Philippines Appoints Privacy Commission in Time for Mass Electoral Data Hack
(2016) 141 Privacy Laws & Business International Report, 22-23
3 Pages Posted: 17 Aug 2016
Date Written: May 30, 2016
The Philippines Data Privacy Act 2012 (DP Act) was signed into law by President Benigno Aquino on 15 August 2012, and (in theory) came into effect 15 days after its publication (s. 45). The Act remained dormant, because until a National Privacy Commission (NPC) was appointed, and made Implementing Rules and Regulations (IRR), very few of its provisions were enforceable, and none were enforced. After nearly four years, the NPC has finally been appointed, and has taken up its role at a time of change of Presidents, combined with a massive data breach at the country’s electoral commission (Comelec). Less than four months before the expiry of his Presidential term, Aquino finally appointed the three-person Commission, each for a three year term. Just after the NPC’s appointment, the Commission on Elections (Comelec) website was hacked and defaced, and its database containing personal identifiable information of 55 million voters was copied and posted online. This article surveys this changed landscape, and the implications for businesses of the delayed coming into force of the Philippines’ law.
The NPC must make implementing rules and regulations (IRRs) within 90 days of its appointment, by early June 2016, and it will be another year before businesses and agencies must comply. The significance of the IRRs, the powers of the Commission, and the implications for businesses, are explained.
Keywords: privacy, data protection, Philippines, Asia, DPA, Privacy Commission
Suggested Citation: Suggested Citation