Amending the Data Privacy Act
In several months’ time, the country’s data protection law—Republic Act No. 10173, also called the Data Privacy Act of 2012 (DPA)—will be seven years old. Inform people of this fact, though, and most will probably say it doesn’t really feel like it. After all, it was only in 2016 that the agency charged with its enforcement (i.e., National Privacy Commission or NPC) was established. The same year its implementing rules were issued and took effect.
Just the same, with all things considered, the DPA does seem dated at this point and there are already those who believe it is due for a review and a decent upgrade. They may have a point: the policy it was patterned after has already been replaced by one that reflects more effectively the technologies and practices of this era. If anything, shouldn’t that make an amendment of the DPA a logical recourse on our end?
To be certain, one thing we can do is visualize what an improved DPA looks like. And we can start by going over the proposals currently sitting in Congress. At the moment, two are pending at the House of Representatives. One (House Bill No. 1188) seeks to impose stiffer penalties on violations of the law. The second (House Bill No. 5612) covers a wide range of issues and is poised to have a tremendous impact on the implementation of the law.
Let’s take a look at the latter and get a feel of just how much better off we’ll be if it successfully hurdles the legislative process. These are some of the highlights of HB 5612:
Special Cases. The bill seeks to remove one item in the list of exemptions: personal data being processed here in the Philippines but which were originally collected from another country in accordance with the latter’s laws. This provision has been a source of tension between the NPC and the business process outsourcing sector, with the latter insisting that their data processing activities are not covered by the law. Meanwhile, two items are being added: (1) processing by courts acting in their judicial capacity; and (2) processing by an individual for purely personal or household reasons. The first is important to ensure an independent judiciary. That, although courts will still be covered by the DPA when they conduct data processing activities in a different capacity. The second should dispel the misconception that all instances of personal data use is a data protection concern. People forget that data protection is meant to address the risks caused by automated data processing and massive filing systems. As regards the exemption given to information processed for research purposes, it is now limited to those conducted for the public benefit or for the development of knowledge. Just the same, research activities will still be subject to applicable laws and ethical standards. Finally, the bill clarifies that an absolute exemption does not exist under the DPA.
Definitions. The bill modifies the definition of sensitive personal information (SPI). First, it adds to the mix: biometric data, sexual orientation or gender identity, an individual’s financial data, identification numbers, and information established by regulations as confidential. At the same time, it removes the following: information about a person’s education, marital status, age, color, and the denial, suspension, or revocation of licenses. The fact that data points like age and marital status are currently classified as SPI has been a constant source of implementation woes. The same is true for the undefined concept of “information about a person’s education”, which has led to varying interpretations among stakeholders. Meanwhile, many have wondered why people’s financial information is not considered SPI, notwithstanding current social values and business practices.
Extra-territorial Application. The current language of the law is poorly written. The bill remedies this by making it clear that the DPA will apply to data processing done outside of the Philippines, if two elements concur: (1) the personal data relates to a Filipino or a resident of the Philippines; and (2) the entity carrying out the data processing has a link to the Philippines. The bill also borrows from the GDPR when it says the DPA will also cover data processing that either purports to offer goods or services to Filipinos and Philippine residents, or which consists of monitoring behavior within the Philippines.
Functions of the NPC. The Commission will get to enjoy enhanced powers. Its power to impose administrative fines (with the limit set at PhP5M per violation) is expressly stated to quell any lingering doubts as to the existence of such authority. Its ability to put a stop to data processing may already be exercised if necessary to uphold the rights of individuals over their personal data. The NPC will also have the prerogative to publicize reports regarding its disposition of complaints and the results of its investigations. The Office of the Ombudsman currently has such authority.
Data Privacy Principles. There are currently six data privacy principles under the DPA. The proposal is to add a seventh: Personal data should be processed in a safe and secure manner.
Legal Bases for Processing Sensitive Personal Information. Subject to certain conditions, the bill adds the following to the list: (1) if it is pursuant to a contract with the concerned individual; (2) if it relates to information already made public by the individual; (3) if it is due to public interest considerations; and (4) if it is necessary for archiving purposes. Thankfully, there is also an attempt to fix a “broken” provision concerning so-called public organizations. Prospectively, the law will say: processing of SPI by non-profits will be allowed as long as they relate only to their current or former members or people they have regular contact with, and the personal data are not disclosed to third parties.
Data Subject Rights. An individual will be given the right to object to the processing of her personal data for direct marketing or profiling purposes, or if it turns out that a decision affecting her is the result of automated decision-making. She may also withdraw her consent if changes are made to the nature or extent of processing of her personal data. Two existing rights—the right to reasonable access and the right to data portability—will be modified. A person will be able to access all information she is entitled to by reason of her right to be informed. She will also be able to obtain a copy, as long as this does not affect other people’s rights. Coinciding with these “improvements” is the introduction of additional scenarios wherein data subject rights may not be invoked, namely: (1) if processing is for archiving done in the public interest; (2) if there are adequate safeguards in place; (3) if it is provided for by law or a regulation; and (4) if it is necessary to protect the life and health of the individual.
Data Breach Notification. The bill elevates to a statutory requirement the breach notification period of 72 hours. At the moment, this is only featured in the DPA’s implementing rules. It also recognizes a situation wherein a personal information processor (PIP) will be required to notify the NPC. This contrasts the current policy which says the personal information controller will still be the one to notify the Commission, even in instances where the breach occurs while the affected data is with a PIP or service provider.
Apart from these, there are numerous minor amendments to the law. Some of them will be featured in the second part of this article. More importantly, the more problematic proposals will be taken up, as well as existing problems of the DPA, which were not addressed by the bill.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He is currently the Director of the University Data Protection Office of the Ateneo de Manila University, and Policy and Legal Advisor to the Foundation for Media Alternatives. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.