On August 15, Philippine President Benigno Aquino III signed into law the Data Privacy Act of 2012, formally titled “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes”. The Act is modeled after the EU Data Protection Directive and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
The Act applies to “the processing of all types of personal information” and to any person, including both government and private-sector entities, “involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.” The term “Personal Information” is defined as any information “from which the identity of an individual is apparent or can be reasonably and directly ascertained” or that “when put together with other information would directly and certainly identify an individual.”
The Act contains provisions that govern the processing of personal information, the rights of data subjects (e.g., notice, access, and data portability), and the security of personal information (which includes a breach notification requirement). In addition, the Act creates the National Privacy Commission, which is tasked with administering and implementing the provisions of the Act and monitoring and ensuring compliance with international standards for data protection.
The law sets forth a detailed schedule of penalties for violations of the Act, which include both imprisonment and fines. For example, the unauthorized processing of personal information is penalized by imprisonment of one to three years and a fine of not less than 500,000 pesos (approximately $11,850 USD) but not more than two million pesos (approximately $47,390 USD). If the unauthorized processing involves sensitive personal information, the penalties increase to imprisonment of three to six years and a fine of up to four million pesos (approximately $94,780 USD). In addition, the Act penalizes – by imprisonment and fine – the improper disposal of personal information, the processing of personal information for unauthorized purposes, the concealment of a security breach, and the malicious and unauthorized disclosure of personal information.