Recently, the National Privacy Commission (the “Commission”) of the Philippines published the final text of its Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “IRR”). The IRR has a promulgation date of August 24, 2016, and went into effect 15 days after its publication in the Official Gazette.
We previously reported on the preceding draft text of the IRR. There are several points of interest that were resolved in the final text, which presents a more practical framework than had been proposed in the draft IRR. Any changes to the final IRR will require a regulatory amendment by the Commission rather than an act of the legislature.
Some points of interest that have been resolved or finalized include the following:
- The IRR has two separate defined terms, “personal data” and “personal information,” but the potential discrepancy between the two terms has been resolved. “Personal information” refers to information which can identify a particular individual, and is consistent with the definition provided in the statute. “Personal data” is defined as all types of “personal information,” which presumably includes both “ordinary” personal information and sensitive personal information.
- The draft IRR had used the term “personal data” to describe “personal information” that has been input into an information and communication system, which would mean “personal information” that has been digitally and electronically formatted. This definition no longer appears in the final IRR. In addition, the terms “personal information” and “personal data” are now used more consistently in relation to their definitions. This may result in less ambiguity and a lower prospect of confusion from the use of the two terms.
- The final IRR has now been made consistent with a provision in the original statute which stated that the Data Privacy Act would not apply to personal information collected in a foreign jurisdiction (in compliance with the laws or rules of that jurisdiction) which is being processed in the Philippines. The draft IRR had provided that, in such instances, the data privacy laws of the foreign jurisdiction would apply in relation to the collection of personal information, while the Philippine Data Privacy Act would apply to processing that takes place within the Philippines. This would have entailed a complex analysis as to where collection-related obligations under the foreign jurisdiction end and where processing-related obligations under Philippine law begin, and how the two sets of legal obligations might intersect.
- The final IRR requires that, even where personal information has been collected in a foreign jurisdiction for processing in the Philippines, the Philippine requirements to implement information security measures will still apply. This will impose some security-related costs on that portion of the information-processing operations that take place within the Philippines.
- The final IRR requires that sharing of personal data in the private sector proceeds according to a data sharing agreement. The data sharing agreement may be subject to review by the Commission on its own initiative or following a complaint of a data subject. The draft IRR might have been interpreted to require review by the Commission in all instances, which would have imposed a substantial burden on all sharing of personal data, as well as a burden on the resources of the Commission itself.
- The final IRR sets forth rules on the internal organizational operations and structure of personal information controllers, such as requirements to (1) appoint a privacy officer, (2) maintain records of processing activities, (3) implement physical security measures and technical security measures, and (4) carry out regular monitoring for security breaches. However, these obligations only apply “where appropriate.” The draft IRR might have been interpreted to require compliance in all instances. Where and when these potentially complicated requirements will be “appropriate” will depend on a number of factors, including the nature of the personal data, the risks posed by the processing, the size and complexity of the organization and its operations, current best practices, and the cost of security implementation.
- The final IRR gives the data subject an additional right to object or withhold consent to processing. This appears to be a new right that did not appear in the original text of the statute. This right is substantially retained from the draft IRR, with changes to specifically allow the data subject to object to processing for direct marketing, automated processing or profiling.
- The final IRR provides more clarity on the notification requirements in connection with a data breach. Individuals must be notified of data breaches only when both (1) sensitive personal information or information that may be used to enable identity fraud is involved; and (2) the personal information controller believes that the breach is likely to pose a real risk of serious harm to any affected data subject.
- If the notification requirement does apply, the notification must be made within 72 hours, though notification may be delayed in certain limited circumstances. The final IRR stipulates the categories of content that must appear in the notification.
- The requirement under the draft IRR to notify affected individuals in the event of any breach that involves personal, sensitive or privileged information has been removed. That had been a material expansion of the circumstances under which a breach notification had to be made. By removing this requirement, the final IRR keeps the notification requirement within a relatively restricted range of circumstances. However, written reports of security incidents and personal data breaches have to be prepared and a summary has to be provided to the Commission on an annual basis. This amounts to a less onerous notification obligation.
- In summary, the data breach notification requirement is now more clearly subject to a “risk-based approach” (i.e., the requirement to notify does not arise automatically, but arises instead on a case-by-case basis depending on an evaluation of the risk involved). Only data breaches that involve higher levels of risk must be notified.
- The final IRR has requirements to register data processing operations and to notify the Commission of automated processing operations, but these now apply only in particular circumstances. The requirement to register with the Philippine data protection authority only applies to processing by personal information controllers and processors which employ 250 or more persons, or to processing that involves risk to the rights and freedoms of data subjects, takes place more than occasionally, or involves more than a de minimis amount (at least 1,000 individuals) of sensitive personal information. The requirement to notify individuals of data processing only applies to processing that is the sole basis of decision making that would significantly affect the data subject.
- The draft IRR required both universal registration and notification. This would have both increased the burden of processing data and contrasted with the international trend (i.e., the new EU General Data Protection Regulation, which modifies the registration requirements of the previous EU Data Protection Directive).
- In relation to the accountability principle, the final IRR makes generalized references to the possibility of indemnification on the basis of applicable provisions of Philippine civil law and criminal liability. The final IRR now avoids the discussion of the potential for joint liability, along with the personal information controller, on the part of personal information processors, privacy officers, employees and agents, which had appeared in the draft IRR.
The following additional items are worth noting:
- The requirements in the final IRR to notify data subjects (at the time of the collection of their personal information) now include an obligation to provide “meaningful information” about the “logic” that will be involved in processing personal information. Requiring that this be done for each and every instance in which personal information is to be collected and processed, and in a way that would satisfy a regulatory authority and the lawyer drafting the notice, is challenging.
- The final IRR contains a provision stating that personal data may not be retained in perpetuity in contemplation of a future use yet to be determined. This may have potential to impair the processing of “big data” in the Philippines.
- The draft IRR had established a right of data portability. The final IRR seems to restrict the applicability of this right, by making it apply only where the data subject’s personal information is processed by electronic means and in a structured and commonly-used format. This would seem to enable data processors and controllers to avoid an obligation to comply with this right, by processing personal data using unstructured or unusual formats.
- The draft IRR had prohibited the processing of privileged information (i.e., private communications made between an individual and his or her lawyer in preparation for litigation), unless the same requirements applicable to the processing of sensitive personal information had been satisfied. While this provision may be potentially problematic, the final IRR mitigates this by providing an exception for uses of privileged information in the context of court proceedings, legal claims and constitutional or statutory mandates. It is not clear if this exception will be adequate to cover all possible situations where an exception will be needed, but further amendments to the IRR could be made to address any shortcomings.
- In relation to the accountability principle, the final IRR discusses the idea of liability, but does not discuss other aspects of the principle. In particular, the final IRR does not establish rules by which a personal information controller might establish that it observes good internal data handling practices and demonstrate that it complies with applicable standards, or by which the Commission would require production and review of these practices against its standards. The final IRR also does not discuss how to apply the accountability principle in the context of cross-border data transfers; while a provision of the IRR discusses data sharing, it does not appear to describe what a company must do to share data internationally in accordance with the IRR.