Data Privacy Act - RA No. 10173 | What You Should Know

Introduction: Data Privacy Act | Republic Act [RA] No. 10173

Filipinos are heavy social media users, so it is fitting to take up our own data privacy act (law or statute, whichever you prefer to call it). According to the advertising firms We Are Social and Hootsuite, in their annual report released in January 2021, Filipinos may be spending an average of 4 hours and 15 minutes each day on social media. The Philippines has topped the worldwide usage rankings for six (6) consecutive years.

In the same report, 38.2% of Filipinos say they are worried about how companies will use the data they put online. This is where the Data Privacy Act of 2012 comes into play.

Data Privacy Act of 2012

The Data Privacy Act of 2012 (DPA)[1], or Republic Act No. 10173, is an act protecting individual personal data in information and communications systems in the government and the private sector.[2]

The law was passed “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act. No. 10173, Chapter 1, Section 2).[3]

Under the Data Privacy Act of 2012 (DPA), people whose personal information is collected, stored, and processed are called data subjects. Organizations that handle your personal details, whereabouts, and preferences are duty-bound to observe and respect your data privacy rights.[4]

The Act also established the National Privacy Commission, which oversees the administration and implementation of the Data Privacy Act of 2012 (DPA). The Commission is likewise tasked with monitoring and ensuring the Philippines' compliance with international standards for personal information protection.

Primary Relevance | Data Protection

The Data Privacy Act of 2012 (DPA) “applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.” (Republic Act. No. 10173, Chapter 1, Section 4).[5]

Moreover, RA 10173 has extraterritorial application, which “applies to an act done or practice engaged in and outside of the Philippines by an entity if:[6]

“(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;[7]

“(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:[8]

“(1) A contract is entered in the Philippines;[9]

“(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and[10]

“(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and[11]

“(c) The entity has other links in the Philippines such as, but not limited to:[12]

“(1) The entity carries on business in the Philippines; and[13]

“(2) The personal information was collected or held by an entity in the Philippines.” (Republic Act. No. 10173, Chapter 1, Section 6).[14]

Under the Data Privacy Act of 2012 (DPA), all personal data must be collected with the customer's proper consent. There must be a legitimate reason for collection, which should be clear to both the party giving and the party receiving the information.

Such personal information should be used solely for its intended purposes, and be protected and secured from collection through proper disposal, preventing access by unauthorized parties.

Every person shall have the following data privacy rights under the DPA:

(a) The right to be informed: this is the basic right that empowers you as a data subject to consider other actions to protect your data privacy and assert your other privacy rights;[15]

(b) The right to access: under the Data Privacy Act of 2012, you have the right to obtain from an organization a copy of any information relating to you that it holds in its computer database and/or manual filing system;[16]

(c) The right to object: this can be exercised if the personal data processing involved is based on consent or on legitimate interest;[17]

(d) The right to erasure or blocking: under the law, you have the right to suspend, withdraw, or order the blocking, removal, or destruction of your personal data;[18]

(e) The right to damages: you may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, taking into account any violation of your rights and freedoms as a data subject;[19]

(f) The right to rectify: you have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about you;[20]

(g) The right to data portability: this right assures that you remain in full control of your data.[21]

Data portability allows you to manage your personal data in your private device, and to transmit your data from one personal information controller to another.

To protect these rights, companies should have a Data Protection Officer, privacy awareness programs, privacy and data policies to regulate the handling of information, routine assessments to ensure the quality of data protection, and a proper procedure for notifying customers of a breach.

In case of a data breach, the law requires notification to the NPC and the data subject within 72 hours of knowledge of the breach, or of reasonable belief that it has occurred.[22]

The NPC may investigate the breach, depending on its nature or if there is a delay or failure to notify. Inquiries may include on-site examination of systems and procedures.[23]

Improper access, whether intentional or through negligence, unauthorized processing, handling, or disposal of personal or sensitive personal information, and other unlawful acts are penalized as follows:

