
The Data Privacy Act of 2012 and Its Implementing Rules and Regulations


Encarnacion, Angelica Alyza V.

JD4103

Introduction

Republic Act No. 10173 is otherwise known as the “Data Privacy Act of 2012”. Its full
title is “An Act Protecting Individual Personal Information in Information and
Communications Systems in the Government and the Private Sector, Creating for this
Purpose a National Privacy Commission, and for Other Purposes.”1 Generally, it gives a
person the right to protection against unauthorized access to or processing of personal
and private information from which one’s identity is apparent.2

Brief Background

The Data Privacy Act was passed by Congress on June 6, 2012 and was signed into law by
former President Benigno S. Aquino III on Aug. 15, 2012. The Act was based on the EU
Data Protection Directive and the Asia-Pacific Economic Cooperation (APEC) Privacy
Framework.3

Through Republic Act No. 10173, the National Privacy Commission was created. President
Aquino thereafter appointed Raymundo Liboro as the inaugural head of the Commission, and
Damian Mapa and Atty. Ivy Patdu as inaugural deputy privacy commissioners, all of whom
remain in their positions today with the exception of Damian Mapa, who was succeeded by
Atty. Leandro Aguirre.4

The Commission conducted a series of public consultations that started on July 13 at the
University of the Philippines, Diliman.5 The last hearing was held at the University of
the Philippines Manila on Aug. 16.6

1 An Act Protecting Individual Personal Information in Information and Communications
Systems in the Government and the Private Sector, Creating for this Purpose a National
Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Act No. 10173 (2012).
2 Amihan, The Beginner’s Guide to RA 10173 (Data Privacy Act of 2012), available at
https://amihan.net/2017/07/10/beginners_guide_to_ra_10173/ (last accessed May 1, 2019).
3 Hogan Lovells, Philippine Data Privacy Law is Signed into Law, available at
https://www.hldataprotection.com/2012/08/articles/international-eu-privacy/philippine-data-privacy-law-is-signed-into-law/
(last accessed May 1, 2019).
4 National Privacy Commission: About Us, available at
https://www.privacy.gov.ph/about-us/#orgchart (last accessed May 1, 2019).
5 Newsbytes.ph, IRR for Data Privacy Act released 4 years after passage of law, available at
http://newsbytes.ph/2016/08/27/irr-for-data-privacy-act-released-4-years-after-passage-of-law/
(last accessed May 1, 2019).
6 Id.

Four years after the implementation of the Data Privacy Act, on Aug. 24, 2016, its
Implementing Rules and Regulations were promulgated by the Commission, signed, and
subsequently took effect on Sept. 9, 2016.

Purpose of the Data Privacy Act

As stated in Section 2 of the Act, its purpose is “to protect the fundamental
human right of privacy of communication while ensuring free flow of information to
promote innovation and growth. The State recognizes the vital role of information and
communications technology in nation-building and its inherent obligation to ensure that
personal information in information and communications systems in the government and
in the private sector are secured and protected.”

Scope and Coverage of the Data Privacy Act


Under Section 4 paragraph 1 of the law, its scope covers “the processing of all
types of personal information and to any natural and juridical person involved in personal
information processing including those personal information controllers and processors
who, although not found or established in the Philippines, use equipment that are
located in the Philippines, or those who maintain an office, branch or agency in the
Philippines subject to the immediately succeeding paragraph.”7

However, there are certain exceptions to its scope, covered under Section 4 paragraph 2
of the law, which states:

“This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a
government institution that relates to the position or functions of the individual,
including:
(1) The fact that the individual is or was an officer or employee of the government
institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the
individual; and
(4) The name of the individual on a document prepared by the individual in the course
of employment with the government.

(b) Information about an individual who is or was performing service under contract for
a government institution that relates to the services performed, including the terms of
the contract, and the name of the individual given in the course of the performance of
those services;

(c) Information relating to any discretionary benefit of a financial nature such as the
granting of a license or permit given by the government to an individual, including the
name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research
purposes;

(e) Information necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the independent central
monetary authority and law enforcement and regulatory agencies of their constitutionally
and statutorily mandated functions.

Nothing in this Act shall be construed as to have amended or repealed Republic Act No.
1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426,
otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the
jurisdiction of the independent central monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended,
otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable data
privacy laws, which is being processed in the Philippines.”8

7 Data Privacy Act of 2012, §4 ¶ 1.
8 Data Privacy Act of 2012, §4, ¶ 2.


Furthermore, the scope of the law does not contradict or subvert the protection
afforded to journalists and to their sources as stated in Section 5 of the Data Privacy Act.

“SECTION 5. Protection Afforded to Journalists and Their Sources. — Nothing in this Act
shall be construed as to have amended or repealed the provisions of Republic Act No. 53,
which affords the publishers, editors or duly accredited reporters of any newspaper,
magazine or periodical of general circulation protection from being compelled to reveal
the source of any news report or information appearing in said publication which was
related in any confidence to such publisher, editor, or reporter.”9

Application of the Data Privacy Act

Pursuant to Section 6 of the law, it has extraterritorial application: the law “applies
to an act done or practice engaged in and outside of the Philippines by an entity.”10
However, in order for the law to be applied to the person who committed the violation,
his or her act must fall under one of the following:

“(a) The act, practice or processing relates to personal information about a Philippine
citizen or a resident;
(b) The entity has a link with the Philippines, and the entity is processing personal
information in the Philippines or even if the processing is outside the Philippines as
long as it is about Philippine citizens or residents such as, but not limited to, the
following:
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the Philippines but has central management and
control in the country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the
parent or affiliate of the Philippine entity has access to personal information; and
(c) The entity has other links in the Philippines such as, but not limited to:
(1) The entity carries on business in the Philippines; and
(2) The personal information was collected or held by an entity in the Philippines.”11

