
Updates to Philippine Data Privacy Regulations

NO&T Asia Legal Review

Author: Patricia O. Ko
Publisher: Nagashima Ohno & Tsunematsu
Journal / Book: NO&T Asia Legal Review No.56 (February, 2023)
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

Background

In recent months, the National Privacy Commission (“NPC”) has issued several circulars to further clarify and implement the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules and regulations (the “DPA”). Amongst the latest circulars, the following are discussed in this article:

  1) NPC Circular No. 2022-01 issued on 8 August 2022, which imposes penalties for infractions of the DPA and fixes the range of administrative fines; and
  2) NPC Circular No. 2022-04 issued on 5 December 2022 on the registration of personal data processing systems and data protection officer, and notification on automated decision making.

NPC Circular No. 2022-01 on Administrative Fines

To promote organizational accountability and enhance DPA compliance of personal information controllers (“PICs”) and personal information processors (“PIPs”), the following are the types of infractions now subject to administrative fines:

a) Grave infractions

Administrative fines of 0.5% to 3% of the PIC’s or PIP’s annual gross income of the immediately preceding year in which the infraction occurred may be imposed, among others, for violations of the general privacy principles of processing of personal data※1 and violations of the rights of the data subject※2 where the total number of affected data subjects exceeds 1,000 in either case.

b) Major infractions

Major infractions include the failure by the PIC to (i) implement or ensure that third parties processing personal information on its behalf implement reasonable and appropriate security measures to protect the personal information※3, or (ii) notify the NPC and affected data subject of personal data breaches (unless punishable as concealment of security breaches involving sensitive personal information under Section 30 of the DPA). These may subject a PIC to administrative fines of 0.25% to 2% of its annual gross income of the immediately preceding year in which the infraction occurred.

c) Other infractions

On the other hand, administrative fines of Php 50,000 to Php 200,000 may be imposed for other infractions such as the failure to register or provide updated information on the identity or contact details of the PIC, the data processing system, or information on automated decision making. This administrative fine is relevant with respect to NPC Circular No. 2022-04, discussed below.

On top of the fine imposed for the original infraction, the failure to comply with any order, resolution, or decision of the NPC will result in an administrative fine not exceeding Php 50,000. However, in no case will the total imposable fine for a single act of the PIC or PIP (whether resulting in single or multiple infractions) exceed Php 5,000,000.

Further, consistent with the requirement of due process, administrative fines will be imposed only after notice and hearing. In determining the actual fines imposable, the NPC will consider factors such as whether the infraction occurred due to negligence or was intentional, the degree of damage/harm to the data subject, the actions taken prior to or subsequent to the infraction (e.g., mitigating measures), and the like. Decisions of the NPC on such matters are immediately executory unless restrained by the Court of Appeals or the Supreme Court, and refusal to pay the adjudged administrative fine may subject the PIC or PIP to cease and desist orders and other contempt proceedings.

NPC Circular No. 2022-04 on Registration and Notification Requirements

NPC Circular No. 2022-04 applies to PIPs or PICs operating in the Philippines (i.e., as defined in the circular, PICs and PIPs who, although not founded or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch, or agency in the Philippines). It implements Sections 46 to 48 of the DPA on the requirements for registration of personal data processing systems and notification of automated decision making※4.

The circular became effective on 11 January 2023, and covered persons have 180 days, i.e., until 10 July 2023, to comply with the requirements, which are summarized below:

a) Registration of data processing systems and data protection officer

Mandatory registration for covered persons

A PIC or PIP that (i) employs 250 or more persons, (ii) processes sensitive personal information of 1,000 or more individuals, (iii) processes data that will likely pose a risk to the rights and freedom of data subjects, or (iv) processes personal or sensitive personal information involving automated decision making or profiling shall be required to register its data processing system through its designated data protection officer (“DPO”). The process and requirements to complete registration on the NPC’s official registration platform are detailed in the circular.

Note that PICs or PIPs who do not fall under mandatory registration and do not opt for voluntary registration are required to submit to the NPC a sworn declaration and undertaking on their exemption from registration, in the form attached to the circular.

Timelines for registration and amendments

Newly implemented data processing systems or inaugural DPOs are required to register within 20 days from the commencement of the system or from their appointment coming into effect. Major amendments to existing registration information (e.g., name or office address of the PIC or PIP) should be made within 30 days from the date the changes take effect, while minor amendments (e.g., system update or changes in the DPO) should be made within 10 days from the system update or appointment of the new DPO.

Notwithstanding the above periods, all covered persons should complete the required registration by 10 July 2023 (within 180 days from the circular).

Validity and renewal of registration

After completion of the registration process, a PIC or PIP shall be issued a certification of registration, which shall be valid for 1 year from its issuance, unless sooner revoked for grounds such as misrepresentation. A PIC or PIP whose certificate of registration is revoked or that violated the registration requirements may be subject to enforcement orders, cease and desist orders, temporary or permanent bans on processing of personal data, or administrative fines, after due notice and hearing.

b) Notification of automated decision making or profiling

PICs or PIPs that carry out automated decision making or profiling are required to notify the NPC of such fact by indicating it in the registration record or in the amendments or updates to their registration.

A seal of registration shall be issued simultaneously with the certificate of registration, which must be displayed at all times (i) at the main entrance or most conspicuous place in the office of the PIP or PIC to ensure visibility to all data subjects, and (ii) on its main website, or the webpage specifically pertaining to the Philippines (in case of global websites), as either a clickable link to or displayed directly on the privacy notice page.

Conclusion

Considering that the DPA has cross-border application in certain instances, PICs and PIPs should be mindful of the infractions which may now be subject to administrative fines. In addition, PICs and PIPs operating in the Philippines (as defined) and who are covered by mandatory registration should take steps towards compliance with NPC Circular No. 2022-04, given the approaching deadline.

Endnotes

※1 In relation to Section 11 of the DPA

※2 In relation to Section 16 of the DPA

※3 In relation to Section 20 of the DPA

※4 Defined in Section 2(a) of NPC Circular No. 2022-04 as “a wholly or partially automated processing operation that can make decisions using technological means totally independent of human intervention; automated decision-making often involves profiling.”

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
