Caring about Sharing: New Rules on Data Sharing Agreements
On December 23, 2020, the Philippine data privacy regulator, the National Privacy Commission (NPC) issued NPC Circular No. 2020-03 on data sharing agreements (2020 DSA Circular).1 The circular supersedes NPC Circular No. 16-02 which specifically applied to data sharing agreements (DSAs) among government agencies, although the NPC had pointed to 16-02 as a source of guidance for personal information controllers (PICs) in the private sector. The 2020 DSA Circular applies to PICs in all sectors.
The Data Privacy Act of 2012 or the DPA (the Philippines’ principal data privacy statute) and its implementing rules (IRR) generally categorize transfers of personal data subject to the DPA into outsourcing agreements and DSAs. Outsourcing agreements are those where data is transferred from a PIC to its personal information processor (PIP) and may only be processed by the PIP pursuant to the purposes and instructions of the PIC, while DSAs cover transfers from a PIC to another PIC that may process the data for its own purposes.
The 2020 DSA Circular tracks the somewhat sparse provisions of the DPA and IRR on data sharing, but clarifies some aspects, as well as provides more guidance on the contents of a DSA. Thus, while the IRR states that data sharing in the private sector requires the consent of the data subject, the 2020 DSA Circular makes it clear that data sharing may be based on any criteria for lawful processing of personal data as set out in the DPA. Thus, consent of the data subject may not always be necessary, and the circular specifically states that in those cases, a privacy notice is sufficient. In this regard, the IRR advises what information needs to be provided to a data subject for any type of collection of data, but where data sharing will also be pursued, the PIC must provide or have provided the data subject with the following information:
1) categories of recipients of the personal data; provided that a PIC must provide a data subject with the identity of the recipients upon request;
2) purpose and objective of the data sharing;
3) categories of data to be shared;
4) existence of data subject rights; and,
5) other information that would inform the data subject of the nature and extent of the data sharing and the manner of processing involved.2
Focus on Data Privacy, Digital Banks and FinTech | SyCipLaw | February 23, 2021
The IRR only requires the execution of a DSA when the data sharing is for commercial purposes, such as the use of personal data to enable marketing. The 2020 DSA Circular, however, does push for the execution of DSAs as a sound recourse, which demonstrates accountable personal data processing and good faith in complying with the requirements of the DPA and its related issuances.3 The circular also hints that having a DSA will allow a PIC to score “brownie points,”4 and that the NPC will look with disfavor at parties’ failure to execute one. The issuance states that the NPC “shall take [the DSA having been put into place] into account in case a complaint is filed pertaining to such data sharing and/or in the course of any investigation relating thereto, as well as in the conduct of compliance checks.”5
A PIC that engages in data sharing must establish and maintain a record of its DSAs. Subject to the terms of the DSA, each party to the agreement will be responsible for any personal data under its control or custody. Whether or not it is covered by a DSA, any data sharing arrangement may be reviewed by the NPC, which may, on its own initiative, terminate the arrangement if it determines that a party has violated the DPA or any NPC issuance.
• Gathering of information about the user through third parties
• Having authority to delete the user’s account without prior notice or reason
• Keeping user logs for an undefined period of time
• Lack of warranty regarding uninterrupted, timely, secure or error-free service
• Possibility of using tracking pixels, web beacons, browser fingerprinting, and/or device fingerprinting on users8
In order to address these matters, the NPC advised that it is closely monitoring developments and will coordinate with WhatsApp to ensure transparent and easily understandable consent processes.9 In the meantime, the regulator suggests that those using the application back up their data in case the user determines that it is more prudent to move to a different platform.10
New National Privacy Commission Rules of Procedure Hint at Stricter Enforcement
On January 28, 2021, the NPC issued NPC Circular No. 2021-01, or the 2021 Rules of Procedure of the National Privacy Commission (2021 NPC Rules of Procedure),11 which supersedes NPC Circular No. 16-04,12 and NPC Circular No. 18-03.13 The rules set out the procedure for the NPC’s exercise of its quasi-judicial and enforcement powers14 in relation to complaints filed with and investigations initiated by the NPC.15 Data subjects filing complaints under the rules must be able to show that: (i) they had sent a written notice to the PIC, PIP, or concerned entity of the privacy violation or personal data breach, and (ii) there has been no timely or appropriate response. The rules appear to consider a response within 15 calendar days from receipt of the notice to be timely.
