To download the Data Privacy Q&A guide, please click here.
To see other released Data Privacy Q&A guides on separate jurisdictions, please click here.
Is there a data privacy law in the jurisdiction of the Philippines? If yes, is it implemented? If no, what laws are relied on?)
Yes. The Philippines has a data privacy law, which is Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA Law). The corresponding implementing rules and regulations (IRR) of the DPA Law was issued in 2016.
What significant legal instruments relating to data protection are currently pending? If any, what are the timelines?
There are pending bills filed in the lower house or the House of Representatives (HOR), which was consolidated into House Bill No. 9651, seeking to amend the DPA Law. The amendments are intended strengthen the regulatory framework on data privacy protection and align the provisions of the DPA Law with international standards, among others.
As of July 2021, House Bill No. 9651 is pending approval of the HOR Committee on Rules to substitute the bills earlier filed.
Unless declared a priority legislation, House Bill No. 9651 is not likely to pass into law this year as the current congress has less than a year left and a version of the amendatory bill is not yet filed with the Senate of the Philippines.
To whom does Philippine Data Protection Laws apply to?
The DPA Law applies to the processing of all types of personal information in the Philippines, including those who, although not founded/established in the Philippines, use equipment that are located in the Philippines. It does not apply to the following:
a. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
• The fact that the individual is or was an officer or employee of the government institution;
• The title, business address and office telephone number of the individual;
• The classification, salary range and responsibilities of the position held by the individual; and
• The name of the individual on a document prepared by the individual in the course of employment with the government;
b. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
c. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
d. Personal information processed for journalistic, artistic, literary or research purposes;
e. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.
f. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with the Anti-Money Laundering Act and other applicable laws; and
g. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
Who are the relevant regulatory and enforcement authorities in the Philippines with regards to personal data protection?
The DPA Law established the National Privacy Commission (NPC), which is tasked to implement the law, among others. The NPC periodically releases advisories and advisory opinions on the interpretation and/or application of the DPA Law.
How is personal data/personal information defined in the Philippines?
The DPA Law defines Personal Information (PI) as such information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual.
Is there a distinction between personal data/personal information and sensitive data/sensitive personal information under the DPA Law?
Yes. The DPA Law enumerates the following as sensitive personal information (SPI):
b. Ethnic origin
c. Marital status
f. Religious, philosophical or political affiliations
g. Health, education, genetic or sexual life
h. Proceeding for any offense committed or alleged to have been committed by an individual
i. Government-issued identification including tax returns, licenses or its denials, suspension or revocation
j. Matters established by an executive order or an act of Congress to be kept classified
What is the consent requirement in the Philippines?
The consent must be freely given, specific and informed where the data subject agrees to the collection and processing of personal information. The consent must be evidenced by written, electronic or recorded means.
In case of SPI, the data subject must give consent specific to the purpose prior to the processing.
What restrictions are there for cross-border transfer of personal data?
The DPA Law currently does not set any restriction on the cross-border transfer of personal data. As long as the data subject consents to the cross-border transfer of personal information, the same will be compliant with the provisions of DPA Law. The NPC is also given the authority to perform acts necessary to facilitate cross-border enforcement of data privacy protection.