NPC is set to impose administrative fines

The National Privacy Commission (NPC) is set to impose administrative fines on data privacy violations of personal information controllers or processors from the private sector. A separate initiative for government agencies is also underway with the NPC holding consultations with the Civil Service Commission.

The NPC presented the draft circular on the guidelines on administrative fines to concerned organizations and stakeholders in an online public consultation on April 30, 2021. The Commission made it clear that the proposed fines are separate from the criminal penalties and fines provided under the Data Privacy Act (DPA) and its implementing rules and regulations.

Together with the University of the Philippines (UP) Law Center and an expert from the UP School of Economics, the NPC studied and adopted an economic analysis of law to come up with an apt range of fines that provides the proper deterrent effect to companies while also ensuring free flow of information to promote innovation and growth. Depending on the infraction committed, the draft circular proposes fines ranging between 0.5% to 5% of the annual gross income of the personal information controller or processor handling the personal data.

Factors affecting fines

Factors that influence the determination of the fines include the gravity of infraction, the number of data subjects affected, failure to notify the Commission and affected data subjects of personal data breaches, and the intentional or negligent character of the offense, among others.

“The proposed circular considers the proportionality of the fine meted, its dissuasive effects, the costs of precaution, and other social, regulatory, and economic impacts that its adoption may create to all personal information controllers and processors,” Privacy Commissioner Raymund E. Liboro told attendees of the public consultation.

As a matter of due process, the personal information controller or processor have rights enabling them to present evidence on whether the fine should be imposed or, in case fines will be imposed, it should be lowered because of certain circumstances.

Deputy Privacy Commissioner Leandro Angelo Y. Aguirre said that the fines are not intended to be an added financial cost to companies. “The fines are incentives for companies to protect all of us. Because if we are all protecting the information we process, that benefits both the companies and data subjects. It serves to incentivize the implementation of appropriate measures while disincentivizing the misuse of data,” Aguirre added.

The draft circular introduces to the NPC a new range of enforcement tools to ensure accountability from all organizations, businesses, and individuals when processing personal information. Liboro said that the administrative circular adapts to the Philippines’ growing economy and reinforces our national ambition of building a high trust, resilient, and knowledge-based society.

“The National Privacy Commission hopes that this administrative circular will further enhance the culture of data privacy accountability in the Philippines, incentivize compliance for the DPA, build maximum data privacy resilience by encouraging full accountability, compliance, and ethics from our data users,” Liboro said.

The draft circular is available on the NPC website. An online public hearing will be held soon reflecting stakeholders’ recommendations and comments.