Complaints will go through pre-investigation, investigation, and decision phases. PICs, PIPs, or entities, as respondents, are given opportunities to be heard by way of comments to be filed during the pre-investigation phase;16 and, by way of memoranda during the investigation phase.17
Further, during the pre-investigation and investigation phases, the NPC may order a temporary ban on the processing of personal information on certain grounds18 only after due notice and summary hearing.19 The rules likewise include a procedure for the discovery of electronically-stored information. During the preliminary conference, either party may file motions or stipulations on issues pertaining to production, access to, and preservation and protection of electronically-stored information.20 Failure of either party to appear during the preliminary conference constitutes a waiver of rights pertaining to mediation, discovery, stipulation of acts, and such other matters which may be discussed during preliminary conference.21 The NPC’s decision on complaints may include enforcement orders, such as:
1) an award of indemnity;
2) permanent ban on the processing of personal data;
3) a recommendation to the Department of Justice for the prosecution and imposition of penalties specified in the DPA;
4) compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
5) impose fines for violations of the DPA or issuances of the NPC; or,
6) any other order to enforce compliance with the DPA.
The 2021 NPC Rules of Procedure provide a more rigid framework for enforcement of the DPA, with particular interest in the filing, investigation, and resolution of complaints for alleged data breaches and/or other violations of the law. Even prior to the issuance, however, the NPC had already been investigating complaints of alleged violations of the DPA. For example, it recently ordered Familyhan Credit Corporation (Familyhan) to immediately take down its online master database containing sensitive information of its borrowers.22 After the NPC received numerous complaints about online lenders using the personal data of their clients to compel payment, causing damage to their reputation and violating their rights as data subjects,23 the NPC issued NPC Circular No. 20-01, or the Guidelines on the Processing of Personal Data for Loan-Related Transactions.24
BSP to Conduct Baseline Study on Governance and Use of Clients’ Digital Data
In a February 2021 press briefing, the Bangko Sentral ng Pilipinas (BSP) or the Philippine Central Bank said that it will conduct a baselining exercise to gather data from the banking and finance industry, specifically looking into processes on data governance and its ethical use for financial institutions vis-à-vis the global standards set under the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS Principles).25 The baseline study will inform the development of a policy on data governance for and the ethical use of data by supervised entities.26 The BSP is expected to come out with a discussion paper on the proposed policy within the first half of 2021.27
This is in further implementation of the BSP’s Digital Payments Transformation Roadmap 2020-2023,28 which seeks: (i) to ensure that all data and information obtained and passing through different digital channels will be handled ethically and that all participants will be bound by key data governance principles; and, (ii) to incorporate into policy the BCBS Principles to support decision making for enterprise-wide risk management.29 This policy thrust is geared towards creating an efficient, inclusive, safe, and secure digital payments ecosystem.30
INTO THE DIGITAL
Philippine Central Bank Issues Rules on Setting up of Digital Banks
The BSP has issued Circular No. 1105, Series of 202031 (Digital Bank Circular) dated December 2, 2020, providing guidelines on the establishment of digital banks. The circular took effect on December 23, 2020. A digital bank is defined as a bank that “offers financial products and services that are processed end-to-end through a digital platform and/or electronic channels with no physical branch/sub-branch or branch-lite unit offering financial products and services.”32 The minimum capitalization requirement for digital banks is Php 1 billion and the application fee and license fee are Php 250,000 and Php 12.5 million, respectively. Digital banks are required to maintain a principal/head office in the Philippines to serve as the main point of contact for stakeholders, including the BSP and other regulators.33
A digital bank may perform any or all of the following services:
1) grant loans, whether secured or unsecured;
2) accept savings and time deposits, including basic deposit accounts;
3) accept foreign currency deposits;
4) invest in readily marketable bonds and other debt securities, commercial papers and accounts receivable, drafts, bills of exchange, acceptances or notes arising out of commercial transactions;
5) act as correspondent for other financial institutions;
6) act as collection agent for non-government entities;
7) issue electronic money products subject to certain guidelines;
8) issue credit cards;
9) buy and sell foreign exchange; and,
10) present, market, sell, and service microinsurance products subject to certain guidelines.34
The voting shares of stock held by a foreign individual or a foreign non-bank corporation, and their aggregate ownership of voting shares in a digital bank, are limited to 40%. However, if the owner of the voting shares is a qualified foreign bank, its stockholdings in a digital bank can be 100%, whether held solely by the qualified foreign bank or in aggregate with other qualified foreign banks.35
Existing banks may apply for conversion to a digital bank, and the BSP may require banks that already meet the definition of a digital bank to convert their banking license to a digital banking license.36 Entities planning to convert to a digital bank or to set up a digital bank must act with urgency because the Monetary Board may limit the total number of digital banks that may be established, taking into account the total number of applications received and the assessment of the overall banking situation.37
New Philippine Rules on Virtual Assets
On the heels of its circular on the setting up of digital banks, the BSP issued Circular No. 1108, Series of 202138 (VASP Circular) dated January 26, 2021, providing guidelines on the operations and reporting obligations of virtual asset service providers (VASP) in the Philippines. The VASP Circular took effect on February 16, 2021.
