By Atty. Isaac D. De Leon
Republic Act No. 10173, or The Data Privacy Act of 2012 (DPA), is the overarching data privacy law of the Philippines. This law defines the categories of personal information, lays down the rights of data subjects, lists the responsibilities of data processors and controllers, and created the National Privacy Commission (NPC). This law was more or less copied from the European Union’s General Data Protection Regulation (GDPR)—the data privacy law that created limits on how companies (mostly those with an online presence) can collect and share data.
Brief History.
Though the DPA was enacted as early as August 2012, its provisions were only fully implemented in 2016, when its Implementing Rules and Regulations (IRR) was published by the NPC. Since then, the NPC has been assisting the general public in familiarizing themselves with the salient points of the DPA by providing free seminars, spending on education drives, and streamlining the compliance requirements of the DPA.
In the wake of the frequent cyber-attacks in the last five (5) years, the general public started to become more aware of their individual rights as data subjects under the DPA. With that, the NPC began exerting pressure on businesses to fully comply with the requirement of this law, lest they be fined and/or penalized for non-compliance. The issue of data privacy became even more relevant in 2020 when most businesses were forced to move their operations online.
Purpose.
The DPA was enacted in order to safeguard the fundamental human right of every individual to privacy, to ensure the free flow of information, and other allied rights. The definition of “personal information” under this law is so broad that it defines it as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual.” This definition is not limited to just the names of the data subjects but may refer to any information that may point to their identity (such as customer numbers, account numbers, unit numbers, etc.).
Real-World Application.
Nonetheless, its full implementation has still been slow. This is to be expected, since Filipinos are generally very open and social people, with very little regard for privacy. Only now that more transactions are made online do Filipinos begin to see the value of having these data privacy laws in place. To fully maximize the rights granted by the law, a cultural shift in the value Filipinos place on privacy may be necessary.
Due to the DPA’s broad definition of personal information and its burdensome requirements for safeguarding personal information, most small business owners scrambled to comply with the DPA and its IRR. There is still much confusion about whether the collection, processing, and distribution activities of business owners fall within the “legitimate interest” clause of the DPA.
Legitimate Interest: A Balancing Act.
To date, there are no cases regarding this particular law that has reached the Supreme Court. Most advice that lawyers give to their clients regarding this law is based on the advisory opinions of the NPC. For example, business owners will have no choice but to gauge for themselves if the extent they are processing personal information is within their “legitimate interest”, the definition of which, according to the NPC, may be validated by employing a three-part test:
1. Purpose test: are you pursuing a legitimate interest?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual’s interests override the legitimate interest?
Hence, the parameters are not clear. There is much room for abuse from both business owners themselves and the data subjects. One must remember the DPA is a practical copy of the GDPR—the law that even developed countries have a hard time complying to. The Philippines, eager to be first in Southeast Asia, summarily enacted its own version of the GDPR and placed a massive burden on business owners. Because of these uncertainties, the general sentiment of small business owners is that the law is vague and unduly burdensome.
The NPC is not unaware of these sentiments, which was why in 2021 it scheduled a series of talks with stakeholders in order to get feedback on how to better implement the law. Perhaps after these talks, the general public will find a newfound appreciation for the often-forgotten rights granted under the DPA.
For more information, contact us at sdl@sauloglaw.com.ph and 8-813-6145.
Disclaimer: The information provided on this website does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials available on this site are for general informational purposes only. Such links are only for the convenience of the reader, user, or browser. Saulog and De Leon Law Offices do not recommend or endorse the contents of the third-party sites. Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, contributing law firms, or committee members and their respective employers.
