Overview and Salient features of Data Privacy Act of 2012

Data Privacy Act of 2012
REPUBLIC ACT NO. 10175
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

References:

RA 10173, Data Privacy Act of 2012 (effective September 8, 2012)
Implementing Rules and Regulations of DPA (effective September 9, 2016)
NPC Advisory Opinions (as of June 20, 2019)
Relevant jurisprudence (as of September 30, 2020)
-- Vivares vs STC, et al (G.R. No. 202666, September 29, 2014)
-- Belo-Henares v. Guevarra (A.C. No. 11394, December 01, 2016)

Effectivity:

Approved by the President of the Philippines (8/15/2012) 

Overview:

We live in an age of ever-increasing dependence on electronic data storage, communications, and usage. Vast quantities of data are stored electronically and may be instantly transferred electronically from one party to another for business or for other purposes. The nature of such data allows for the increasing possibility that an individual's privacy rights may be violated. Because of the fast pace at which technology is growing, broader societal consequences may not have been reviewed or studied, nor is it clear how the use of such technology will affect existing data systems and their use. (See Explanatory note of SBN-1908 (as filed), Introduced by Senator Miriam Defensor Santiago)

...it seeks to provide the needed framework in relation to the handling and treatment of sensitive and personal information in our country. It also establishes a National Data Privacy Commission that would regulate the use of this information. It is hoped that thru this legislation we will be able to earn the trust of investors and utilize them to propel our country's growth economically. (See Explanatory note of SBN-2965 (Per Ctte. Rpt. No. 56), Introduced by Senator Miriam Defensor Santiago)

The Data Privacy Act of 2012 is a comprehensive law that aims to protect the personal information of individuals in the Philippines. The Act provides a framework for the collection, use, and storage of personal information, and establishes regulations to ensure that personal information is handled in a manner that is transparent, fair, and proportionate.

Some of the key features of the Data Privacy Act of 2012 include:
  • Specifying that personal information must be collected for a specified and legitimate purpose, and that it must be processed in a way that is compatible with that purpose.
  • Requiring that personal information be processed fairly and lawfully, and that it be accurate and up-to-date.
  • Limiting the amount of personal information that can be collected and stored, so that it is adequate and not excessive in relation to the purpose for which it was collected.
  • Stipulating that personal information must be retained only for as long as necessary for the purpose it was collected, and that it must be kept in a form that allows for identification of data subjects for no longer than necessary.
  • Providing for the right of individuals to access and correct their personal information, and to be informed of any breach of security that may have compromised their personal information.
  • Establishing penalties for non-compliance with the Act, and providing for the appointment of a National Privacy Commission to oversee its implementation.
Overall, the Data Privacy Act of 2012 is an important law that helps to safeguard the personal information of individuals in the Philippines. It establishes a framework for the collection, use, and storage of personal information, and ensures that personal information is handled in a manner that is transparent, fair, and proportionate.

Constitutional Basis:

The Constitution, Article III provides that: 

Section 3, Article III of the 1987 Constitution:
(1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.
(2) Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding. (See Explanatory note of SBN-1908 (as filed), Introduced by Senator Miriam Defensor Santiago)

The constitutional basis of Republic Act No. 10173, also known as the Data Privacy Act of 2012, is rooted in the right to privacy of communication and correspondence as provided for in Article III, Section 3 of the Philippine Constitution. This law aims to protect the personal information of individuals from being collected, used, or shared without their consent. It provides guidelines for how personal information can be collected, used, and shared by organizations and businesses, as well as what rights individuals have when it comes to their personal information.

The act also draws its basis on the State's power to promote and protect the rights of its citizens, as provided for in Article II, Section 11 of the Constitution, which states: "The State values the dignity of every human person and guarantees full respect for human rights." This law is designed to safeguard the privacy of the citizens, ensuring that their personal information is not mishandled or misused by organizations and businesses, in order to protect citizens from potential harm or misuse of their personal information.

Declaration of State Policy:

RA 10175 states that: "It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected."

This Declaration is saying that the government recognizes the importance of protecting people's privacy and freedom of communication. It also acknowledges the role that technology plays in society and the economy, and the government's responsibility to ensure that personal information is kept secure in both government and private sector systems. The goal of this policy is to balance protecting individual rights with promoting innovation and growth.

Moreover, "The government has the paramount interest of protecting the integrity and confidentiality of sensitive data maintained by its different agencies and instrumentalities. The giant leaps in technology in recent years make government databases vulnerable to unauthorized intrusions by hackers. The purpose of this Act is to increase the security of sensitive data maintained by the government." (See Explanatory note of SBN-2236, Introduced by Senator Miriam Defensor Santiago)

Important key terms: (See Sec. of RA 10173)

Data subject refers to an individual whose personal information is processed. 

Personal information controller refers to: 

(1) a person or 
(2) organization who controls the collection, holding, processing or use of personal information, 
(3) including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.

Extraterritorial Application.

Section 6 of the Data Privacy Act of 2012 (RA 10173) states that this law applies to acts or practices that occur outside of the Philippines if they involve personal information about Philippine citizens or residents. This means that even if the act or practice happens outside of the Philippines, it can still be subject to the provisions of this law.

Furthermore, it also lays out specific criteria that determine if an entity has a "link" with the Philippines and is therefore subject to the law. These include:
  • If the entity has a contract entered in the Philippines.
  • If the entity is an unincorporated entity but has central management and control in the Philippines
  • If the entity has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information
  • If the entity carries on business in the Philippines
  • If the personal information was collected or held by an entity in the Philippines.
To be continued....updated as of 24/01/23