A Stronger Data Privacy Law Sought in Proposed Amendments

Amendments to Republic Act No. 10173, known as the Data Privacy Act of 2012 (DPA), are sought
to strengthen the current law amid the digital transformation in the Philippines.

During the 55th Asia Pacific Privacy Authorities (APPA) Forum, Privacy Commissioner
Raymund Enriquez Liboro said that the House of Representatives – Committee on Information
and Communications Technology, has approved the substitute bill to amend the DPA last
February 4, 2021.

Efforts to amend the DPA began in the last quarter of 2019. The substitute bill grants additional
powers to the National Privacy Commission (NPC). It gives the authority to issue summons,
subpoenas, contempt powers, and to impose administrative penalties.

“In the last five years, the National Privacy Commission has laid down data privacy in the
Philippines with a clear roadmap. In our drive to become a data privacy resilient country, we
have adopted a responsive regulatory approach characterized by raising awareness, strict
compliance, and enforcing the law. To do this, we find a need to amend the current DPA to keep
up with the changing times,” Commissioner Liboro said in his speech at the APPA 55, which was
held virtually last June 16-18 and hosted by the Personal Information Protection Commission of

Other provisions of the substitute bill:

  • Redefining “sensitive personal information” to include biometric and genetic data, and
    political affiliation, considering the innate sensitivity of these classes of personal data.
  • Clarification on extraterritorial application of the DPA by specifying clear instances when
    processing personal data of Philippine citizens and/or residents is concerned. This
    ensures the end-to-end protection of data subjects’ information (i.e., offering of goods or
    services, or monitoring of behavior within the Philippines or when the entity has a link
    with the country), to which they are entitled under the DPA.
  • Define the digital age of consent to process personal information to more than fifteen (15)
    years, applicable where information society services are provided and offered directly to 5th Floor Delegation Building, Philippine International Convention Center (PICC) Complex, Pasay City 1307
    URL: http://privacy.gov.ph Email Add: [email protected]
    a child (as children more than 15 years old under Philippine laws may already act with
  • Inclusion of performance of a contract as a new criterion of the lawful basis for processing
    of sensitive personal information.
  • Allowing Personal Information Controllers (PICs) outside of the Philippines to authorize
    Personal Information Processors (PIPs) in the country to report data breaches to the
    Commission on behalf of the controller.
  • Modifying criminal penalties under the DPA, giving the proper courts the option to
    impose either imprisonment or fine upon its sound judgment.

Shifting gears in new normal

Aside from the proposed amendments to the DPA, the NPC is set to introduce administrative
fines to strengthen data privacy accountability and build data privacy resilience among PICs and

The NPC presented in the Forum the Digital Identity, e-Commerce, and e-Governance in the
Philippines and ASEAN, highlighting the Commission’s efforts in assisting the development of
the law and its IRR to ensure the people’s right to privacy.

The NPC also presented its efforts to curb harmful handling of citizens’ personal data such as the
Commission’s issuances and guidance to the public as part of the COVID-19 response and the
Kabataang Digital, the NPC’s advocacy campaign promoting a safe online environment for the
youth. Also discussed are the guidelines expressly prohibiting the harvesting of contact lists of
borrowers for debt collection through harassment; guidelines promoting the use of
videoconferencing technology or e-hearing to hear cases; and the amended Rules of Procedure to
streamline the Commission’s complaints process.

“The NPC, despite the pandemic, has shifted gears and embraced the new normal of resolving
data privacy complaints. We commenced Project Decongestion 2.0, refining our strategy in
handling our case dockets clogged with thousands of individual complaints,” Commissioner
Liboro said.

Designations from the following jurisdictions joined APPA 55: the NPC; Office of the Australian
Information Commissioner; Office of the Information and Privacy Commissioner, British
Columbia; Office of the Privacy Commissioner of Canada; Privacy Commissioner for Personal
Data, Hong Kong, China; Personal Information Protection Commission, Japan; Personal
Information Protection Commission, Republic of Korea; Korea Internet & Security Agency; Office
for Personal Data Protection, Macao SAR, China; National Institute for Transparency, Access to
Information and Personal Data Protection, Mexico; Office of the Privacy Commissioner, New
Zealand; National Authority for Personal Data Protection of Peru; Office of the Information 5th Floor Delegation Building, Philippine International Convention Center (PICC) Complex, Pasay City 1307
URL: http://privacy.gov.ph Email Add: [email protected]
Commissioner, Queensland; Personal Data Protection Commissioner, Singapore; Federal Trade
Commission, United States; and Office of the Victorian Information Commissioner.

APPA is acknowledged as the principal forum for privacy and data protection authorities in the
Asia Pacific region. Some of the topics at APPA 55 is about data protection measures as part of
the response to COVID-19, privacy issues encountered in the new normal, updates on global
privacy developments, and children’s privacy.