NPC presents the revised draft Circular on Administrative Fines for data privacy violators

The National Privacy Commission (NPC) conducted an online public hearing on March
22, 2022, where the updated draft Circular on Administrative Fines was presented before its
stakeholders. The updated draft includes consolidated comments from previous hearings which
started last April 2021.

In consideration of the comments from the public, the NPC revised the scope to include
all personal information controllers (PICs) or personal information processors (PIPs) under the
jurisdiction of the Data Privacy Act of 2012 (DPA).

The Circular on Administrative Fines aims to promote organizational accountability and
compliance with the DPA by providing an optimal deterrence, as further explained by the
economic study of the University of the Philippines Law Center. Specifically, an administrative
fine may be imposed based on the annual gross income of PICs or PIPS within the range of 0.25%
to 3% for grave violations and 0.25% to 2% for major violations.

One of the notable changes in the current draft is the proposal to include a ceiling for the
imposition of administrative fines. As such, the provision limiting the total imposable fine to not
more than Five Million Pesos (Php 5,000,000.00) was inserted. Such ceiling applies, whether the
infraction results in single or multiple violations arising from a single act of PICs and PIPs. The
NPC clarified that the single act pertains to a per processing activity basis and not per data
privacy principle or data subject right violated.

Privacy Commissioner John Henry D. Naga told attendees of the public consultation that
the draft circular provides a fair and reasonable system of fines.

“The National Privacy Commission has consistently issued proactive measures for
personal information controllers and personal information processors to comply with the law.
The Data Privacy Act was enacted in 2012 and upon the constitution of the Commission in 2016,
it has been actively promoting, educating, and assisting the stakeholders in their common
endeavor in complying with the law. By now, we expect PICs and PIPs to have incorporated in
their respective processes and implemented necessary measures, to protect data subjects and
uphold data privacy rights,” Naga explained.

Factors affecting fines

In computing the imposable fine, the NPC will take into consideration the number of data
subjects affected; the degree of negligence, or the intent of the PICs or PIPs that contributed or
resulted in the violation; the categories of personal data affected; and the nature, duration, and
severity of such infraction, among others.

Meanwhile, to determine the annual gross income of the erring PICs or PIPs, the NPC
may review and require the submission of audited financial statements filed with the appropriate
tax authorities for the immediately preceding year of the violation, the last regularly prepared
balance sheet or annual statement of income and expenses, and such other financial documents
as may be deemed relevant and appropriate for the purpose.

If a particular PIC and PIP has not been operating for more than one year, the base for
computing administrative fines will be the entity’s total gross income at the time the violation
was committed.

PICs and PIPs who refuse to pay the administrative fines may be subject to a Cease-and-Desist Order, and other processes or reliefs the NPC is authorized to pursue as provided under Section 7 of the DPA, and/or appropriate contempt proceedings under the Rules of Court.

The Commission is open to receive comments from its stakeholders regarding the draft
circular until April 6, 2022. Any comments may be sent to [email protected].

Access the draft guidelines on administrative fines