On March 20, 2012, the Senate of the Philippines unanimously approved the omnibus Data Privacy Act of 2011, also known as “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Data Protection Commission, and for Other Purposes” (S.B. 2965). Once signed into law, the legislation will impose a privacy regime modeled on the EU Data Protection Directive. It features significant notice, consent and data breach notification requirements, and it imposes direct obligations on both data controllers and data processors. The law will create a National Privacy Commission with authority to monitor compliance and recommend to the Department of Justice the imposition of penalties for noncompliance, including imprisonment and fines.

Although the bill does not contain cross-border data transfer restrictions, the law will apply to certain foreign processing of personal information about Philippine residents. In an apparent effort to protect the domestic outsourcing industry, however, the law will not apply to “personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.”