Unlawful Act | Penalty
Unauthorized Processing of Personal Information [RA 10173, Section 25 (a)] | Imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)
Unauthorized Processing of Sensitive Personal Information [RA 10173, Section 25 (b)] | Imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00)
Accessing Personal Information Due to Negligence [RA 10173, Section 26 (a)] | Imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)
Accessing Sensitive Personal Information Due to Negligence [RA 10173, Section 26 (b)] | Imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00)
Improper Disposal of Personal Information [RA 10173, Section 27 (a)] | Imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00)
Improper Disposal of Sensitive Personal Information [RA 10173, Section 27 (b)] | Imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00)
Processing of Personal Information for Unauthorized Purposes [RA 10173, Section 28 (a)] | Imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)
Processing of Sensitive Personal Information for Unauthorized Purposes [RA 10173, Section 28 (b)] | Imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)
Unauthorized Access or Intentional Breach [RA 10173, Section 29] | Imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)
Concealment of Security Breaches Involving Sensitive Personal Information [RA 10173, Section 30] | Imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)
Malicious Disclosure [RA 10173, Section 31] | Imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)
Unauthorized Disclosure of Personal Information [RA 10173, Section 32 (a)] | Imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)
Unauthorized Disclosure of Sensitive Personal Information [RA 10173, Section 32 (b)] | Imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)
Combination or Series of Acts [RA 10173, Section 33] | Imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00)

What is the purpose of the Data Privacy Act of 2012?

The Data Privacy Act of 2012, or Republic Act No. 10173, is a law that the Philippine Congress enacted to protect the individual's personal data, whether sensitive or otherwise, in the information and communications systems of the government and of the private sector. For this purpose, the statute creates a National Privacy Commission.

The purpose of the Data Privacy Act of 2012, or Republic Act No. 10173, under its declaration of policy is “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” (Republic Act. No. 10173, Chapter 1, Section 2).[24]

Furthermore, the law regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of personal data, and ensures that the Philippines complies with international standards set for data protection through the National Privacy Commission (NPC).

The National Privacy Commission (NPC) was created by virtue of the Act to oversee the administration and implementation of the Data Privacy Act of 2012 (DPA); it is also tasked with monitoring and ensuring the Philippines' compliance with international standards for personal information protection.

How can an individual violate the Data Privacy Law?

Under the Data Privacy Act of 2012 (DPA), an individual can violate the law and be penalized if he/she is involved in any of the following:

(a) Unauthorized processing of personal information and sensitive personal information, where he/she processes personal information without the consent of the data subject, or without being authorized under the Act or any existing law;[25]

(b) Accessing personal information and sensitive personal information due to negligence, where he/she, through negligence, provided access to personal information without being authorized under the Act or any existing law;[26]

(c) Improper disposal of personal information and sensitive personal information, where he/she knowingly or negligently disposes, discards, or abandons the personal information of an individual in an area accessible to the public, or has otherwise placed the personal information of an individual in its container for trash collection;[27]

(d) Processing of personal information and sensitive personal information for unauthorized purposes, where he/she processes personal information for purposes not authorized by the data subject or otherwise authorized under the Act or under existing laws;[28]

(e) Unauthorized access or intentional breach, where he/she knowingly and unlawfully, or in violation of data confidentiality and the security of data systems, breaks in any way into any system where personal and sensitive personal information is stored;[29]

(f) Concealment of security breaches involving sensitive personal information, where he/she, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach;[30]

(g) Malicious disclosure, where he/she, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her;[31]

(h) Unauthorized disclosure, where he/she discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject.[32]

Can you sue for privacy breach?

One can sue for a privacy violation, specifically for a personal data breach. As advised on the National Privacy Commission (NPC) website, “If you feel that your personal data has been misused, maliciously disclosed, or improperly disposed, or if any of the rights discussed here have been violated, the data subject has a right to file a complaint with us.”

Furthermore, under National Privacy Commission (NPC) Circular 16-03, Personal Data Breach Management, a personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

A personal data breach may be in the nature of:[33]

(1) An availability breach resulting from loss, accidental or unlawful destruction of personal data;

(2) An integrity breach resulting from alteration of personal data; and/or

(3) A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.

In case of a data breach, the law requires notification to the NPC and the data subject within 72 hours of knowledge of the breach, or of reasonable belief that it has occurred.[34] The NPC may investigate the breach, depending on its nature or if there is a delay or failure to notify. Inquiries may include on-site examination of systems and procedures.[35]

When you screenshot a conversation and send it to another person, is it a violation of the Data Privacy Act?