A VA is defined as “any type of digital unit that can be digitally traded, or transferred, and can be used for payment or investment purposes. It is a medium of exchange or a form of digitally stored value created by agreement within the community of VA users.”39 Virtual currencies as defined under BSP Circular No. 944 (Virtual Currency Circular) are now referred to as VAs.40 Digital units that are in the nature of gift checks or gaming tokens are not considered VAs under the VASP Circular. The issue and use of e-money is also not covered by the VASP Circular. Meanwhile, a VASP is defined as an “entity that offers services or engages in activities that provide facility for the transfer or exchange of VA, which involve the conduct of one or more of the following activities: 1) exchange between VAs and fiat currencies; 2) exchange between one or more forms of VAs; 3) transfer of VAs; and 4) safekeeping and/or administration of VAs or instruments enabling control over VAs.”41 The VASP Circular was issued to ensure that VA systems are not misused, and that the Philippines’ financial system is not employed for money laundering, terrorist financing, and proliferation financing activities.42
The activities and entities covered by the VASP Circular are wider in scope than those under the Virtual Currency Circular, since it includes not only exchanges between VAs and fiat currencies but also exchanges between one or more forms of VAs, transfer of VAs, and safekeeping and/or administration of VAs or instruments enabling control over VAs.43 The wider regulatory scope was designed to ensure that dealings with VAs are undertaken through an end-to-end chain of regulated entities. This is consistent with international best practices on risk-based approaches in regulating VASPs.
A VASP is considered a money service business and must secure a Certificate of Authority from the BSP to be able to operate. The VASP shall adhere to the registration procedure found in Appendix N-7 of the MORNBFI and shall comply with the rules and regulations on Outsourcing, Liquidity Risk Management, Operational Risk Management, IT Risk Management, Business Continuity Management, Internal Control, Anti-Money Laundering, Financial Consumer Protection, and sound corporate governance principles, among others.44 If the VASP provides safekeeping and/or administration services for VAs, the minimum capitalization requirement is Php 50 million.45 Otherwise, the minimum capitalization requirement is Php 10 million.46 The VASP shall also pay a one-time registration fee and annual service fees.47 VASPs providing wallet services for holding and storing VAs must establish an adequate cybersecurity framework and adopt appropriate security measures/controls in their VA platform.
When the VASP performs outsourcing activities, it shall adopt a sound risk management system to mitigate the risks arising from outsourcing.48 VASPs shall adopt customer awareness measures to educate their customers and they shall clearly communicate and explain to their customers how losses and liabilities will be settled between the VASP and its customers.49 The VASP must also conduct customer due diligence.50 A VASP shall only engage with other VASPs, financial institutions, and/or remittance and transfer companies that are duly authorized and licensed by the appropriate regulatory authorities.51
BSP-registered Virtual Currency Exchanges and VASPs currently operating without BSP approval shall apply for a Certificate of Authority no later than three months from the effectivity of the VASP Circular.52 Upon submission of the application, said entities may continue to operate.
All VASPs must also comply with the applicable requirements prescribed in the VASP Circular within six months from the Circular’s effectivity.54 Failure to comply with the requirements shall subject the entity to appropriate enforcement action.