contact number, his place and date of birth, the
name of his spouse if any, his occupation, and similar data.
(Disini, Jr. v. Secretary of Justice, G.R. Nos. 203335, etc., February 18, 2014)
WHAT IS PRIVILEGED INFORMATION?
SENSITIVE PERSONAL INFORMATION includes information about an individual's race, ethnic origin, marital status, age, and color.
(Sec. 3 [l], DPA)
RIGHTS OF THE DATA SUBJECT
a. Right to be informed
b. Right to object
c. Right to access
d. Right to rectification
e. Right to erasure or blocking
f. Right to data portability
g. Right to damages
h. Right to lodge a complaint before the Commission
TRANSMISSIBILITY OF RIGHTS OF THE DATA SUBJECT
The lawful heirs and assigns of the data subject may invoke the
rights of the data subject to which he or she is an heir or an
assignee, at any time after the death of the data subject, or
when the data subject is incapacitated or incapable of exercising
the rights as enumerated in the immediately preceding section.
(Sec. 35, IRR)
LIMITATIONS OF RIGHTS
The rights of the data subject do not apply where personal information is processed:
• only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding
the data subject; or
• for the purpose of investigations in relation to any criminal, administrative
or tax liabilities of a data subject.
(Sec. 19, DPA)
Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or
investigation. (Sec. 37, IRR)
PROTECTION AFFORDED TO JOURNALISTS
AND THEIR SOURCES
• “Journalists” shall not be compelled to reveal their source if the information was related
in any confidence to such journalist.
• “Journalists” who are likewise personal information controllers or personal information
processors within the meaning of the law are still bound to follow the Data Privacy Act
and related issuances with regard to the processing of personal data, upholding rights of
their data subjects and maintaining compliance with other provisions that are not
incompatible with the protection provided by Republic Act No. 53.
(Sec. 7, IRR)
• The DPA did not repeal or amend Republic Act No. 53. (Sec. 5, DPA)
THE PERSONAL INFORMATION CONTROLLER
"Personal information controller" refers to a natural
or juridical person, or any other body who controls the
processing of personal data, or instructs another to
process personal data on its behalf. The term excludes:
(Sec. 3 [m])
A person who sets up CCTV for household purposes is not a PIC. If, however, the
CCTV faces outward and captures images of individuals beyond the
boundaries of the property, as where it monitors a public space, the
operator is deemed a PIC and is subject to the obligations under the DPA.
(NPC Advisory No. 2020-04)
The use of closed-circuit television (CCTV) is expressly allowed under the
Safe Spaces Act, but subject to the regulations implementing
the Data Privacy Act. Moreover, the use of CCTV by a private individual
on private property is subject to Art. 26 (1) of the Civil Code.
(Calleja v. Executive Secretary, G.R. Nos. 252578, etc., December 7, 2021)
PICs and PIPs shall provide CCTV notices which are readily visible and
prominent within their premises, such as at points of entry, or other
conspicuous areas. The CCTV notices shall provide information to the
public that there is a CCTV system in operation in clear, plain, and concise
language.
(Sec. 4 [C], NPC Advisory No. 2020-04)
PRINCIPLE OF ACCOUNTABILITY
Criteria for lawful processing of personal information include processing that is necessary:
• to fulfill functions of public authority, which necessarily includes the processing of personal data; or
• for the legitimate interests pursued by the PIC or by a third party, except where such interests are overridden by the Constitutional rights of the data subject.
(Sec. 12 [e] and [f], DPA)
PRINCIPLE OF TRANSPARENCY
The data subject must be aware of the nature, purpose, and extent
of the processing of his or her personal data, including the risks and
safeguards involved, the identity of personal information controller,
his or her rights as a data subject, and how these can be exercised.
Any information and communication relating to the processing of
personal data should be easy to access and understand, using clear
and plain language.
(Sec. 19 [a], IRR)
PRINCIPLE OF LEGITIMATE PURPOSE
SECTION 7. The right of the people to information on matters of public concern shall be
recognized. Access to official records, and to documents, and papers pertaining to official
acts, transactions, or decisions, as well as to government research data used as basis for
policy development, shall be afforded the citizen, subject to such limitations as may be
provided by law.
(Sec. 7, Bill of Rights, 1987 Constitution)
EXECUTIVE ORDER NO. 2, 2016
While providing access to information, public records, and official records, responsible officials shall afford
full protection to an individual's right to privacy as follows:
(a) Each government office per Section 2 hereof shall ensure that personal information in its custody or
under its control is disclosed or released only if it is material or relevant to the subject matter of the
request and its disclosure is permissible under this Order or existing laws, rules or regulations;
(b) Each government office must protect personal information in its custody or control by making
reasonable security arrangements against leaks or premature disclosure of personal information which
unduly exposes the individual whose personal information is requested to vilification, harassment, or
any other wrongful acts, and
(c) Any employee or official of a government office per Section 2 hereof who has access, authorized or
unauthorized, to personal information in the custody of the office must not disclose that information
except when authorized under this Order or pursuant to existing laws, rules or regulations.
(Sec. 7, EO 2, s. 2016)
HENCE, THE NEED FOR SECURITY MEASURES
TO PROTECT PERSONAL DATA
Also, to observe the criteria for lawful processing of personal and sensitive personal information.