The National Privacy Commission (NPC) issued an advisory opinion on this question on November 4, 2020. Liability, or whether there is a breach at all, depends on what the screenshot captures.

If the screenshot includes personal data, such as a name or an address, or sensitive personal information like school or medical records, the sender may be held liable for unauthorized processing. This means a fine of at least P500,000 and imprisonment of at least one (1) year.

According to the NPC, when someone sends a screenshot to another individual, it is considered processing. Nonetheless, for it to fall under the scope of Philippine data privacy laws, it must contain personal data: “if the conversation/screenshot itself allows for the identification of the parties.”[36]

“If it is simply the content of the conversation, with names and other identifiers redacted or cropped out of the conversation, it might not be within the scope of the DPA,” the NPC said in its Advisory Opinion 2020-043.[37]

Personal information is defined under the Data Privacy Act as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”[38]

Can you refuse a website collecting data and information from you?

Under the Data Privacy Act of 2012 (DPA), “Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn.”[39]

Consent of the data subject under the Act “refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information.[40]

Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative, or an agent specifically authorized by the data subject to do so.”[41] Meanwhile, a “Data subject refers to an individual whose personal, sensitive personal, or privileged information is processed.”[42]

Furthermore, the law provides that “Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.”[43]

Thus, as part of his/her fundamental right to privacy, an individual can refuse a website collecting data and information from him/her.

Final Thoughts

The Data Privacy Act of 2012, or Republic Act No. 10173, is a comprehensive and strict piece of privacy legislation. It strengthens the country's privacy and security protections by protecting individual personal information in the information and communications systems of the government and the private sector.

This legislation complements and effectively safeguards the individual's right to privacy, including privacy of his personal information and circumstances, whether the same are sensitive or not.

However, this law is still relatively new to the majority: it was enacted only in 2012, the National Privacy Commission (NPC) was formally organized only in 2016, and the IRRs and circulars were issued that same year.

That is why, even today, Filipinos say they are worried about how companies will use the data they put online. Added to these woes, even big companies have been found not to be complying with the mandate and directives of RA 10173, the Data Privacy Act, perhaps because a lack of awareness hampers them in faithfully observing the law.

Hence, as a recommendation, the National Privacy Commission (NPC), as the regulatory body tasked with putting life and teeth into the law, should bolster its administration and implementation.

As data providers and Filipino citizens, we need to know our rights, be informed on how our private data should be handled, and do our part to protect the basic and fundamental human right of privacy and of communication.

  1. RA 10173
  2. Ibid.
  3. Section 2, RA 10173
  4. Know Your Data Privacy Rights, National Privacy Commission [NPC]
  5. Section 4, RA 10173
  6. Section 6, RA 10173
  7. Id., Sec. 6[a]
  8. Id., Sec. 6[b]
  9. Id., Sec. 6[b1]
  10. Id., Sec. 6[b2]
  11. Id., Sec. 6[b3]
  12. Id., Sec. 6[c]
  13. Id., Sec. 6[c1]
  14. Id., Sec. 6[c2]
  15. Section 16 [a], RA 10173
  16. Section 16 [b] and [c], RA 10173
  17. Section 16 [d], RA 10173
  18. Section 16 [e], RA 10173
  19. Section 16 [f], RA 10173
  20. Section 16 [d (second part)], RA 10173
  21. Section 18, RA 10173
  22. NPC Circular 16-03, Personal Data Breach, Section 18
  23. Id., Section 21
  24. Supra.
  25. RA 10173, Section 25
  26. Id., Section 26
  27. Id., Section 27
  28. Id., Section 28
  29. Id., Section 29
  30. Id., Section 30
  31. Id., Section 31
  32. Id., Section 32
  33. Availability, Integrity and Confidentiality of Personal Data, Section 7, NPC Circular 16-03
  34. Section 18, Supra.
  35. Section 21, Supra.
  36. Privacy Policy Office, Advisory Opinion No. 2020-043
  37. Ibid.
  38. Section 3[g], RA 10173
  39. Section 19 [a1], General principles in collection, processing and retention, IRR of RA 10173
  40. Section 3 [b], RA 10173
  41. Id.
  42. Section 3 [c], Id.
  43. Section 19 [b1], General principles in collection, processing and retention, IRR of RA 10173
RALB Law | RABR & Associates Law Firm

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
RALB Law

You cannot copy content of this page