NO&T Asia Legal Review
In recent months, the National Privacy Commission (“NPC”) has issued several circulars to further clarify and implement the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules and regulations (the “DPA”). Amongst the latest circulars, the following are discussed in this article:
To promote organizational accountability and enhance DPA compliance of personal information controllers (“PICs”) and personal information processors (“PIPs”), the following are the types of infractions now subject to administrative fines:
Administrative fines of 0.5% to 3% of the PIC’s or PIP’s annual gross income of the immediately preceding year in which the infraction occurred may be imposed, among others, for violations of the general privacy principles of processing of personal data*1 and violations of the rights of the data subject*2 where the total number of affected data subjects exceeds 1,000 in either case.
Major infractions include the failure by the PIC to (i) implement, or ensure that third parties processing personal information on its behalf implement, reasonable and appropriate security measures to protect the personal information*3, or (ii) notify the NPC and affected data subjects of personal data breaches (unless punishable as concealment of security breaches involving sensitive personal information under Section 30 of the DPA). These may subject a PIC to administrative fines of 0.25% to 2% of its annual gross income of the immediately preceding year in which the infraction occurred.
On the other hand, administrative fines of Php 50,000 to Php 200,000 may be imposed for other infractions such as the failure to register or provide updated information on the identity or contact details of the PIC, the data processing system, or information on automated decision making. This administrative fine is relevant with respect to NPC Circular No. 2022-04, discussed below.
On top of the fine imposed for the original infraction, the failure to comply with any order, resolution, or decision of the NPC will result in an administrative fine not exceeding Php 50,000. However, in no case will the total imposable fine for a single act of the PIC or PIP (whether resulting in single or multiple infractions) exceed Php 5,000,000.
Further, consistent with the requirement of due process, administrative fines will be imposed only after notice and hearing. In determining the actual fines imposable, the NPC will consider factors such as whether the infraction occurred due to negligence or was intentional, the degree of damage/harm to the data subject, the actions taken prior to or subsequent to the infraction (e.g., mitigating measures), and the like. Decisions of the NPC on such matters are immediately executory unless restrained by the Court of Appeals or the Supreme Court, and refusal to pay the adjudged administrative fine may subject the PIC or PIP to cease and desist orders and other contempt proceedings.
NPC Circular No. 2022-04 applies to PIPs or PICs operating in the Philippines (i.e., as defined in the circular, PICs and PIPs who, although not founded or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch, or agency in the Philippines). It implements Sections 46 to 48 of the DPA on the requirements for registration of personal data processing systems and notification of automated decision making*4.
The circular became effective on 11 January 2023, and covered persons have 180 days, i.e., until 10 July 2023, to comply with the requirements, which are summarized below:
A PIC or PIP that (i) employs 250 or more persons, (ii) processes sensitive personal information of 1,000 or more individuals, (iii) processes data that will likely pose a risk to the rights and freedom of data subjects, or (iv) processes personal or sensitive personal information involving automated decision making or profiling shall be required to register its data processing system through its designated data protection officer (“DPO”). The process and requirements to complete registration on the NPC’s official registration platform are detailed in the circular.
Note that PICs or PIPs who do not fall under mandatory registration and do not opt for voluntary registration are required to submit to the NPC a sworn declaration and undertaking on their exemption from registration, in the form attached to the circular.
Newly implemented data processing systems or inaugural DPOs are required to register within 20 days from the commencement of the system or from their appointment coming into effect. Major amendments to existing registration information (e.g., name or office address of the PIC or PIP) should be made within 30 days from the date the changes take effect, while minor amendments (e.g., system update or changes in the DPO) should be made within 10 days from the system update or appointment of the new DPO.
Notwithstanding the above periods, all covered persons should complete the required registration by 10 July 2023 (within 180 days from the circular).
After completion of the registration process, a PIC or PIP shall be issued a certification of registration, which shall be valid for 1 year from its issuance, unless sooner revoked for grounds such as misrepresentation. A PIC or PIP whose certificate of registration is revoked or that violated the registration requirements may be subject to enforcement orders, cease and desist orders or temporary or permanent bans on processing of personal data or administrative fines, after due notice and hearing.
PICs or PIPs that carry out automated decision making or profiling are required to notify the NPC of such fact by indicating it in the registration record or in the amendments or updates to their registration.
A seal of registration shall be issued simultaneously with the certificate of registration, which must be displayed at all times (i) at the main entrance or most conspicuous place in the office of the PIP or PIC to ensure visibility to all data subjects, and (ii) on its main website, or the webpage specifically pertaining to the Philippines (in case of global websites), as either a clickable link to or displayed directly on the privacy notice page.
Considering that the DPA has cross-border application in certain instances, PICs and PIPs should be mindful of the infractions which may now be subject to administrative fines. In addition, PICs and PIPs operating in the Philippines (as defined) and who are covered by mandatory registration should take steps towards compliance with NPC Circular No. 2022-04, given the approaching deadline.
*1 In relation to Section 11 of the DPA
*2 In relation to Section 16 of the DPA
*3 In relation to Section 20 of the DPA
*4 Defined in Section 2(a) of NPC Circular No. 2022-04 as “a wholly or partially automated processing operation that can make decisions using technological means totally independent of human intervention; automated decision-making often involves profiling.”
This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
Patricia O. Ko