Philippines Puts Key Privacy Rules in Place but NPC Faces Pressure
(2016) 143 Privacy Laws & Business International Report, 19-21
5 Pages Posted: 10 Jan 2017 Last revised: 13 Jul 2018
Date Written: September 30, 2016
Philippines’ President Rodrigo Duterte, in office since June 30 2016, has a reputation for supporting extra-judicial executions. The Philippines’ new National Privacy Commission (NPC), only appointed in March 2016, by Duterte's predecessor, took swift steps to bring the Philippines Data Privacy Act (DP Act), dormant since enactment in 2012, into force.
On 25 August 2016 the NPC issued the finalized Implementing Rules and Regulations (IRRs) necessary for the Act to become effective. However, three days before the NPC issued the IRRs, Duterte purported to require the resignation of all its members.
This article provides a brief account of the effect of the IRRs on the Data Privacy Act, the NPC’s issuing of data breach notification rules (its other most significant action to date), and the implications of the attempted forced resignation of the Commission members.
It is arguable that the IRRs do add some substantive new obligations (but fewer or less onerously than the draft IRRs), in such areas as requirements for data sharing agreements to be approved by the NPC, and a right for data subjects to object or withhold consent to processing, particularly in relation to direct marketing, automated processing or profiling. The IRRs also add many other essential details as to how the Act will operate.
Prior to issuing the IRRs, the NPC also issued a draft Rules of Procedure for Data Breach Notification and Other Responsibilities.
Businesses across the world are using the Philippines for outsourced data processing, and many may do so on the assumption that the Philippines has effective (or at least operative) data privacy laws, plus at least some adherence to the rule of law. All businesses using or considering data processing in the Philippines need to understand fully the contexts in which their work is being carried out, and consider the implications. Although their initial actions are commendable, the NPC's enforcement of the Act will need to be kept under close scrutiny until it becomes clear that the Philippines does in fact have a functioning Data Privacy Act.
Keywords: privacy, data protection, Philippines, Asia, data breach notification
Suggested Citation: Suggested Citation