9 Data Privacy Act of 2012, §5.
10 Id. §6.
11 Id.

Obligations of personal information controllers and personal information
processors under the Data Protection Laws

The law provides the requirements for processing personal information. Generally,
processing personal information is allowed provided that those processing it “comply
with the requirements of this Act and other laws allowing disclosure of information to
the public and adherence to the principles of transparency, legitimate purpose and
proportionality.”12

It is required that the personal information be:

“(a) Collected for specified and legitimate purposes determined and declared before, or
as soon as reasonably practicable after collection, and later processed in a way
compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used the
processing of personal information, kept up to date; inaccurate or incomplete data must
be rectified, supplemented, destroyed or their further processing restricted;

(d) Adequate and not excessive in relation to the purposes for which they are collected
and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which
the data was obtained or for the establishment, exercise or defense of legal claims, or
for legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the data were collected and processed: Provided,
that personal information collected for other purposes may be processed for historical,
statistical or scientific purposes, and in cases laid down in law may be stored for
longer periods: Provided, further, that adequate safeguards are guaranteed by said laws
authorizing their processing.”13

12 Data Privacy Act of 2012, §11.

The law also provides the criteria for the lawful processing of personal information,
which states:

“Section 12. Criteria for Lawful Processing of Personal Information. – The processing of
personal information shall be permitted only if not otherwise prohibited by law, and when
at least one of the following conditions exists:
(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the
fulfillment of a contract with the data subject or in order to take steps at the request
of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data
subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply
with the requirements of public order and safety, or to fulfill functions of public
authority which necessarily includes the processing of personal data for the fulfillment
of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by
the personal information controller or by a third party or parties to whom the data is
disclosed, except where such interests are overridden by fundamental rights and freedoms
of the data subject which require protection under the Philippine Constitution.”14

13 Data Privacy Act of 2012, §11.
14 Id. §12.
15 Id. §11.

It is also mandated that a personal information controller must “ensure implementation
of personal information processing principles set out herein.”15 Broader obligations of
personal information controllers and personal information processors are provided for in
Chapter V (Security of Personal Information), Section 20 of the law, which states:

“(a) The personal information controller must implement reasonable and appropriate
organizational, physical and technical measures intended for the protection of personal
information against any accidental or unlawful destruction, alteration and disclosure,
as well as against any other unlawful processing.

(b) The personal information controller shall implement reasonable and appropriate
measures to protect personal information against natural dangers such as accidental
loss or destruction, and human dangers such as unlawful access, fraudulent misuse,
unlawful destruction, alteration and contamination.

(c) The determination of the appropriate level of security under this section must take
into account the nature of the personal information to be protected, the risks
represented by the processing, the size of the organization and complexity of its
operations, current data privacy best practices and the cost of security implementation.
Subject to guidelines as the Commission may issue from time to time, the measures
implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in
its computer networks, and for taking preventive, corrective and mitigating action
against security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a security
breach.

(d) The personal information controller must further ensure that third parties
processing personal information on its behalf shall implement the security measures
required by this provision.

(e) The employees, agents or representatives of a personal information controller who
are involved in the processing of personal information shall operate and hold personal
information under strict confidentiality if the personal information are not intended
for public disclosure. This obligation shall continue even after leaving the public
service, transfer to another position or upon termination of employment or contractual
relations.

(f) The personal information controller shall promptly notify the Commission and
affected data subjects when sensitive personal information or other information that
may, under the circumstances, be used to enable identity fraud are reasonably believed
to have been acquired by an unauthorized person, and the personal information controller
or the Commission believes that such unauthorized acquisition is likely to give rise to
a real risk of serious harm to any affected data subject. The notification shall at
least describe the nature of the breach, the sensitive personal information possibly
involved, and the measures taken by the entity to address the breach. Notification may
be delayed only to the extent necessary to determine the scope of the breach, to prevent
further disclosures, or to restore reasonable integrity to the information and
communications system.

(1) In evaluating if notification is unwarranted, the Commission may take into account
compliance by the personal information controller with this section and existence of
good faith in the acquisition of personal information.

(2) The Commission may exempt a personal information controller from notification
where, in its reasonable judgment, such notification would not be in the public interest
or in the interests of the affected data subjects.

(3) The Commission may authorize postponement of notification where it may hinder the
progress of a criminal investigation related to a serious breach.”16

16 Data Privacy Act of 2012, § 20.


The personal information controller is also responsible for “personal information under
its control or custody, including information that have been transferred to a third
party for processing, whether domestically or internationally, subject to cross-border
arrangement and cooperation.”17

National Privacy Commission

Furthermore, the Data Privacy Act created the National Privacy Commission, whose
function is to “administer and implement the provisions of this Act, and to monitor and
ensure compliance of the country with international standards set for data
protection.”18

Implementing Rules and Regulation of the Data Privacy Act of 2012

The Implementing Rules and Regulations of the Data Privacy Act were promulgated by the
National Privacy Commission four years after the implementation of the law. The rules
further implement the Data Privacy Act and adopt the generally accepted principles of
international law as well as the standards for personal data protection.

The rules also “recognize the vital role of information and communications technology in
nation-building and enforce the State’s inherent obligation to ensure that personal data
in information and communications systems in the government and in the private sector
are secured and protected.”19

17 Data Privacy Act of 2012, § 21.
18 Id. § 7.
19 Rules and Regulations Implementing the Data Privacy Act of 2012, § 2 (2016).
