On August 15, 2012, Philippines President Benigno S. Aquino III signed the Data Privacy Act of 2012 passed earlier this year by the Philippine Senate and House of Representatives. Concerns about the creation of the National Privacy Commission and the criminal penalties associated with the Act delayed final enactment.

The Data Privacy Act of 2012 is a traditional data protection law that establishes privacy as a fundamental human right. The Act creates a National Privacy Commission comprised of a Privacy Commissioner and two Deputy Privacy Commissioners who are vested with broad powers to implement the Act and process complaints from the public. The Commission is empowered to approve codes of conduct and issue cease and desist orders. The Commission may recommend that the Department of Justice prosecute cases and impose penalties, which could include up to six years in prison for the unauthorized processing of sensitive personal information.

The Act requires that personal information be processed lawfully, and establishes individual privacy rights based on traditional fair information practices of notice, consent, access and correction. The law applies generally to data collected in the Philippines or about Philippine citizens or residents where there is a nexus to the Philippines, though there are several important exceptions. Notably, the Act could encompass the outsourced collection of information from the Philippines as the scope of the Act includes “those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines…” subject to certain exceptions.

The Act establishes certain rights of the data subject, such as the right to be informed of the purposes of the processing of personal information. Section 19 of the Act, however, notes that the rights of the data subject are not applicable if “personal information are used only for the needs of scientific and statistical research” if the results of the processing do not directly impact the individual. Purpose specification requirements, however, limit the utility of this provision as it relates to big data applications.

Data transfers from the Philippines are governed by an accountability principle that states, “[e]ach personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.” This provision establishes the basis for the implementation of the APEC Cross-Border Privacy Rules.

The National Privacy Commission is required to draft rule and regulations to implement the requirements of the Act within 90 days of the effective date of the Act, and organizations must comply within one year of the date those rules and regulations become effective.