THE NATIONAL PRIVACY COMMISSION
FUNCTIONS OF THE NPC
• Rule Making
• Advisory
• Public Education
• Compliance and Monitoring
• Complaints and Investigations
• Enforcement
• Other functions
(Sec. 9, IRR)
COMPLIANCE AND MONITORING
All security incidents and personal data breaches shall be documented through
written reports, including those not covered by the notification requirements. In the
case of personal data breaches, a report shall include the facts surrounding an
incident, the effects of such incident, and the remedial actions taken by the personal
information controller. In other security incidents not involving personal data, a
report containing aggregated data shall constitute sufficient documentation. These
reports shall be made available when requested by the Commission. A general
summary of the reports shall be submitted to the Commission annually.
(Sec. 41[b], IRR)
"Security incident" is an event or occurrence
that affects or tends to affect data protection,
or may compromise the availability, integrity
and confidentiality of personal data. It
includes incidents that would result to a
personal data breach, if not for safeguards
that have been put in place.
"Personal data breach" refers to a breach of
security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized
disclosure of, or access to, personal data
transmitted, stored, or otherwise processed;
DATA BREACH NOTIFICATION
The personal information controller shall promptly notify the Commission and
affected data subjects when:
(1) sensitive personal information, or other information that may, under the
circumstances, be used to enable identity fraud, is reasonably believed to have
been acquired by an unauthorized person; and
(2) the personal information controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject.
(Sec. 20 [f], DPA)
DATA BREACH NOTIFICATION
Within 72 hours . . .
upon knowledge of, or when there is reasonable belief by the personal information controller
or personal information processor that, a personal data breach requiring notification has
occurred.
(Sec. 38[a], IRR)
CONTENT OF THE NOTICE
The notification shall at least describe the nature of the breach, the
sensitive personal information possibly involved, and the measures
taken by the entity to address the breach. Notification may be delayed
only to the extent necessary to determine the scope of the breach, to
prevent further disclosures, or to restore reasonable integrity to the
information and communications system.
(Sec. 20[f], DPA)
The content and information of the complete breach report is needed by
the Commission in order to determine whether [a PIC] has acted
adequately in order to protect the rights of the affected data subject and to
see if [it] has undertaken measures to avoid further damage and prevent
similar incidents from recurrence.
(In Re: Rokko & Associates, Inc., CID BN 19-034, 21 September 2020)
Notification of data subjects of a personal data breach is the general rule and exemptions
are allowed only under specific circumstances. The purpose of the requirement to notify
data subjects of a breach incident is to give them the opportunity to take the necessary
precautions or such other measures to protect themselves against possible effects of the
breach. PICs are likewise required to establish all reasonable mechanisms to ensure that
all affected data subjects are made aware of the breach. A delay in notification can cause
harm to affected data subjects as they cannot protect themselves from the consequences
of the breach.
(In Re: BPI Philamlife Assurance Corp., NPC BN No. 21-054, April 15, 2021)
COMPLIANCE WITH OTHER REQUIREMENTS
• Restitution for any aggrieved party shall be governed by the provisions of the New Civil
Code. (Sec. 37, DPA)
• Pursuant to the exercise of its quasi-judicial functions, the Commission shall award
indemnity to an aggrieved party on the basis of the provisions of the New Civil Code.
Any complaint filed by a data subject shall be subject to the payment of filing fees,
unless the data subject is an indigent. (Sec. 7 [b], DPA; Sec. 64, IRR)
ADMINISTRATIVE SANCTIONS
CEO (compliance and enforcement order), CDO (cease and desist order), BAN, FINE
Violations of the Act, these Rules, other issuances and orders of the
Commission, shall, upon notice and hearing, be subject to compliance and
enforcement orders, cease and desist orders, temporary or permanent ban
on the processing of personal data, or payment of fines, in accordance with
a schedule to be published by the Commission.
(Sec. 65, IRR)
LIST OF CASES
General Privacy Cases:
• Morfe v. Mutuc, G.R. No. L-20387, January 31, 1968
• Disini, Jr. v. Secretary of Justice, G.R. Nos. 203335, etc., February 18, 2014
• De Leon v. Duterte, G.R. No. 252118, May 8, 2020
• Kilusang Mayo Uno v. Director-General, G.R. Nos. 167798 & 167930, April 19, 2006
• In the Matter of the Petition for Writ of Habeas Corpus/Data v. De Lima, G.R. Nos. 215585 &
215768, September 8, 2020
• Hilado v. Reyes, G.R. No. 163155, July 21, 2006
• Zarate v. Aquino III, G.R. No. 220028 (Notice), November 10, 2015
• Re Request for Copy of 2008 SALN, A.M. Nos. 09-8-6-SC & 09-8-07-CA (Resolution), June 13,
2012
• Subido Pagente Certeza Mendoza and Binay Law Offices v. Court of Appeals, G.R. No. 216914,
December 6, 2016
• Re: Rolando Espinosa, Sr., A.M. Nos. RTJ-17-2494 & RTJ-19-2557, January 26, 2021
• Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, June 16, 2021
• Calleja v. Executive Secretary, G.R. Nos. 252578, etc., December 7, 2021
• Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014
• Office of the Court Administrator v. Atillo, Jr., A.M. No. RTJ-21-018, September 29, 2021
• Gamboa v. Chan, G.R. No. 193636, July 24, 2012
Data Privacy Act cases:
• Cadajas v. People, G.R. No. 247348, November 16, 2021
• Philippine Stock Exchange v. Secretary of Finance, G.R. No. 213860, July 5, 2022
National Privacy Commission Decisions: