The Philippines recently enacted a privacy law (the Data Privacy Act of 2012), which law was modeled on the EU Data Privacy Directive, as well as the APEC privacy framework. The law generally applies to personal information processed by those located in the Philippines; those that have offices, branches or agents in the country; and those that use equipment in the Philippines to process personal information. The law provides for a “National Privacy Commission” to administer and implement the law’s requirements. Those requirements include, inter alia, processing information for legitimate, lawful and specified purposes, keeping information accurate and up-to-date, retaining information only as long as is needed (or as is required by law), obtaining consent for most uses of information (except in limited circumstances), and having appropriate security measures in place, including with vendors.

TIP: The provisions of the Philippines law should look familiar for those who are familiar with the EU Data Privacy Directive. Companies who have procedures in place to comply with EU member states’ laws should be well on their way to compliance with this new privacy law, to the extent that they find themselves subject to its provisions. We will continue to monitor the status of this law to determine when the National Privacy Commission begins its implementation and administration.