Philippines Puts Key Privacy Rules in Place but NPC Faces Pressure

(2016) 143 Privacy Laws & Business International Report, 19-21

UNSW Law Research Paper No. 17-8

5 Pages Posted: 10 Jan 2017 Last revised: 13 Jul 2018

See all articles by Graham Greenleaf

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: September 30, 2016


Philippines’ President Rodrigo Duterte, in office since June 30 2016, has a reputation for supporting extra-judicial executions. The Philippines’ new National Privacy Commission (NPC), only appointed in March 2016, by Duterte's predecessor, took swift steps to bring the Philippines Data Privacy Act (DP Act), dormant since enactment in 2012, into force.

On 25 August 2016 the NPC issued the finalized Implementing Rules and Regulations (IRRs) necessary for the Act to become effective. However, three days before the NPC issued the IRRs, Duterte purported to require the resignation of all its members.

This article provides a brief account of the effect of the IRRs on the Data Privacy Act, the NPC’s issuing of data breach notification rules (its other most significant action to date), and the implications of the attempted forced resignation of the Commission members.

It is arguable that the IRRs do add some substantive new obligations (but fewer or less onerously than the draft IRRs), in such areas as requirements for data sharing agreements to be approved by the NPC, and a right for data subjects to object or withhold consent to processing, particularly in relation to direct marketing, automated processing or profiling. The IRRs also add many other essential details as to how the Act will operate.

Prior to issuing the IRRs, the NPC also issued a draft Rules of Procedure for Data Breach Notification and Other Responsibilities.

Businesses across the world are using the Philippines for outsourced data processing, and many may do so on the assumption that the Philippines has effective (or at least operative) data privacy laws, plus at least some adherence to the rule of law. All businesses using or considering data processing in the Philippines need to understand fully the contexts in which their work is being carried out, and consider the implications. Although their initial actions are commendable, the NPC's enforcement of the Act will need to be kept under close scrutiny until it becomes clear that the Philippines does in fact have a functioning Data Privacy Act.

Keywords: privacy, data protection, Philippines, Asia, data breach notification

Suggested Citation

Greenleaf, Graham, Philippines Puts Key Privacy Rules in Place but NPC Faces Pressure (September 30, 2016). (2016) 143 Privacy Laws & Business International Report, 19-21, UNSW Law Research Paper No. 17-8, Available at SSRN:

Graham Greenleaf (Contact Author)

University of New South Wales, Faculty of Law ( email )

Sydney, New South Wales 2052
+61 2 9385 2233 (Phone)
+61 2 9385 1175 (Fax)


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics