NPC updating penalties for data privacy violators

The National Privacy Commission (NPC) is updating the penalties to be imposed against violators of the Data Privacy Act of 2021.

In a statement on Friday, the NPC said it conducted an online public hearing on March 22, where it presented an updated draft circular on administrative fines to its stakeholders.

The privacy body said the updated draft includes consolidated comments from previous hearings which started last April 2021.

In consideration of the comments from the public, the NPC said it revised the scope to include all personal information controllers (PICs) or personal information processors (PIPs) under the jurisdiction of the Data Privacy Act.

It said the circular on administrative fines aims to promote organizational accountability and compliance with the Data Privacy Act by providing an optimal deterrence.

Currently, an administrative fine may be imposed based on the annual gross income of PICs or PIPS within the range of 0.25% to 3% for grave violations and 0.25% to 2% for major violations.

The NPC said one of the notable changes in the current draft is the proposal to include a ceiling for the imposition of administrative fines.

As such, the provision limiting the total imposable fine to not more than P5,000,000 was inserted, the privacy body said.

Such ceiling applies, whether the infraction results in single or multiple violations arising from a single act of PICs and PIPs, it said.

The NPC said the single act pertains to a per processing activity basis and not per data privacy principle or data subject right violated.

“The National Privacy Commission has consistently issued proactive measures for personal information controllers and personal information processors to comply with the law,” said Privacy Commissioner John Henry Naga.

“The Data Privacy Act was enacted in 2012 and upon the constitution of the Commission in 2016, it has been actively promoting, educating, and assisting the stakeholders in their common endeavor in complying with the law. By now, we expect PICs and PIPs to have incorporated in their respective processes and implemented necessary measures, to protect data subjects and uphold data privacy rights,” said Naga.

In computing the imposable fine, the NPC said it will take into consideration the number of data subjects affected; the degree of negligence, or the intent of the PICs or PIPs that contributed or resulted in the violation; the categories of personal data affected; and the nature, duration, and severity of such infraction, among others.

Meanwhile, to determine the annual gross income of the erring PICs or PIPs, the privacy body said it may review and require the submission of audited financial statements filed with the appropriate tax authorities for the immediately preceding year of the violation, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as may be deemed relevant and appropriate for the purpose.

If a particular PIC and PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed, the NPC said.

The privacy body noted that PICs and PIPs who refuse to pay the administrative fines may be subject to a cease-and-desist order, and other processes or reliefs the NPC is authorized to pursue as provided under Section 7 of the DPA, and/or appropriate contempt proceedings under the Rules of Court.

The NPC added it is open to receive comments from its stakeholders regarding the draft circular until April 6, 2022.—AOL, GMA News