President appoints Philippines' first set of privacy commissioners

Philippines President Benigno Aquino III has appointed all three members of the National Privacy Commission ("NPC"), the government agency tasked to implement the country's data privacy law, Republic Act No. 10173 or the Data Privacy Act of 2012 ("DPA"). With the appointment of the commissioners, the NPC is expected to issue the implementing rules and regulations of the DPA soon.

Although the President signed the DPA into law in August 2012, stakeholders have often questioned if the law is already effective due to the delay in the appointment of the commissioners, and hence, the lack of a government authority to implement its provisions. With the creation of the DPA, the NPC is now finally constituted by the appointment of its Privacy Commissioner and two Deputy Privacy Commissioners.

The DPA provides for penalties in case of violation of its provisions, which include fines, imprisonment and temporary or permanent ban on the business activities of a personal information controller or processor. Whether doing business locally or abroad, organizations engaged in, or subcontracting the processing of personal information in the Philippines should review their policies on personal information control and processing to ascertain compliance with the DPA.

Who the commissioners are

Raymund Liboro, a government service professional previously working as Assistant Secretary of the Department of Science and Technology, leads the three-member collegial body as Privacy Commissioner. The two Deputy Privacy Commissioners are Ivy Patdu, an attorney and medical doctor specializing in health information exchange, and Dondi Mapa, a technology professional.

All three members of the NPC are appointed by the President for a term of 3 years. They may be reappointed for another term of the same duration.

In the implementing rules and regulations that it will issue, the NPC is expected to clarify contentious matters in the DPA, such as the following:

• scope and extraterritorial application of the law;
• duties and obligations of personal information controllers and personal information processors, especially companies engaged in business process outsourcing in the Philippines;
• mechanism for concerned companies to appoint a data privacy officer; and
• procedure for concerned parties to notify the NPC if sensitive personal information in their custody was acquired by an unauthorized person, and other reportorial requirements.

What the NPC can do

In addition to ensuring compliance with the law, the DPA authorizes the NPC to exercise the following functions:

• receive complaints, institute investigations, adjudicate, and award damages on matters affecting an individual's personal information;
• issue cease and desist orders and impose a temporary or permanent ban on the processing of personal information, when the processing is found to be detrimental to national security and public interest;
• review, approve, reject, or require the modification of privacy codes and policies that are formulated by personal information controllers;
• facilitate the cross-border enforcement of data privacy protection;
• assist Philippine companies doing business abroad in responding to foreign privacy or data protection laws and regulations; and
• recommend to the Department of Justice the prosecution of offenses under the DPA.

What the DPA says

The DPA provides safeguards for the control and processing of personal information, including sensitive personal information, belonging to individuals, including Philippine citizens and residents. For example, it generally requires the personal information processor to secure the consent of a data subject prior to the processing of personal information.

Under the law, personal information processing refers to "any operation or any set of operations performed upon personal information, including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data."

The constitution of the NPC demonstrates the government's thrust to promote the security of, and confidence in, the Philippines as an outsourcing hub.

What we can do now

While the NPC has not yet issued the implementing rules and regulations of the DPA, organizations should avoid the risks of violations and non-compliance by undertaking the following steps:

• Determine the applicability of the provisions of the DPA to them (i.e., whether as personal information controller or personal information processor) and their personal information processing and subcontracting activities, whether in the Philippines or abroad;
• Review current data privacy codes and policies, or formulate one, if there is currently none, to comply with the data privacy principles embodied in the DPA;
• Coordinate with foreign affiliates, third parties, and subcontractors regarding data privacy policies and processes, in light of the accountability of the personal information controller for personal information processed elsewhere;
• Identify classes of information that are considered "personal information" and "sensitive personal information", using the definitions provided by the DPA, and determine the level of protection required; and
• Initiate the search for a suitable data privacy officer who will be responsible for ensuring compliance with the DPA.

Affected parties will be given a chance to be heard and to provide their position papers with respect to how the NPC will craft the implementing rules and regulations. Quisumbing Torres can assist concerned parties in drafting and making the submissions to the NPC.
For more information, please contact Divina Ilas-Panganiban, Bienvenido Marquez or Matthew Tristan Delgado.