R.A. No. 10173 or the Data Privacy Act of 2012

The Data Privacy Act of 2012 (Republic Act No. 10173) is the primary law in the Philippines that governs the collection, processing, and storage of personal data in both the public and private sectors. It is a comprehensive law designed to protect the privacy of individuals and ensure the free flow of information to promote innovation and growth. The law applies to all forms of personal data, whether in physical or digital form, and establishes various rights for data subjects and obligations for data controllers and processors. Here's a detailed breakdown of the key aspects related to the Act:

I. Objectives of the Data Privacy Act

1. Protect the Fundamental Human Right to Privacy: The Data Privacy Act upholds the right to privacy of communication and correspondence as enshrined in Section 3(1), Article III of the Philippine Constitution, which protects the privacy of communication from unlawful intrusion.

2. Regulate the Collection, Use, and Processing of Personal Data: It seeks to regulate how personal data is collected, used, stored, disclosed, and disposed of, ensuring that individuals’ personal data is not misused or unlawfully disclosed.

3. Ensure Data Security: The law emphasizes the importance of maintaining security in handling personal information, particularly against unauthorized access, modification, or destruction.

II. Scope of the Data Privacy Act

1. Territorial Scope: The Data Privacy Act applies to both government and private sector entities located within the Philippines that process personal data. It also applies to entities outside the Philippines if they use equipment located in the country or process the personal data of Philippine citizens and residents.

2. Entities Covered:

   • Personal Information Controllers (PIC): These are entities that control the processing of personal data, such as corporations, organizations, or individuals.
   • Personal Information Processors (PIP): These are entities or individuals that process data on behalf of PICs.

3. Exclusions: The Act does not apply to the following:

   • Personal, family, or household activities.
   • Journalistic, artistic, literary, or research purposes.
   • Information about government officials in relation to their official functions.
   • Data processed for the national security, public order, and safety of the country.
   • Law enforcement, if duly authorized under existing laws.

III. Key Definitions Under the Data Privacy Act

1. Personal Data: Information, whether recorded or not, from which the identity of an individual can be reasonably and directly ascertained or, when put together with other information, would make an individual identifiable.

2. Sensitive Personal Information: Information related to an individual's race, ethnic origin, marital status, age, health, education, genetic or sexual life, government-issued identifiers (such as social security number), and financial data.

3. Privileged Information: Any and all forms of data that are considered privileged under existing laws (e.g., attorney-client communications).

IV. Data Privacy Principles

The Act imposes a set of principles that data controllers and processors must adhere to when handling personal data:

1. Transparency: Personal data processing must be fully transparent to the data subject. The data subject must be aware of how, why, and what personal data is being processed.

2. Legitimate Purpose: The data collected must be for a legitimate purpose that is clearly communicated to the data subject, and the data must be processed in a manner compatible with that purpose.

3. Proportionality: Only personal data that is necessary for the declared purpose should be collected, and it should not be retained longer than necessary.

V. Rights of Data Subjects

The Data Privacy Act grants individuals specific rights concerning their personal data:

1. Right to Be Informed: Individuals have the right to be informed whether their personal data is being processed, including the purpose of such processing, the data being collected, and other related information.

2. Right to Access: Data subjects have the right to access the personal data being held about them and be informed about how this data has been processed.

3. Right to Rectification: If the data subject finds inaccuracies in their personal data, they have the right to have it corrected without undue delay.

4. Right to Erasure or Blocking: Data subjects can demand the deletion or blocking of their personal data if it is unlawfully processed or if it is no longer necessary for the purpose for which it was collected.

5. Right to Object: Individuals can object to the processing of their personal data, especially for purposes such as direct marketing or profiling.

6. Right to Data Portability: Data subjects have the right to receive a copy of their data in a structured, commonly used, and machine-readable format.

7. Right to File a Complaint: The data subject can lodge a complaint with the National Privacy Commission (NPC) in case of a violation of their privacy rights.

8. Right to Damages: Individuals are entitled to claim compensation for any damage caused by the unlawful processing of their personal data.

VI. Obligations of Personal Information Controllers (PIC) and Personal Information Processors (PIP)

1. Compliance with Data Privacy Principles: PICs and PIPs must strictly comply with the principles of transparency, legitimate purpose, and proportionality when processing personal data.

2. Implementation of Security Measures: Entities must implement reasonable and appropriate organizational, physical, and technical measures to secure personal data against breaches, unauthorized access, and other risks.

3. Notification of Data Breach: In case of a breach of personal data, the PIC must inform the NPC and the affected data subjects within 72 hours of discovering the breach.

4. Appointment of a Data Protection Officer (DPO): Every entity processing personal data is required to appoint a Data Protection Officer who ensures compliance with the law and manages data protection issues.

5. Data Processing Agreement: Where a PIC contracts with a PIP for data processing, a contract ensuring compliance with data privacy standards must be executed between the parties.

VII. Security Measures and Breach Notification

The Data Privacy Act outlines stringent security measures to safeguard personal data. These include:

1. Organizational Security: Establishing clear policies and procedures for data management and protection, and ensuring that employees handling personal data are adequately trained.

2. Physical Security: Implementing access controls to prevent unauthorized physical access to personal data storage facilities, whether on-premises or remote.

3. Technical Security: Employing measures such as encryption, secure storage, and access control to protect personal data in electronic form.

4. Data Breach Notification: If a breach occurs, the PIC must notify the NPC and affected individuals if the breach is likely to affect their rights and freedoms. This notification should include the nature of the breach, the personal data involved, and actions taken to mitigate the breach.

VIII. Enforcement and Penalties

The law grants the NPC powers to investigate and enforce compliance with the Act. Violators of the Data Privacy Act face civil, criminal, and administrative liabilities:

1. Criminal Penalties: The Act provides for imprisonment of up to six (6) years and fines of up to five million pesos (₱5,000,000) for violations such as unauthorized processing, accessing, or disclosing personal data, and concealment of breaches.

2. Administrative Penalties: The NPC can impose administrative fines and sanctions, such as revoking or suspending licenses, depending on the gravity of the violation.

3. Civil Liability: Data subjects who suffer damages due to non-compliance with the Act may seek compensation.

IX. Role of the National Privacy Commission (NPC)

The National Privacy Commission is the primary enforcement body under the Data Privacy Act. Its roles include:

1. Monitoring Compliance: Ensuring that entities comply with the Data Privacy Act and its implementing rules and regulations.

2. Adjudicating Complaints: Handling complaints filed by data subjects and imposing penalties for violations.

3. Issuing Guidelines: Issuing rules, guidelines, and advisory opinions to clarify the application of the Data Privacy Act.

X. Relationship with the Constitution and the Bill of Rights

The Data Privacy Act of 2012 operationalizes the constitutional guarantee under Article III, Section 3 of the 1987 Constitution, which provides for the privacy of communication and correspondence. The Act complements this constitutional right by regulating the collection, processing, and management of personal data in modern information systems, providing a legal framework that balances the individual's right to privacy with the demands of technological and economic advancement.

Conclusion

R.A. No. 10173, the Data Privacy Act of 2012, is a comprehensive legislative measure aimed at protecting individuals' personal data from misuse while ensuring that the free flow of information is not unduly restricted. The law’s extensive provisions on data subject rights, data controller and processor obligations, security measures, and breach notification reflect the country’s commitment to protecting privacy in the digital age. Compliance with this law is vital for both public and private entities that handle personal information, and the enforcement powers granted to the National Privacy Commission ensure that individuals’ rights are adequately protected.